Edit tour

Windows Analysis Report
MT Marine Tiger.exe

Overview

General Information

Sample name:	MT Marine Tiger.exe
Analysis ID:	1464864
MD5:	2dcf1e9b4ca5afa19d7473f108aea256
SHA1:	d2f554d2699fcddf1c2d65cc05739916aa0dae62
SHA256:	a1aa961c8b1eb8e3627dceee8081d62544d84987b623b84addd7b92a35089c7d
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MT Marine Tiger.exe (PID: 1968 cmdline: "C:\Users\user\Desktop\MT Marine Tiger.exe" MD5: 2DCF1E9B4CA5AFA19D7473F108AEA256)

InstallUtil.exe (PID: 5716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

RegAsm.exe (PID: 6428 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 6468 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 5960 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

RegAsm.exe (PID: 4328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 5900 cmdline: C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1484e:$a1: get_encryptedPassword 0x14b3a:$a2: get_encryptedUsername 0x1465a:$a3: get_timePasswordChanged 0x14755:$a4: get_passwordField 0x14864:$a5: set_encryptedPassword 0x15e37:$a7: get_logins 0x15d9a:$a10: KeyLoggerEventArgs 0x15a33:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18110:$x1: $%SMTPDV$ 0x18176:$x2: $#TheHashHere%& 0x1976d:$x3: %FTPDV$ 0x19861:$x4: $%TelegramDv$ 0x15a33:$x5: KeyLoggerEventArgs 0x15d9a:$x5: KeyLoggerEventArgs 0x19791:$m2: Clipboard Logs ID 0x199b1:$m2: Screenshot Logs ID 0x19ac1:$m2: keystroke Logs ID 0x19d9b:$m3: SnakePW 0x19989:$m4: \SnakeKeylogger\
00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaac76:$a1: get_encryptedPassword 0xcb6be:$a1: get_encryptedPassword 0xaaf62:$a2: get_encryptedUsername 0xcb9aa:$a2: get_encryptedUsername 0xaaa82:$a3: get_timePasswordChanged 0xcb4ca:$a3: get_timePasswordChanged 0xaab7d:$a4: get_passwordField 0xcb5c5:$a4: get_passwordField 0xaac8c:$a5: set_encryptedPassword 0xcb6d4:$a5: set_encryptedPassword 0xac25f:$a7: get_logins 0xccca7:$a7: get_logins 0xac1c2:$a10: KeyLoggerEventArgs 0xccc0a:$a10: KeyLoggerEventArgs 0xabe5b:$a11: KeyLoggerEventArgsEventHandler 0xcc8a3:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xae538:$x1: $%SMTPDV$ 0xcef80:$x1: $%SMTPDV$ 0xae59e:$x2: $#TheHashHere%& 0xcefe6:$x2: $#TheHashHere%& 0xafb95:$x3: %FTPDV$ 0xd05dd:$x3: %FTPDV$ 0xafc89:$x4: $%TelegramDv$ 0xd06d1:$x4: $%TelegramDv$ 0xabe5b:$x5: KeyLoggerEventArgs 0xac1c2:$x5: KeyLoggerEventArgs 0xcc8a3:$x5: KeyLoggerEventArgs 0xccc0a:$x5: KeyLoggerEventArgs 0xafbb9:$m2: Clipboard Logs ID 0xafdd9:$m2: Screenshot Logs ID 0xafee9:$m2: keystroke Logs ID 0xd0601:$m2: Clipboard Logs ID 0xd0821:$m2: Screenshot Logs ID 0xd0931:$m2: keystroke Logs ID 0xb01c3:$m3: SnakePW 0xd0c0b:$m3: SnakePW 0xafdb1:$m4: \SnakeKeylogger\
00000000.00000002.2169216156.0000020D0FBB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MT Marine Tiger.exe PID: 1968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MT Marine Tiger.exe PID: 1968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MT Marine Tiger.exe PID: 1968	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MT Marine Tiger.exe PID: 1968	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MT Marine Tiger.exe PID: 1968	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3223f:$a1: get_encryptedPassword 0x32521:$a2: get_encryptedUsername 0x32055:$a3: get_timePasswordChanged 0x32150:$a4: get_passwordField 0x32255:$a5: set_encryptedPassword 0x34645:$a7: get_logins 0x345a8:$a10: KeyLoggerEventArgs 0x34241:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MT Marine Tiger.exe PID: 1968	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x34241:$x5: KeyLoggerEventArgs 0x345a8:$x5: KeyLoggerEventArgs 0x34e96:$x5: KeyLoggerEventArgs 0x351ca:$x5: KeyLoggerEventArgs 0x36778:$m2: Clipboard Logs ID 0x3686f:$m2: Screenshot Logs ID 0x368c5:$m2: keystroke Logs ID 0x369fa:$m3: SnakePW 0x3685b:$m4: \SnakeKeylogger\
Process Memory Space: RegAsm.exe PID: 6428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6428	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 6428	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a22f:$a1: get_encryptedPassword 0x1a511:$a2: get_encryptedUsername 0x1a045:$a3: get_timePasswordChanged 0x1a140:$a4: get_passwordField 0x1a245:$a5: set_encryptedPassword 0x1c635:$a7: get_logins 0x1c598:$a10: KeyLoggerEventArgs 0x1c231:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 6428	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1c231:$x5: KeyLoggerEventArgs 0x1c598:$x5: KeyLoggerEventArgs 0x1ce86:$x5: KeyLoggerEventArgs 0x1d1ba:$x5: KeyLoggerEventArgs 0x1e768:$m2: Clipboard Logs ID 0x1e85f:$m2: Screenshot Logs ID 0x1e8b5:$m2: keystroke Logs ID 0x1e9ea:$m3: SnakePW 0x1e84b:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
3.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x35496:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x35782:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x352a2:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x3539d:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x354ac:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x36a7f:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x369e2:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler 0x3667b:$a11: KeyLoggerEventArgsEventHandler
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cdb3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfe5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x3c418:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data 0x3d457:$a5: \Kometa\User Data\Default\Login Data
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x3601e:$s1: UnHook 0x155dd:$s2: SetHook 0x36025:$s2: SetHook 0x155e5:$s3: CallNextHook 0x3602d:$s3: CallNextHook 0x155f2:$s4: _hook 0x3603a:$s4: _hook
0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x38d58:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x38dbe:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x3a3b5:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x3a4a9:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x3667b:$x5: KeyLoggerEventArgs 0x369e2:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x3a3d9:$m2: Clipboard Logs ID 0x3a5f9:$m2: Screenshot Logs ID 0x3a709:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x3a9e3:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: MT Marine Tiger.exe	ReversingLabs: Detection: 47%
Source: MT Marine Tiger.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MT Marine Tiger.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169216156.0000020D0FBB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49701 version: TLS 1.0

Source: MT Marine Tiger.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb#( source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER8DB1.tmp.dmp.7.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49701 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003150000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.000000000317E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B1610	0_2_00007FFD348B1610
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B1608	0_2_00007FFD348B1608
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B8A58	0_2_00007FFD348B8A58
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348BB651	0_2_00007FFD348BB651
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348C41C9	0_2_00007FFD348C41C9
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348BB270	0_2_00007FFD348BB270
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B8A60	0_2_00007FFD348B8A60
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B37DC	0_2_00007FFD348B37DC
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348C39E9	0_2_00007FFD348C39E9
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B96F8	0_2_00007FFD348B96F8
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD34980060	0_2_00007FFD34980060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306B328	3_2_0306B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_03066108	3_2_03066108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306C190	3_2_0306C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_03066730	3_2_03066730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306C470	3_2_0306C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306BBD2	3_2_0306BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306CA70	3_2_0306CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_03064AD9	3_2_03064AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_03069858	3_2_03069858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306BEB0	3_2_0306BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306CD52	3_2_0306CD52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_03063572	3_2_03063572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0306B4F2	3_2_0306B4F2

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044

Source: MT Marine Tiger.exe

Static PE information: No import functions for PE file found

Source: MT Marine Tiger.exe, 00000000.00000000.2083818593.0000020D0DDE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUdunivonerulipe4 vs MT Marine Tiger.exe
Source: MT Marine Tiger.exe, 00000000.00000002.2172160291.0000020D28240000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAvabevinozu> vs MT Marine Tiger.exe
Source: MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FF3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAvabevinozu> vs MT Marine Tiger.exe
Source: MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MT Marine Tiger.exe
Source: MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAvabevinozu> vs MT Marine Tiger.exe
Source: MT Marine Tiger.exe	Binary or memory string: OriginalFilenameUdunivonerulipe4 vs MT Marine Tiger.exe

Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@13/6@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1968

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\930f8912-1785-4817-b53a-873bfd298017

Jump to behavior

Source: MT Marine Tiger.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MT Marine Tiger.exe	ReversingLabs: Detection: 47%
Source: MT Marine Tiger.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

File read: C:\Users\user\Desktop\MT Marine Tiger.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MT Marine Tiger.exe "C:\Users\user\Desktop\MT Marine Tiger.exe"
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MT Marine Tiger.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MT Marine Tiger.exe

Static file information: File size 1960608 > 1048576

Source: MT Marine Tiger.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MT Marine Tiger.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb#( source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8DB1.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER8DB1.tmp.dmp.7.dr

Source: MT Marine Tiger.exe

Static PE information: 0x840105AF [Tue Mar 6 15:11:43 2040 UTC]

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B8113 push ebx; ret	0_2_00007FFD348B816A
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348B77ED push eax; retf	0_2_00007FFD348B78AD
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD348C3B85 push eax; iretd	0_2_00007FFD348C3B87
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Code function: 0_2_00007FFD34980060 push esp; retf 4810h	0_2_00007FFD34980312

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FBB7000.00000004.00000800.00020000.00000000.sdmp, MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FBB7000.00000004.00000800.00020000.00000000.sdmp, MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory allocated: 20D0E110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory allocated: 20D27B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599806	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599649	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595902	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594832	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594476	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2100			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7707			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599806s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6992	Thread sleep count: 2100 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6992	Thread sleep count: 7707 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597208s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596638s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596277s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595902s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595222s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594983s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594832s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594476s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1008	Thread sleep time: -594031s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599806	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599649	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595902	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594832	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594476	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RegAsm.exe, 00000003.00000002.2904379628.0000000001645000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MT Marine Tiger.exe, 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 103A008	Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe	Queries volume information: C:\Users\user\Desktop\MT Marine Tiger.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MT Marine Tiger.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR

Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fe1ec70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT Marine Tiger.exe.20d1fdfe228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT Marine Tiger.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6428, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MT Marine Tiger.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
MT Marine Tiger.exe	46%	Virustotal		Browse
MT Marine Tiger.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org	1%	Virustotal		Browse
http://checkip.dyndns.com	0%	Virustotal		Browse
http://checkip.dyndns.org/	1%	Virustotal		Browse
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003150000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegAsm.exe, 00000003.00000002.2904940215.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.2904940215.0000000003247000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.000000000317E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003256000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003203000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	MT Marine Tiger.exe, 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2904940215.0000000003162000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464864
Start date and time:	2024-06-30 17:19:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MT Marine Tiger.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@13/6@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 86% Number of executed functions: 150 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MT Marine Tiger.exe, PID 1968 because it is empty
Execution Graph export aborted for target RegAsm.exe, PID 6428 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:19:56	API Interceptor	317064x Sleep call for process: RegAsm.exe modified
11:20:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	640740cm.nyashka.top/providerEternalGameWindowstest.php
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/L69kvhYI/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/Txmfx0A2/download
	RITS Ref 3379-06.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/khvbX8Pe/download
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/khvbX8Pe/download
	NGL 3200-Phase 2- Strainer.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/
	IMG_05831_0172.exe	Get hash	malicious	Azorult, PureLog Stealer	Browse	hqt3.shop/PL341/index.php
193.122.6.168	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Prouduct list Specifictions.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_0071191023.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	new purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win64.PWSX-gen.18963.11831.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z26SZO98764590000000980.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Office Suppliers Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	paediatric neurologist medico legal 68003.js	Get hash	malicious	Unknown	Browse	158.101.87.136
	paediatric neurologist medico legal 68003.js	Get hash	malicious	Unknown	Browse	130.61.47.235
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	https://bit.ly/3RPGSFw?lBj=IgAqyyGiOF?ehd=cNhnM3Ug7I	Get hash	malicious	Unknown	Browse	188.114.97.3
	a.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	exe	Get hash	malicious	Unknown	Browse	172.67.159.30
	https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfF3sPeQKBD_Act5bCCrkUMkGrd87GXE85ptSvU0h8H9S97li_YZ1W2sNi71P90U8x627NEH6e-kCa62tjlvXVsamrSGp1TAMFtfgRydM8D-QFp4rxbgAeEilnkMUdRVDSB2T_2Qfh0hQuA2S3kIGAGxxOhLGRZlimak4HvWAhPpr3cGXO1dkFMRkycppPQIWKMCxf7zn-Sf2FKVlkV3bIiKpv65JecmpKmv7K1YnibkbTtyYKjzM0RBpe8SGtfO5gpSHLvPTYqZjsrGpeXbXcWmlaR9PZhWomJ586b1OeF7psyrkOXu7PHMFbYVK6t7rkfnsF9FVAXEF_z9qYdd6yq7sZRqhCkgEwDqZaPg8lBDqiVI04is9Ux1ckCdi1zoggbpZr_i4tJ1iUVNzVnpUh4z0GQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://carsales.au1.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAfnb-qPSyZecO9B5ZfywmNLbpLvp031ot7ln8fPgu7eWwZ19_ZPQHTOqDMGxjirJcrmCsSaiIDmPdIRas_zn4z1go8wNiaf6T7KGdMemdAI87j-2cWRTSM8MgKsIEHUt-&	Get hash	malicious	Unknown	Browse	162.247.243.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	30 - 3050324.scr.exe	Get hash	malicious	Remcos	Browse	188.114.97.3
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MT Marine Tiger._b1fc61aa0f0ff659922dc1f816562af76c8bcc3_d4dd14a2_f9207a17-8494-4b79-9815-4bb98abb0750\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9967661337684316
Encrypted:	false
SSDEEP:	96:UGFtO36WxsF/SboNy/qXQXIDcQqc6jcEOcw3WP+BHUHZ0ownOgFkEwH3d2FYAKch:bHOlxeO0UnUdaWx9fOzuiFAZ24lO8l
MD5:	4A9FEFD67245A546E423AAB5D936E86F
SHA1:	E214A604752D1DDE932C458D50C8D46693809FA5
SHA-256:	B445200DC78F5E0194E8BBF6F4084C21D2885D905DCD87FC79D8B0AB4753B3E7
SHA-512:	C6EA5870EF9C117FE145CE22D692DFE07CEAF760C66CBAB0A3CF0EEE32D885D2879E63C8CD1CFE54F69995AE792BF66EC621C6D46173B0D3FCCAC986D94F4066
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.2.3.4.3.9.4.6.3.9.4.4.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.2.3.4.3.9.5.2.0.1.9.3.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.2.0.7.a.1.7.-.8.4.9.4.-.4.b.7.9.-.9.8.1.5.-.4.b.b.9.8.a.b.b.0.7.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.0.8.e.7.b.c.-.f.1.8.9.-.4.a.f.b.-.b.0.4.d.-.8.d.3.2.7.0.4.3.1.a.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.M.T. .M.a.r.i.n.e. .T.i.g.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.d.u.n.i.v.o.n.e.r.u.l.i.p.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.b.0.-.0.0.0.1.-.0.0.1.5.-.f.9.b.d.-.b.a.f.4.0.0.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.5.6.1.4.9.b.c.e.3.d.0.8.0.8.3.9.3.6.9.a.3.3.c.a.3.b.c.0.6.b.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.2.f.5.5.4.d.2.6.9.9.f.c.d.d.f.1.c.2.d.6.5.c.c.0.5.7.3.9.9.1.6.a.a.0.d.a.e.6.2.!.M.T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DB1.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 15:19:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	385511
Entropy (8bit):	3.2896623789888664
Encrypted:	false
SSDEEP:	3072:mJQ+jkwS/Kbh1CCqM3+vRoPaNR9y4lmOlkBJyvWcSEqo+G2ZmkOPerFY:mJQ+IaqM3Q5R9y5OluJy2EV+G2Zmkg
MD5:	77CBE352A6BB93C55FE5FAEC2BE0A9FC
SHA1:	A16508510A5F4B062C8499C8D975CFD2C923D422
SHA-256:	43F392217B9A8B1CA092B6E509A93680FA85CB3757349D2003D4C91C510D8647
SHA-512:	59793F057E3929ED778834B1EB242D45544D161872383D84DF8081B8A9B90EF01DF5CE0BC1EDBD07EE2281454541FAEFED996A1A1C39B7A4D105FDF3FD569EF3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........w.f....................................$.......................dE...s..........l.......8...........T............(..7............6...........8..............................................................................eJ......(9......Lw......................T............w.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EEB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8822
Entropy (8bit):	3.7103134634870583
Encrypted:	false
SSDEEP:	192:R6l7wVeJ3SUCGe6Y2DIgygmflrL0prZ89bmFzLkfiim:R6lXJCB6YlgygmfxL3mxLkfu
MD5:	85E6446E1CA3BD4859697DB7DACF0A39
SHA1:	91A3F02EEF2554B09CEFBA92D3029C09930F8E12
SHA-256:	E3AE38BE95D8BBC4EC944C37CC21F6E1F55E417A3C617BA403E6E45C795B89AB
SHA-512:	B988A215DD097DEA6964F4C0696BDA1F3FB558E9386DF2876D386E8F4526634F24A24F1A2B53BB2919815E9CD3620396086FB1074E9EE29892E186579376D9BB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F3A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4792
Entropy (8bit):	4.503022925890394
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg771I9wTWpW8VYBYm8M4J1DFBXyq852BzJd6Zled:uIjfyI73i7VVJRX5z/6Zwd
MD5:	408C2D9A2FB4FED0CBAC93E0C2BA5256
SHA1:	65E11F64562133629039555BFEA58DD9BC6D8C96
SHA-256:	7A156E15FF47FA479F3F8A684700BE6C644E38342E67D6D2A386180A86AF5D25
SHA-512:	5F30FE61051314E782788B5DBA5F4C5F1166CE3C350AC5C857BDE1276F10BBD0B7CAC7C205670E32979B8DD32F96B1696DE5D626ABB1B8A866EC3F35032D5992
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="390622" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469012097065088
Encrypted:	false
SSDEEP:	6144:BzZfpi6ceLPx9skLmb0f7ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNYjDH5SC:ZZHt7ZWOKnMM6bFpej4
MD5:	503C19266FEFFAC9A63B57AFC02136AA
SHA1:	B5000A393A73F541ACC0F7E4F1127C62D3359E07
SHA-256:	33E79B0C61845FC3AB442CEB440BB703FC3C3F5D3C71D7893C403D9BB71D6072
SHA-512:	6E3973E57F5798EDD9665DE20341CD6070ED76321265075D0002FC6BADFDBBF4705246E1CD0E028A6393D0793FCE8C970777296B4035E44F4F310E8D25F37735
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.D..................................................................................................................................................................................................................................................................................................................................................d...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.827227650151569
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MT Marine Tiger.exe
File size:	1'960'608 bytes
MD5:	2dcf1e9b4ca5afa19d7473f108aea256
SHA1:	d2f554d2699fcddf1c2d65cc05739916aa0dae62
SHA256:	a1aa961c8b1eb8e3627dceee8081d62544d84987b623b84addd7b92a35089c7d
SHA512:	be82afc240c397e66742a019af1fe6464100eda77bb5b4bfb6e92856ae51b866554e51b500786902d79737ed1a4e2e02b845b034ec9d2abfd3ff6d9526587cde
SSDEEP:	12288:7EC0huBtyjOQyaZyk3x2PulNQ5EcxhyBIpNOlV3d:AC4u/2x72PV5LxhclV3d
TLSH:	00951254B15B6E27FD084AB9C8D679F012FC5E833BF251AFDF900E29865003E386A975
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.b4............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x840105AF [Tue Mar 6 15:11:43 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x93c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5446	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3462	0x3600	96c4f59a9f1ea1b9ffb9804f57fcb047	False	0.6315827546296297	data	6.112542966629395	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x93c	0xa00	3f8eed27f89f5ba6478e4aeb119d54d8	False	0.2984375	data	4.3571367254913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60b8	0x34c	data			0.49170616113744076
RT_VERSION	0x6404	0x34c	data	English	United States	0.4928909952606635
RT_MANIFEST	0x6750	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 17:19:54.942017078 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:54.947262049 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:54.947340012 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:54.947591066 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:54.952425003 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:55.594471931 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:55.633007050 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:55.637995958 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:55.823822021 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:55.874972105 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:55.879965067 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:55.880027056 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:55.880115986 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:55.886090040 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:55.886131048 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.369088888 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.369185925 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.374558926 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.374584913 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.374906063 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.421195030 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.468507051 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.530322075 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.530411959 CEST	443	49701	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.530463934 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.538800001 CEST	49701	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.542232037 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:56.547188997 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:56.729926109 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:56.781208992 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:56.786742926 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.786784887 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:56.786854029 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.789424896 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:56.789443970 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:57.281004906 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:57.283957005 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:57.284003973 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:57.436753988 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:57.436861992 CEST	443	49703	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:57.436945915 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:57.437530041 CEST	49703	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:57.441040993 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:57.442178011 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:57.446197987 CEST	80	49700	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:57.446260929 CEST	49700	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:57.446968079 CEST	80	49705	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:57.447062969 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:57.447264910 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:57.452080965 CEST	80	49705	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:58.106270075 CEST	80	49705	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:58.107614040 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.107646942 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.107711077 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.107933044 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.107949972 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.156341076 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:58.581471920 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.588665962 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.588742971 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.726349115 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.726429939 CEST	443	49708	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:58.726511955 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.727024078 CEST	49708	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:58.731491089 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:58.736712933 CEST	80	49710	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:58.736797094 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:58.736856937 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:58.741722107 CEST	80	49710	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:59.383162975 CEST	80	49710	193.122.6.168	192.168.2.6
Jun 30, 2024 17:19:59.438026905 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:19:59.476006985 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:59.476036072 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:59.476095915 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:59.477471113 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:59.477484941 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:59.962524891 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:19:59.977508068 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:19:59.977536917 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:00.108521938 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:00.108620882 CEST	443	49711	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:00.108669043 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:00.109146118 CEST	49711	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:00.113749981 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:00.114356041 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:00.118961096 CEST	80	49710	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:00.119020939 CEST	49710	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:00.119118929 CEST	80	49713	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:00.119189024 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:00.119285107 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:00.124160051 CEST	80	49713	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:02.188436985 CEST	80	49713	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:02.191560030 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.191632032 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.191721916 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.192035913 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.192050934 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.249979973 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.679672003 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.681823969 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.681853056 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.825824022 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.826033115 CEST	443	49716	188.114.97.3	192.168.2.6
Jun 30, 2024 17:20:02.826121092 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.826642990 CEST	49716	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:20:02.830344915 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.831022978 CEST	49717	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.835937023 CEST	80	49713	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:02.836059093 CEST	49713	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.836119890 CEST	80	49717	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:02.839071035 CEST	49717	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.839154005 CEST	49717	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:02.843961954 CEST	80	49717	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:24.237505913 CEST	80	49717	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:24.240609884 CEST	49717	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:24.289808989 CEST	49717	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:24.291837931 CEST	49720	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:24.296777964 CEST	80	49717	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:24.296802998 CEST	80	49720	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:24.296921015 CEST	49720	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:24.297055006 CEST	49720	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:24.302676916 CEST	80	49720	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:45.659807920 CEST	80	49720	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:45.659902096 CEST	49720	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:45.659984112 CEST	49720	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:45.664788961 CEST	80	49720	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:45.674823046 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:45.679771900 CEST	80	49982	193.122.6.168	192.168.2.6
Jun 30, 2024 17:20:45.679856062 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:45.682045937 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:20:45.687117100 CEST	80	49982	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:01.128643990 CEST	80	49982	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:01.130090952 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.130142927 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.130232096 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.130470991 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.130484104 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.171850920 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.597140074 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.605318069 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.605428934 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.737674952 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.737756014 CEST	443	49984	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:01.737839937 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.738320112 CEST	49984	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:01.741642952 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.742880106 CEST	49985	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.747828960 CEST	80	49982	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:01.747947931 CEST	49982	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.747982979 CEST	80	49985	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:01.748061895 CEST	49985	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.748138905 CEST	49985	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:01.752945900 CEST	80	49985	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:03.109843016 CEST	80	49705	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:03.109947920 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:14.418400049 CEST	80	49985	193.122.6.168	192.168.2.6
Jun 30, 2024 17:21:14.420151949 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:14.420181990 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:14.420279980 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:14.420681000 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:14.420694113 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:14.468452930 CEST	49985	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:14.900696993 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:14.903609037 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:14.903625965 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:15.054507971 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:15.054589033 CEST	443	49986	188.114.97.3	192.168.2.6
Jun 30, 2024 17:21:15.054672003 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:15.055160999 CEST	49986	443	192.168.2.6	188.114.97.3
Jun 30, 2024 17:21:15.178482056 CEST	49705	80	192.168.2.6	193.122.6.168
Jun 30, 2024 17:21:15.178571939 CEST	49985	80	192.168.2.6	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 17:19:54.888385057 CEST	60717	53	192.168.2.6	1.1.1.1
Jun 30, 2024 17:19:54.896522045 CEST	53	60717	1.1.1.1	192.168.2.6
Jun 30, 2024 17:19:55.864197969 CEST	60094	53	192.168.2.6	1.1.1.1
Jun 30, 2024 17:19:55.879339933 CEST	53	60094	1.1.1.1	192.168.2.6
Jun 30, 2024 17:20:36.116975069 CEST	53	52066	162.159.36.2	192.168.2.6
Jun 30, 2024 17:20:36.631110907 CEST	53	52773	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 30, 2024 17:19:54.888385057 CEST	192.168.2.6	1.1.1.1	0xb345	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:55.864197969 CEST	192.168.2.6	1.1.1.1	0xcebc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:54.896522045 CEST	1.1.1.1	192.168.2.6	0xb345	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:55.879339933 CEST	1.1.1.1	192.168.2.6	0xcebc	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:19:55.879339933 CEST	1.1.1.1	192.168.2.6	0xcebc	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49700	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:19:54.947591066 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:19:55.594471931 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2c882d621ec7b13b80b54e77f80ef25 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 17:19:55.633007050 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:19:55.823822021 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 06f1b42ac8f185ed50d0e33de76d9be9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 17:19:56.542232037 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:19:56.729926109 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7fb103820da1001b63f17f403df37bce Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49705	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:19:57.447264910 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:19:58.106270075 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dce41b3f071758bac7124b5928c531cd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49710	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:19:58.736856937 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:19:59.383162975 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e7d0d6a0cf03bae79a8b403db9916b82 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49713	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:20:00.119285107 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:20:02.188436985 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:20:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79ad715b87b15e1c732e5b4e187f48b8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49717	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:20:02.839154005 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49720	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:20:24.297055006 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49982	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:20:45.682045937 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:21:01.128643990 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:21:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d8a46c9d9e7faa87b0b855c6ab871c66 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49985	193.122.6.168	80	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:21:01.748138905 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:21:14.418400049 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:21:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dcb9a0caf822da505cdc1cfd57a70a21 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49701	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:19:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:19:56 UTC	709	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3360 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QRQUjpsIVelakGu5mlm5r3UYoJvHra0CtTnimJzcsyDnjKUIFq5HNF9vs5Uj%2BOzLlvY%2Fb50Ae0t68ehIEkt17MalprnCO6%2BDkNufo8TV7sRhtTKFZA2Qfwf%2FxQCu4Sps0%2F3Aj47e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf2331df641791-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:19:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:19:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49703	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:19:57 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:19:57 UTC	707	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3361 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gisi9QZgBOaIPfkM%2B3GnBlsTCafVsBxQSWD%2BkfgGgcrjBuvXVl83P4zDnVz64w%2FhmnA89hvN4cPhYncbLq6dPu3vTZoO3ueHEzn1qXKXglfolvFyXoYE%2FTiCP8zaXLNAcIh3NW6x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf23378d9119bb-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:19:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:19:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49708	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:19:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:19:58 UTC	707	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:19:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3362 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PrAfq52MoanOaMYvnZNeHiYfoIom60QN3myNj7zJvaVklxrK4C3BLGG9P5BVcTOq%2BH6%2Bu1Or6zNXynG9YUa5DZmz4Cd%2FvoRPiT3OS9oIpBkflLHK%2F2ZNLHSadr229DclTSjWgNxh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf233f99350f79-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:19:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:19:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49711	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:19:59 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:20:00 UTC	703	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:20:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3364 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sdv3kxJYG7IyC%2BWeK4G0dd%2BCCb5bKX3Df51tIb9KVh62GYoqpPgSFH1dKZypmSfj0MXjMhXdUEKsyKjKy7Q83rUbBro4DKJfXTuDWakK0ym5TWR7rhHzKKKBg5jvO4uQD3xQ5jSV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf23482b28435c-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:20:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:20:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49716	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:20:02 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:20:02 UTC	707	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:20:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3366 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I3hus4QR52kAzDy%2BWQAXJtL0lHLabTxJdyUKpJHNX0i2TD72oGz1PpEyTjXiYBlcUEIBwQEtp3fnT1FUU42BMRH6h3cp95jKIdzCQ0%2Ba8BtqhX4Cxa%2BnC%2BlGoNGjJ51DBTDVXBO7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf23592ade4271-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:20:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:20:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49984	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:21:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:21:01 UTC	705	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:21:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3425 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sso64gYqTDAVecK3xlCZsyE9kZjqq6s%2BsPyh8L5t235ahDQk3RJ6qI3aCwWmBB2ro8Wg6jQSaF1uz2cSo%2FXM1JFo9RkedIvJhtPZrH9WsO%2BYu9gKerZvDP84Anq7CPqe3V1eyDrR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf24c96d51430f-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:21:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:21:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49986	188.114.97.3	443	6428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:21:14 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:21:15 UTC	705	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:21:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3438 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z77fF3tUsUSvJYjxnQtopBFc%2BANk%2FTjodwzJaGlFSIlAM6CUJ82quOY1ezfEywfY5VQVz63BgkK%2FrAcWbTp8oNMNCnNt7dBmjw4cL7utZgkQOcMa9y3X7Dha03VZ3wXvJtFMxG4Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf251cac594362-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:21:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:21:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:19:52
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\MT Marine Tiger.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\MT Marine Tiger.exe"
Imagebase:	0x20d0dde0000
File size:	1'960'608 bytes
MD5 hash:	2DCF1E9B4CA5AFA19D7473F108AEA256
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2169216156.0000020D0FEBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2171481565.0000020D1FD68000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2169216156.0000020D0FBB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:19:53
Start date:	30/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:19:53
Start date:	30/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xe50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.2903792503.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2904940215.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:19:54
Start date:	30/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:19:54
Start date:	30/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044
Imagebase:	0x7ff758140000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:21:14
Start date:	30/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:21:14
Start date:	30/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:21:14
Start date:	30/06/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x160000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFD348B37DC Relevance: 2.9, Strings: 2, Instructions: 433COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFD348B3830
X]y4, xrefs: 00007FFD348B3870

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: X]y4$fish
API String ID: 0-768267135
Opcode ID: d4fc1b58c8df00e489c168569e123b03eb9c350f8082592f73bf992e7db4b249
Instruction ID: 26c26b4723c9786fc13a443b32973e1535c8f1d4b32cc8686bfc57667f50b12d
Opcode Fuzzy Hash: d4fc1b58c8df00e489c168569e123b03eb9c350f8082592f73bf992e7db4b249
Instruction Fuzzy Hash: B4C13931B1CA4A0FE758EB6898A55B977E1EF97210B04417ED58BC3292DE6CFC4683C1

Function 00007FFD34980060 Relevance: 2.1, Instructions: 2061COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172998082.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34980000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d125a9eb5a86f546db3234a011c1bd5b899b5404b05c778a1dec645ef99e341e
Instruction ID: 5cd1af37dccb4c046dcd183e756a99e6601d5f17c83da74fd12ca9b7727fb567
Opcode Fuzzy Hash: d125a9eb5a86f546db3234a011c1bd5b899b5404b05c778a1dec645ef99e341e
Instruction Fuzzy Hash: 8ED23972A0E7854FE796DB2C88A56A47BE0FF57300F0A05FEC189CB197D92DA806D351

Function 00007FFD348B1608 Relevance: 1.9, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD348B433F

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3d0c8e907dfef80b5da1d434da78d111552a6b2a2fea4499c8ff6e1f255c41a6
Instruction ID: 16efab7712ec50febeb941396ec70f11d65871f2379f728812629d6b939a4d02
Opcode Fuzzy Hash: 3d0c8e907dfef80b5da1d434da78d111552a6b2a2fea4499c8ff6e1f255c41a6
Instruction Fuzzy Hash: E6124231B1CA4A4FE759DB2894E25B177D0EF46314B1842BAD58EC7297DE68F84287C0

Function 00007FFD348B8A60 Relevance: 1.5, Instructions: 1459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e45030d44979c374b45628d76a1a5e5d72836eb9ea603d098dc4c9ff4af3b36
Instruction ID: 90aa9e45fdeebe9511f8fcaa6058ba04bcfd5d7fe79e681eb90790623666ff2c
Opcode Fuzzy Hash: 5e45030d44979c374b45628d76a1a5e5d72836eb9ea603d098dc4c9ff4af3b36
Instruction Fuzzy Hash: 89A2E431B086498FEBA8DB58D4A5AB9B7E1FF56340F1400BED04EC7292DE38AC41DB41

Function 00007FFD348BB651 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859e28674489325e1d796bead7d99edee1d5a488d287fef0f2c7c2f16705660a
Instruction ID: 1810b4933236f9a5d4ea2877f18ebc949988ef8bbd1628ec0490ea7bc2bcfb5d
Opcode Fuzzy Hash: 859e28674489325e1d796bead7d99edee1d5a488d287fef0f2c7c2f16705660a
Instruction Fuzzy Hash: 33622531A1D78A4FE716DB3888A44A47BF1FF57304B1841BED589CB5A3DE2CA846C781

Function 00007FFD348B8A58 Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2a479343517e6679153d121129af7600fca880e7af9b735526352c2c56677a
Instruction ID: 80f6859851b8570590a5b08a7ebbfcbbb9e0255ff77d022da16c7d24ae33d0eb
Opcode Fuzzy Hash: 4b2a479343517e6679153d121129af7600fca880e7af9b735526352c2c56677a
Instruction Fuzzy Hash: 4742B630B18A494FDB68DF2CD4A567977E1FF5A301F1401BEE48EC7292DE68AC429781

Function 00007FFD348B1610 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12d19976a055e617f0638faedd57fe1cd594002bc734b633e272f0e55dd6624
Instruction ID: b9a14b5c6347a23205acb28c8e3b30898135cf5dce4a2ae5662f65c2b7274ad3
Opcode Fuzzy Hash: b12d19976a055e617f0638faedd57fe1cd594002bc734b633e272f0e55dd6624
Instruction Fuzzy Hash: 48E12031B0C9064FEF689F2884A15B573D1EF96310B2442BDD58EE75A2DE2CF84297C2

Function 00007FFD348BB270 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0d1f6f9bc679495b640a2da1bc5e9bd094c95b08892aa9b843ae1504745dd5
Instruction ID: ad0d42feeddee7a96519e109f4b1b4062212ce9a575f2d77ad199f78ce3c8c44
Opcode Fuzzy Hash: ea0d1f6f9bc679495b640a2da1bc5e9bd094c95b08892aa9b843ae1504745dd5
Instruction Fuzzy Hash: D6D16A3160CB854FE31DCB2984E11B5BBE1FF96311B14867ED5D6C32A1DE6CA846C782

Function 00007FFD348C41C9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72def6403a26a3981dca94f92b2f67015c1b657b88e0b1c5008dea2c60235275
Instruction ID: 01cb5ad75fef67ed7ccf8daf791a2b183c103d526824d4f6217611f88feb7ddb
Opcode Fuzzy Hash: 72def6403a26a3981dca94f92b2f67015c1b657b88e0b1c5008dea2c60235275
Instruction Fuzzy Hash: 6F41593160D7891FD72E9B7898631B47BA5EB83320B0981BFD48BC7193DD286C468392

Function 00007FFD348B04B0 Relevance: 3.8, Strings: 3, Instructions: 1COMMON

Download Yara Rule

Strings

0M_^, xrefs: 00007FFD348B13D0
[/M_^, xrefs: 00007FFD348B1560
#0M_^, xrefs: 00007FFD348B1498

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: #0M_^$[/M_^$0M_^
API String ID: 0-494952869
Opcode ID: 2a6cdca193e208f19368872570b6ff9f562c8919074e92e0420997daca4b3f6f
Instruction ID: 1b68d187b2d52c525c7f3a37f8a113cd48217a58fa2cb28c2c599827d84d4207
Opcode Fuzzy Hash: 2a6cdca193e208f19368872570b6ff9f562c8919074e92e0420997daca4b3f6f
Instruction Fuzzy Hash:

Function 00007FFD348B19F9 Relevance: 3.1, Strings: 2, Instructions: 581COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD348B20A4
huz4, xrefs: 00007FFD348B1A19

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: d$huz4
API String ID: 0-1311405493
Opcode ID: 338f153196699507d4ad2d239f353fa39238e13f6185e4caefe31c2666144180
Instruction ID: 2a6a1b01fd427baa3009c5c357c75960338dca79fb848a1882a284a57e56d0df
Opcode Fuzzy Hash: 338f153196699507d4ad2d239f353fa39238e13f6185e4caefe31c2666144180
Instruction Fuzzy Hash: FA020631B0DA494FE7A9DB1C84A567577E1EF96340B1901BAD14ECB2A3DE29FC42C381

Function 00007FFD348B14E0 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

[/M_^, xrefs: 00007FFD348B1560
/M_^, xrefs: 00007FFD348B1501

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: /M_^$[/M_^
API String ID: 0-4069083276
Opcode ID: c6318ad88f42c25045e78992733c8b02c5c356f5885afa291dff30455e298748
Instruction ID: eec79347d8972481efe5e44e95bcd6a59712f6ef2f31ce5ecc317bb807e8d00b
Opcode Fuzzy Hash: c6318ad88f42c25045e78992733c8b02c5c356f5885afa291dff30455e298748
Instruction Fuzzy Hash: 9C21A611B0E1961BD221B3BC68F51F67BA4CF43369B0C52FBD2CDCA053EC6D64869285

Function 00007FFD348B06F8 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD348B20A4

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 470155a6141103308396158090f168edfe6be79067f8cd932bcc80d67db935fe
Instruction ID: 3d9f293a728168af9fa03e6c1f8023e61e56ad6d4e36855ce97e3a083b12c6fa
Opcode Fuzzy Hash: 470155a6141103308396158090f168edfe6be79067f8cd932bcc80d67db935fe
Instruction Fuzzy Hash: 87B1FE30B18A094FE369EB58C4A5572B3E1FF56310B1446B9D68FC76A6DE29F84387C0

Function 00007FFD348B0D35 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

H^z4, xrefs: 00007FFD348B0E00

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: H^z4
API String ID: 0-3986868669
Opcode ID: 56594e7c9d3ffbc54edfd22a6de3b9d08105e1b8b9d3299df87d757f1a451b02
Instruction ID: e6de8b02163a4e9c55aa28d1391e448de85195d04afc398de2f52eb9fb221a10
Opcode Fuzzy Hash: 56594e7c9d3ffbc54edfd22a6de3b9d08105e1b8b9d3299df87d757f1a451b02
Instruction Fuzzy Hash: 6551B351B1CA490FE794A72C54A63B46BD2EF9B214F1942BAE14DC72D7DC9CAC018391

Function 00007FFD348B8ED0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD348B907B

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: ce4920b62b135a5c9c5034e7f66dd5152c5012cb41d25e930361ee3a7fd305a9
Instruction ID: 2b8efb5f6177ec41476ce6786129fcaf17fe05fe92e07d0acf6b0c208607ca05
Opcode Fuzzy Hash: ce4920b62b135a5c9c5034e7f66dd5152c5012cb41d25e930361ee3a7fd305a9
Instruction Fuzzy Hash: 12510330A1CB854FE76ADB2888A50B177E0EF53300B1545BED59BC7AA3DD69B8038791

Function 00007FFD348B2DE0 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD348B433F

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 45a22deaae8fa4aa74c0cfd311c5f4224b94baae7408eb607e903c9c0124a4b2
Instruction ID: d6fd58ac483c034ccbfa31ac24ca73d0440ebec600a212fedb9796e0b067b49a
Opcode Fuzzy Hash: 45a22deaae8fa4aa74c0cfd311c5f4224b94baae7408eb607e903c9c0124a4b2
Instruction Fuzzy Hash: 17519E30A28A094FE75CDF08C4D693173E1FB5A704B5441B8DA5ECB297EE69F852C6C1

Function 00007FFD348BD873 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD348BD8CB

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 148d8ebb36501768a909379c1ac63103cd059bd10700f4422410b3111a5c65d5
Instruction ID: 19f22b00893bd9f25086dd1b50cd4bd3e44c4aee022f413021b7f8f84654f2c0
Opcode Fuzzy Hash: 148d8ebb36501768a909379c1ac63103cd059bd10700f4422410b3111a5c65d5
Instruction Fuzzy Hash: 71113A32B1CA495FE7A8EB18549617473C0FF94305B04047EE88EC3292EE6DA84293C1

Function 00007FFD348B2BA2 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Py4, xrefs: 00007FFD348B2C14

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID: Py4
API String ID: 0-2561284556
Opcode ID: 4266f37c2434b50a63b5f8a8d0faf26b084eddc4bee1398aaaaceb28cf6532d6
Instruction ID: a297308973149251fbea32f15807764c9230554b6ee88f36544b44491f201811
Opcode Fuzzy Hash: 4266f37c2434b50a63b5f8a8d0faf26b084eddc4bee1398aaaaceb28cf6532d6
Instruction Fuzzy Hash: 2711E46191C68A0FEB929BB898791E97FF1EF46210F0404E7D448DA093DEA959468381

Function 00007FFD348BFDF0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194cfadd92cca99370a8ee8b446e2e92616b95974322b8107cd64cc09e4b058a
Instruction ID: 348ac19af27754c75f19feaf2fb87b866ba0d4f3a71cbae14077d80d72e63b38
Opcode Fuzzy Hash: 194cfadd92cca99370a8ee8b446e2e92616b95974322b8107cd64cc09e4b058a
Instruction Fuzzy Hash: 3A124431A0CB4A4FE368DB2884A15B5B7D1FF97340F10467ED58AC72A2DE2DAC4697C1

Function 00007FFD348B8190 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cf01e37d84ac5a48d4e1ab927f7040bc505b0f7f0b9842c1ef294e273772a0
Instruction ID: 39520932ebcb6560de87a3c216f34255f627c409166722f98e5fa16df8e8c339
Opcode Fuzzy Hash: f9cf01e37d84ac5a48d4e1ab927f7040bc505b0f7f0b9842c1ef294e273772a0
Instruction Fuzzy Hash: 98021871F1C94A4FE7A4DB9C84AA7B977D1FF9A310F1401B9D24CC7292DEAC68058780

Function 00007FFD348C30C5 Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aeaee069b78bc9f2bf2c4a12c1c55bd7a1d76c4bc8e98e3ed5297d05e8abc4b
Instruction ID: 3f320945a2fc360322f836ae99146e3028c67f0bc7ee78f67af5e2c8707e1a4c
Opcode Fuzzy Hash: 7aeaee069b78bc9f2bf2c4a12c1c55bd7a1d76c4bc8e98e3ed5297d05e8abc4b
Instruction Fuzzy Hash: 32F12471B1C9464FE768D71CA8E65A4B7C1EF9A321B1402BBE54ECB692DE1CAC0743C1

Function 00007FFD348B8A48 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f63e4f4b8f6e236d17b295b1f2cafcebd45369434c433ad2e050475e94c2b0
Instruction ID: 7264d1648563a641ff37c5d89d98b2a6db180ff173e5138c872248dddd6675ca
Opcode Fuzzy Hash: 81f63e4f4b8f6e236d17b295b1f2cafcebd45369434c433ad2e050475e94c2b0
Instruction Fuzzy Hash: 82E1C831B0990A4FEBA8DB1CD4A4A7977D1FF5A301B1400BEE58EC7292DE69EC4197C1

Function 00007FFD348B3331 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1627a1b153baadeba1b69e69753273b0b2307fc9e8a2958a8e6104f7c9fe2c72
Instruction ID: bac8f3bbef2ba8fbfbf37ba28e1719f5bd2a988b7766ec500b66a524824816c5
Opcode Fuzzy Hash: 1627a1b153baadeba1b69e69753273b0b2307fc9e8a2958a8e6104f7c9fe2c72
Instruction Fuzzy Hash: A5C15A21B1CA564FE7299B1998E51B977D2FF97301B58427DC08BC72C6DDECB84292C0

Function 00007FFD348BC56A Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f15094ada3fe2f5d2749db83bc14c7f67da82cbe8cb2c82afed8ead1644579
Instruction ID: af16714dba038aea99d8bd465bf92a5adb066b1373bd44dbfb3f5d2796249297
Opcode Fuzzy Hash: f0f15094ada3fe2f5d2749db83bc14c7f67da82cbe8cb2c82afed8ead1644579
Instruction Fuzzy Hash: E0B12931B0C9494FDBA8DB1CD4A5A7977D1EF9A301B1400BEE18EC7292DE69EC4297C1

Function 00007FFD348BF2CB Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cbab0cfeaf392bc0a949dd0df4270f090cf9580983b768f82e0c614b15f41b
Instruction ID: 1bcad517e70d40efd4a4f8303ea94a8eac6bdd18138c268c2945aa4269fc6b2f
Opcode Fuzzy Hash: b4cbab0cfeaf392bc0a949dd0df4270f090cf9580983b768f82e0c614b15f41b
Instruction Fuzzy Hash: 3A91D431B1890A4FE7A4DB4C84A63B533C1FFA9311F5445B9E64DC7692DEACAC0A97C0

Function 00007FFD348BAEAF Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47b79cca045f007818737c821d6edf65646abaa729bc53884054115897f6aae
Instruction ID: 012794dfbc1789d055aec270c4c048ad3ff2395a2e6c3554707d7d62c97e17fc
Opcode Fuzzy Hash: b47b79cca045f007818737c821d6edf65646abaa729bc53884054115897f6aae
Instruction Fuzzy Hash: 73913771B1CB860FE71DC72948E11B5BBD2EFC6301B04867EE5DAC3295DD68A8429781

Function 00007FFD348B7363 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1bec338a2dc47349148011739073b7c5e7658be74de748be61e4f70932f715
Instruction ID: 7ef95186eb8613389a692e3d1dd7f22cc297e2f01e52aa2788a98fab3483cf4c
Opcode Fuzzy Hash: 9f1bec338a2dc47349148011739073b7c5e7658be74de748be61e4f70932f715
Instruction Fuzzy Hash: F681A431E09A498FDF85DB68C4A5AAC7BF1FF56300F5440BAD44DD7292DE78A841CB40

Function 00007FFD348C0118 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b93162f09d1871b122a567f634afcd6850cbb382faa83c4a72723f6b4e4d16
Instruction ID: bdf47786641b2a28460d46d163323f3aa900e786e6759a1b78e1ac063a5fe754
Opcode Fuzzy Hash: 07b93162f09d1871b122a567f634afcd6850cbb382faa83c4a72723f6b4e4d16
Instruction Fuzzy Hash: E9815671A0CB894FE7A49B5894A1A75B7D1EF9B380F0001BBD58DC72A2DD2CAC029781

Function 00007FFD348B8E75 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00af8da27a11100636737b987923ffa6e9e4c0d246ecf88b5d08fda96d77efcd
Instruction ID: 14041304e0e211bf5378ea45ffe7348bf334c85f7d8ba2319ab3842c48cca082
Opcode Fuzzy Hash: 00af8da27a11100636737b987923ffa6e9e4c0d246ecf88b5d08fda96d77efcd
Instruction Fuzzy Hash: D681E230A1DB854FE72ADB2888A44717BE0EF56304B1444BED59AC7693DE69BC07C781

Function 00007FFD348C2365 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c38e9dc28f8c82aaf55cef4337544a23254c3e36f41ff28630e7d0644fc11
Instruction ID: 8336d9fd7aa723c414935c553547b47fa0b6158ac3efa4276aed2795612f7db8
Opcode Fuzzy Hash: 248c38e9dc28f8c82aaf55cef4337544a23254c3e36f41ff28630e7d0644fc11
Instruction Fuzzy Hash: B471B131A089494FDB98EB5CD4A56E9B7E1FFA9310F04416AE40ED72A6DE34EC41CB81

Function 00007FFD348B04B8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fcbb1b43139bf19e5ff8c776f86c36b3f1eccf23b02f9e624eef9737acac23
Instruction ID: 9468d15b811e1824be9e5583c31c6f635dd78301be39dbca8da3f09cc485307a
Opcode Fuzzy Hash: 98fcbb1b43139bf19e5ff8c776f86c36b3f1eccf23b02f9e624eef9737acac23
Instruction Fuzzy Hash: 6571D130B1CA094FF758AB7884653BAB7D2EFCA350F14407AE50ED72D3DD6CA8425281

Function 00007FFD348C2380 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2e4c995db5052e8cefcf2dc1bf17e9ca6eee1af662e0c092e4607a384b4e36
Instruction ID: 6fe5b335a66d9a0401c1df992267071aae1d2f7e39852f88409924c8ec704c26
Opcode Fuzzy Hash: de2e4c995db5052e8cefcf2dc1bf17e9ca6eee1af662e0c092e4607a384b4e36
Instruction Fuzzy Hash: EF61B231A0894D4FDB98EB5CD4A56B9B7E1FF99310F04416AE40ED72A6DE34EC418B81

Function 00007FFD348B04C0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56afd47419ccc2864a848288f143075d2c39404ee66cbb474afa1fea525629a3
Instruction ID: 07d968c1f895823f123d726bf9d0044ad28d256ded79f76b77c6d9f16edb8d73
Opcode Fuzzy Hash: 56afd47419ccc2864a848288f143075d2c39404ee66cbb474afa1fea525629a3
Instruction Fuzzy Hash: 13515A21B1D64E0FE759AB6898A21B577C1EF43324F1402B9D58EC7197DDADB84383C1

Function 00007FFD348B1675 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5ece052c90a26cdbe1beb0ebed17deb13af67a771bba648e111105bc3f133f
Instruction ID: a3ef6e947d021bb9d09949aa1424e750093f5875715a30c285ca30fab348633a
Opcode Fuzzy Hash: 7a5ece052c90a26cdbe1beb0ebed17deb13af67a771bba648e111105bc3f133f
Instruction Fuzzy Hash: 4C61E320B1CA490FE754AB7894753BA77D2EFCA350F1441BAE54ED72D3DD6CAC025281

Function 00007FFD348B1678 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537adf0a9cbe72107c2b23329bcefe3d72a21ee21c3fc9d0d13fed9ca97a5a76
Instruction ID: a9c0fc57ec7bac77b3c973d5c289c7dbca58368a433ecf4cf26a238f86cc7618
Opcode Fuzzy Hash: 537adf0a9cbe72107c2b23329bcefe3d72a21ee21c3fc9d0d13fed9ca97a5a76
Instruction Fuzzy Hash: FC61E320B1CA090FE754AB7894753BA77E2EFCA350F18417AE54ED72D3DD6CAC025281

Function 00007FFD348B6076 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e97d899bd30200974ef615294137d22eacb2026ca8aef35398cf95aea3e0bd2
Instruction ID: 53633eade12e0ec29b871941363eea98b53c173bc2e626c01d8d26de43895781
Opcode Fuzzy Hash: 0e97d899bd30200974ef615294137d22eacb2026ca8aef35398cf95aea3e0bd2
Instruction Fuzzy Hash: C271D435A0891A4FEF88EF54C4A0AF973E1FF55304B140679D51AEB2A6DE79F8418BC0

Function 00007FFD348B29ED Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b480e9d4b3a4f52f44cd0d1323047ddfc5693dc365d9a5b1076100d9f00f469a
Instruction ID: 0bbf7ed8c9f001f378d56646c86ceb402ba1d3282732983f10d7af388683897f
Opcode Fuzzy Hash: b480e9d4b3a4f52f44cd0d1323047ddfc5693dc365d9a5b1076100d9f00f469a
Instruction Fuzzy Hash: 7651EB31B189094FEB98EB6C98B96B877D2FF8A341F04017AD50ED7292DE6DE84147C1

Function 00007FFD348BC21D Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eda9d3499fbc62f24286375a05624a61bf7d276a1fa91bdb1d137d947c7fee1
Instruction ID: e479230474b89b643033d62cb92e96e12e949256fbf539b5395663c77d20d75a
Opcode Fuzzy Hash: 2eda9d3499fbc62f24286375a05624a61bf7d276a1fa91bdb1d137d947c7fee1
Instruction Fuzzy Hash: 21513A3070E7894FD359972D84A10B67BE1FF9B720B44067EE5CBC7292DD69A84283C1

Function 00007FFD348C35D0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2f6174db4bcd8bead82863aaf4a5936806760c953036dc7e6766e55c2dbcd1
Instruction ID: b3cca8fbdf4021b615986ece197fb5a603d62a369d37110dbd170fc02fce98ba
Opcode Fuzzy Hash: 7b2f6174db4bcd8bead82863aaf4a5936806760c953036dc7e6766e55c2dbcd1
Instruction Fuzzy Hash: 8051C992B5DAC60FE769A7B844B66A1B7E4EF56214F0842FBD04ED3183DD3CB8058741

Function 00007FFD348BF5A9 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba02c690639392563bc03ef44f635b05974b58371f3e19598930646d43f17ab
Instruction ID: 45cc2ed646de1ee111cab2ae5632f90c4c1f9f070d1ea9e39a0e1e62fd87e5ce
Opcode Fuzzy Hash: 8ba02c690639392563bc03ef44f635b05974b58371f3e19598930646d43f17ab
Instruction Fuzzy Hash: 8C514071E18A4D8FEB94EFA8C8A97ADBBE1FF59300F540179D40CD7292DE7968418B40

Function 00007FFD348C2E85 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8966a7c2424ecebeb70aa934150dec540c2e7f68d9b62ba4b24247a7dec2ff8
Instruction ID: a44a9d10ec299bff4fb9b9bd0121f48c50adf768fb4370e8931f19b662a011ee
Opcode Fuzzy Hash: e8966a7c2424ecebeb70aa934150dec540c2e7f68d9b62ba4b24247a7dec2ff8
Instruction Fuzzy Hash: 88519731E0895D8FDF94EF28D4A56AD7BF1FF5A300F1800AAD409D72E2CA29AC41C740

Function 00007FFD348B8188 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d59822be46c2de895c0f40b9e6a90508f178125da2c9d3fb43bd4c2f4b27242
Instruction ID: a2447d6ad39fcdd656217ac252fa17016511ef1a81597b6cab32ddf17b6fa84c
Opcode Fuzzy Hash: 2d59822be46c2de895c0f40b9e6a90508f178125da2c9d3fb43bd4c2f4b27242
Instruction Fuzzy Hash: E341E271A1890D4FEB58EF48D8A66F977E1FF5A310F040179E54ED7292DE68BC418780

Function 00007FFD348B1590 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d965d5b17c5e3f8fc24de4eb3f42aeaf2f4a61ad6f08055925a47b4768a0c9ab
Instruction ID: 06f2ef137d4c95a4eb5f744a78623ec3d35e270db0c514683c5eaa3cc1abbafd
Opcode Fuzzy Hash: d965d5b17c5e3f8fc24de4eb3f42aeaf2f4a61ad6f08055925a47b4768a0c9ab
Instruction Fuzzy Hash: 5941FD31B1890D4FEB98EB6C94B92B9B7D2FF8A305F14017DD10ED7282CE69A8418781

Function 00007FFD348B31C9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be895f87eb2cf4273c0cc61fbdb34effa5a788f33f2abd08e53a12e59992256a
Instruction ID: 75af1eb9de525915590597a45f2655c088e2bb83d0fd67227094cd0ccb3f000e
Opcode Fuzzy Hash: be895f87eb2cf4273c0cc61fbdb34effa5a788f33f2abd08e53a12e59992256a
Instruction Fuzzy Hash: 6F41E416B0CA4A0FE765976C58B92B83BD0EF56311F0401BBE549C72D3DD9C684593C2

Function 00007FFD349810C9 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172998082.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34980000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0df4d7ac333f4a789c57e1a72bb4742d96eccb62fa597907a5972253fb04ab
Instruction ID: 82e7139dedfd30a6de205852ca82251b6420fd1843eee79f5a3b301890cf3bfd
Opcode Fuzzy Hash: 5b0df4d7ac333f4a789c57e1a72bb4742d96eccb62fa597907a5972253fb04ab
Instruction Fuzzy Hash: 33412A31A0DA894FDB86DF18C8E59E87BE0FF56300B1505FED44ACB197DA2CA841C791

Function 00007FFD348B8868 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e88a8160c2ed4021b65ff023d5f656ce23c8a9ec7097cbed0850e7985e5936
Instruction ID: 5f258f558e94258b245626bbaf598c6c0f3218738a3bbed30f760d1779cc35f2
Opcode Fuzzy Hash: 14e88a8160c2ed4021b65ff023d5f656ce23c8a9ec7097cbed0850e7985e5936
Instruction Fuzzy Hash: 12413F31A1491D8FDF94EF58D4A4AA97BE2FF99315F14016AD40AE72A1CA75EC40CB80

Function 00007FFD348B3E3D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff00720b2529c02ab0eaa7ef61074da351e560bc775f4ab00d53c41990593cc
Instruction ID: 9f4aa191c28558047191f50a6947f40f88b05235d7ad136ccd9cc278c6264bba
Opcode Fuzzy Hash: 9ff00720b2529c02ab0eaa7ef61074da351e560bc775f4ab00d53c41990593cc
Instruction Fuzzy Hash: BE41273060DA954FD70A9B2888B55B57BD0FF57304B0845FED08ACB2A3DE6DE545C782

Function 00007FFD348B09E5 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0b7ded043d76f4cf198669ffbc4a6ed65ec24d77f337fded1d9d075e80b436
Instruction ID: fec1fd2e8f8ddf36fa84a6c0fa2347fd8ba8ff25d42e3dfd19c021b6ab4feb04
Opcode Fuzzy Hash: 9a0b7ded043d76f4cf198669ffbc4a6ed65ec24d77f337fded1d9d075e80b436
Instruction Fuzzy Hash: AE316822B1DA4E0FE759AA6898965B577C1EF53320F151278D98AC7147EC9DFC8342C0

Function 00007FFD348BF05E Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8400f68774227ab8382a4a56b44bedad18ff6922db2b7091c663215907a3dae7
Instruction ID: ecb083c9dafc5c4699de31344239b15ebf336b116ce74f34b8e483e33f82bdd8
Opcode Fuzzy Hash: 8400f68774227ab8382a4a56b44bedad18ff6922db2b7091c663215907a3dae7
Instruction Fuzzy Hash: 8B31A032B0890A4FDB54EB4CE4A59A9B7E1FF99310B14416AD50EC7296DE38FC468780

Function 00007FFD348B8860 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a4347f0a9df46948168d7f84e671f0fcd3c2ff047ae20358c6ff13597ea9cb
Instruction ID: 46f5a8a1adc9a9f69c9948c5525eb032995c1616c5d293b43b2301e292ce62c5
Opcode Fuzzy Hash: b9a4347f0a9df46948168d7f84e671f0fcd3c2ff047ae20358c6ff13597ea9cb
Instruction Fuzzy Hash: 33316A30A1491E8FDF94EF5CE4A86BA77E1FF5A305F44056AE00AD72A1CB75ED408B80

Function 00007FFD348B0F31 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bf1236a2958e4f910bb84f4519808dfc8091594dbbebb15b16ee97333cc291
Instruction ID: 744a4517f7a5dfdf0b1faca6afb649d2c30f5f45d7f463eb8b940b03ac70abe5
Opcode Fuzzy Hash: 67bf1236a2958e4f910bb84f4519808dfc8091594dbbebb15b16ee97333cc291
Instruction Fuzzy Hash: 8431DB31B1896D5FDB55EB68D8A56EDB7B2FF99300F1400A9E04AC72D2DE74AC02C781

Function 00007FFD348BB435 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a81d6236b495c8d62f32ad058ffffb3a1607d9ac49b610f7761a4696d5469d
Instruction ID: 76fe6177efdcc2150ebafed91126bf419688f0ee35ef83b0c1eedb555dafa94b
Opcode Fuzzy Hash: 74a81d6236b495c8d62f32ad058ffffb3a1607d9ac49b610f7761a4696d5469d
Instruction Fuzzy Hash: 8831053160CB854FD709CB1C84A25B5BBE2FBD6311B14867EE5D6C32A1DE78E441CB82

Function 00007FFD348BAF0F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f58c06abc2c9d2e85bc5bfb65381b3191832b98f562e00d84ffa99d0a0cd976
Instruction ID: 6973f1bac493d6c1a322d71e868502063f8d55983a43d3a7c74e5a21e574e3a0
Opcode Fuzzy Hash: 3f58c06abc2c9d2e85bc5bfb65381b3191832b98f562e00d84ffa99d0a0cd976
Instruction Fuzzy Hash: CE31C73060CB854FE318DB198491479BBE2FBC6301F14867EE5D6C3396DA74E5428B81

Function 00007FFD348B0C29 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61c883441d2b3a4dba3c3cf70029b10b9874f5c06afb803bbf6fe852ab06881
Instruction ID: 97a0ce34f7c67e1c504741ea6551908e0d52af76442c93b299c0183a9dc0c7d9
Opcode Fuzzy Hash: b61c883441d2b3a4dba3c3cf70029b10b9874f5c06afb803bbf6fe852ab06881
Instruction Fuzzy Hash: DC219161F1DA8E5FE795E76C98B22BD77E2EB8A210F0501B6D549C3292DE2C6C0643C1

Function 00007FFD348BB476 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16a97f1713b8bfe535afd51df3ee2536d897dc6063ba34a7231e6b76089f850
Instruction ID: bad430851a04d62ee5060df479f06d169114734f2b617d14b9fdecc5b47724de
Opcode Fuzzy Hash: b16a97f1713b8bfe535afd51df3ee2536d897dc6063ba34a7231e6b76089f850
Instruction Fuzzy Hash: 3331C13060CB854FD708DB18C4955B5BBE2FBD6311B148A7EE4DAC32A5DA74E541CB82

Function 00007FFD348B04D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e5d910083d529f2eb84bfe0723812ede49607d12ad7679bd42cbb9b8f3a7a6
Instruction ID: 5a34aee6fee6ac8c99dfda5056665a472e11f006bbe6159fe56367c250c81835
Opcode Fuzzy Hash: 55e5d910083d529f2eb84bfe0723812ede49607d12ad7679bd42cbb9b8f3a7a6
Instruction Fuzzy Hash: 3721A631B1496D5FEB54EB68D8A96BDB7B2FF99700F1400A9E00ED32D5DE74AC028780

Function 00007FFD348B3055 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1badca1c15dca12ddb882f183105c515549349dea2d290e0345eb9af9f691296
Instruction ID: f9836c107eb1cf0b8a5b6ed9c0b0dcdb205241e6df3e4dd9b3fdc266e4ff73cc
Opcode Fuzzy Hash: 1badca1c15dca12ddb882f183105c515549349dea2d290e0345eb9af9f691296
Instruction Fuzzy Hash: 8921E731B1DA494FDB55EB6898A51BC7BE1FF4B300F04007AE049DB293CE6898018381

Function 00007FFD348BBB29 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47b7f4f24a0388f090430878be4d594ad0c5329cd7c42c5f770802b59af4274
Instruction ID: 676cd3717d399f2d58b4286bea560e7d6fc8b9eb9d0bd53da61b7a1db10088b2
Opcode Fuzzy Hash: b47b7f4f24a0388f090430878be4d594ad0c5329cd7c42c5f770802b59af4274
Instruction Fuzzy Hash: F221F93061DB854FD346DB38C4E40A07BE1FF9620971446FFD499C72A6DE29E986C781

Function 00007FFD348C2DD9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64109a550701152519f2cf168ff0676b146fceef23e6188f6a62d33ec5cc96ec
Instruction ID: 9b7f114311860b764f596e04257554160f941c68fce1ad9cf36c6d9876873908
Opcode Fuzzy Hash: 64109a550701152519f2cf168ff0676b146fceef23e6188f6a62d33ec5cc96ec
Instruction Fuzzy Hash: BF21B021E0CA494FE351EB24C4A82B9B7D0FF5A314F18057AD44DD71E2DE2CA9428781

Function 00007FFD348B9080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b873f81c10398a4fcf12c87bd9d0a8a3a2adf66f1253d0483046810c95abeb21
Instruction ID: 34bd57d6eb19eee4af0472df04bd55ea133a721d97fbb658201ef11b1c5d181b
Opcode Fuzzy Hash: b873f81c10398a4fcf12c87bd9d0a8a3a2adf66f1253d0483046810c95abeb21
Instruction Fuzzy Hash: 24218C30A14A084FE769EF08C5955B1B3E0FF55300B6045B9C99FC7A96DE29F8538BC0

Function 00007FFD348B404D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcae71c86f90651b98cf5b9bb0d1d7bad542fd8a525a67bb08e96ed500b34f8e
Instruction ID: daea5e438e690aa166444b14244d65328e4b114740dedf6d6da0fcb0e4a6de43
Opcode Fuzzy Hash: dcae71c86f90651b98cf5b9bb0d1d7bad542fd8a525a67bb08e96ed500b34f8e
Instruction Fuzzy Hash: 06115B21B0DA4A4FEB95A77884F56B677D1DF56210B1405BFD04EC71D3CE7CA8069380

Function 00007FFD348C42B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ca07345bf72eefd2500f61a874978e269af7182c7a9a8b3ece96ecc2f59779
Instruction ID: 6486277b1042221ff8b9f466721868fccf3b11bc9a4540a481dcdc084af94ea6
Opcode Fuzzy Hash: 34ca07345bf72eefd2500f61a874978e269af7182c7a9a8b3ece96ecc2f59779
Instruction Fuzzy Hash: 4111223170C5081F9B2C9938886A47BB79BD3C7225B52C33EEA97C2296DD68981352C5

Function 00007FFD348C4454 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411e1f69822e953c25f0056b034562ecff7da93d7dacf487cf1ca50a8db6a017
Instruction ID: 07ed610d1cd9d9234b93680731bfe3c055b43123925a234ccc7941158cb6b2c2
Opcode Fuzzy Hash: 411e1f69822e953c25f0056b034562ecff7da93d7dacf487cf1ca50a8db6a017
Instruction Fuzzy Hash: B221BE3061C7018FD30DCB18C5A1576BBE1FB96705B24956ED587872A7CE38F886CB92

Function 00007FFD348C20DE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41f294a9958c6d7774ff3de9b050d0c55a60b4476090e5cab92e48c22ff1f31
Instruction ID: 35e0cb2bdc865a98307619a9843c69f41fa3206871cb9898dbfff6cafce6e9be
Opcode Fuzzy Hash: e41f294a9958c6d7774ff3de9b050d0c55a60b4476090e5cab92e48c22ff1f31
Instruction Fuzzy Hash: 6811257154E3CA1FE71656799C4A5E67F94EE83230F4902EFD085CB0A3E15A2817C762

Function 00007FFD348B103A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a23e2b2e2d1200565ff50816b0d74d14e1d5d8318a7f2ae251e3c129ea84f1a
Instruction ID: 6db664df2a59f8807928400a9793a0e2c08a754ed30a63ccbea95b6281340715
Opcode Fuzzy Hash: 6a23e2b2e2d1200565ff50816b0d74d14e1d5d8318a7f2ae251e3c129ea84f1a
Instruction Fuzzy Hash: 70111231B0CD1D4FDF95EB5894E26ECB7A1EF59310F44553AD10ED3282CE69AC429780

Function 00007FFD348B8A38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8181e8851366bf3aede54c93089cc8199cc8eadd3400a608e92c6655d7dde6e
Instruction ID: f0e06d839830306b0eb7c3bdd6321199311e54ca13361f037159187855910142
Opcode Fuzzy Hash: e8181e8851366bf3aede54c93089cc8199cc8eadd3400a608e92c6655d7dde6e
Instruction Fuzzy Hash: 8811C630619A054FD76CDB2CD0E497A77E1EF9A315B54053EE44EC32A1CE7CE841A781

Function 00007FFD348B0939 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dfbbc6e724a156e87067c51d671a62230ace3bff78eccaaa18f378f92243c8
Instruction ID: ac4574ef86bb9dd40089a5bb244b15243a71eda488250427258dfdb092788221
Opcode Fuzzy Hash: c5dfbbc6e724a156e87067c51d671a62230ace3bff78eccaaa18f378f92243c8
Instruction Fuzzy Hash: 7211C624E1D2870FE31167F444762E57BA5AFC7214F5840B9E18CCB1C7CDACE4054392

Function 00007FFD348B4665 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420b1a6cb856e65bb6ebf3c560638ed457f4ec9a73c41c4b67345ebd67c37576
Instruction ID: 58dea71641fcba8610dbc6c2ad0c73f44dac9e8b9ae7448d91e3aca749391cd9
Opcode Fuzzy Hash: 420b1a6cb856e65bb6ebf3c560638ed457f4ec9a73c41c4b67345ebd67c37576
Instruction Fuzzy Hash: 3611807160DBC40FD782D73444655623FF0EF9F220B1802BBE488C7263CA64AC44C792

Function 00007FFD348C4496 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2e81e72a25186fae3364a58eb35bfe42db5cb404894c8e8705080ab2042463
Instruction ID: b2169336a35d8e72246af4aa61ce5847350ac88900df098d16e44e360fe3f170
Opcode Fuzzy Hash: cc2e81e72a25186fae3364a58eb35bfe42db5cb404894c8e8705080ab2042463
Instruction Fuzzy Hash: 41117C306187018F930CDF08C4E1876B7E1FBD9711B20566DE987876A6CA34F886CB82

Function 00007FFD348C437B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dce8c454c2fc8bb80d560ed3204630fb2fe8013f6804e58d39706a76cabaf
Instruction ID: 69e9bc59e2b6a4fd40f41a63cc76b65a014ff5f544f260361a6048afa3e1a708
Opcode Fuzzy Hash: 153dce8c454c2fc8bb80d560ed3204630fb2fe8013f6804e58d39706a76cabaf
Instruction Fuzzy Hash: 32019E307586058BDB0C9A28C5A657A73A7EBC6305F60C63ED587C62DACE38E907C785

Function 00007FFD348BC3D1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e82a3b122d26faca982eb4e4a78efc9b02b4deeeb3c31c1f66fb67e6fcf0af
Instruction ID: 434e5b6ee02efdcfb23e83a4f0f9351c6ab437772f665bfa6e24f1c868a54420
Opcode Fuzzy Hash: b1e82a3b122d26faca982eb4e4a78efc9b02b4deeeb3c31c1f66fb67e6fcf0af
Instruction Fuzzy Hash: 95F0F23561CF894FC766D73C949056577F1FF5931030901EBC489C7596DE58EC468391

Function 00007FFD348C4078 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3d6dcca47e19e846969c3e49d5c9ff3452785b81de2a3c559c553f86b04763
Instruction ID: 5a0a3ee7ced12dc947c7fe00c176b8047b4b259834b334d8322c7decd65fccdf
Opcode Fuzzy Hash: ea3d6dcca47e19e846969c3e49d5c9ff3452785b81de2a3c559c553f86b04763
Instruction Fuzzy Hash: 0F012630B58A054FD35CE72C89911A973D3EBC6360B448239D906CB3D9DE79AD82C7C0

Function 00007FFD348C34BA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9729985ac9a0e0865af21d0bc1666b3eb7bd60d2babd1ffbe5a796fa2c8e01a6
Instruction ID: 56b3b16e082a1fd6e8c05b741f4839803c3e0f8c6f41434dc0cb8cd14fe4149f
Opcode Fuzzy Hash: 9729985ac9a0e0865af21d0bc1666b3eb7bd60d2babd1ffbe5a796fa2c8e01a6
Instruction Fuzzy Hash: EEF0F635B0C8164BC20CAA2C999217A7187D7C6711B1083BED94ACA3EADD28DC1781C1

Function 00007FFD348C3A94 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417e7c722944c6bed4245d081b0840a15016dc21c3161d7d5409cf4451c326c5
Instruction ID: 9123ca2a14e98cbaea6d18e4d0a7ca1b168be463e3a4fcdcd42784eefbbe0f6d
Opcode Fuzzy Hash: 417e7c722944c6bed4245d081b0840a15016dc21c3161d7d5409cf4451c326c5
Instruction Fuzzy Hash: E2F06830B186054FC71CEB3C8595075B3D7EBC6714720927ED18BC629ADD38E8178584

Function 00007FFD348B2999 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee84f32f3a8796fdfaf3c3cb2bd62f7fddffe418cf890130b25797e04de8f184
Instruction ID: 67d625b1d6840df7402a19911b69793f78e54de269d961d81651f60d4dc1335b
Opcode Fuzzy Hash: ee84f32f3a8796fdfaf3c3cb2bd62f7fddffe418cf890130b25797e04de8f184
Instruction Fuzzy Hash: E7F0B421B0DB484FC795A77C68AA1987BE1EF5B35074901F6D009CF293DD5CDC054391

Function 00007FFD348C2121 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bafe06ea7cc3344210bdeda99d1710d860c261b795225e7ae16889a6edc36b6
Instruction ID: 87ae9328078a8c22fa66ce3f20c93b133fd3f241549d245c373397543a8d61f4
Opcode Fuzzy Hash: 4bafe06ea7cc3344210bdeda99d1710d860c261b795225e7ae16889a6edc36b6
Instruction Fuzzy Hash: 2F01D62580E3C25FE70747784CA1555BF509E03260B4E03FBC5D4CB1E7D65D6416D752

Function 00007FFD348B2CD8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbeb8fc5c114e9e3416c048925725fd29fc765a8e5b9939bad61ec0f6c9b38b9
Instruction ID: 24ad864aa2f19f7d3d244898a82c96d70ef70d09882827144bd6db90b3d2bec6
Opcode Fuzzy Hash: bbeb8fc5c114e9e3416c048925725fd29fc765a8e5b9939bad61ec0f6c9b38b9
Instruction Fuzzy Hash: DEF0A035718D0D4F86B8EB2CD494A7673E1EFA831031506BAD44ED3668DE24FC428780

Function 00007FFD348B04C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46c87eee4f7867faaae0d92eb9b6ba87eaca33f6fe58f1191c3c9f4fc7b99e1
Instruction ID: fcd73b504446863ef2353ce7261f7e5bb34697140311525a03cb28c219f331da
Opcode Fuzzy Hash: a46c87eee4f7867faaae0d92eb9b6ba87eaca33f6fe58f1191c3c9f4fc7b99e1
Instruction Fuzzy Hash: 9FF03014F3944A4FFAA4B76C54B636866D1BF97315F8405B4F04DCB292DDACE8404381

Function 00007FFD348C3DDC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220b7fd8f31027b731d76be910bb21cd885582fe960a32b7b63810cf5b734d8b
Instruction ID: eb9b11c44f56e347da052e1d5b3407823731f92f73c980414246c00274b90f5e
Opcode Fuzzy Hash: 220b7fd8f31027b731d76be910bb21cd885582fe960a32b7b63810cf5b734d8b
Instruction Fuzzy Hash: A7F0B431F0C60A4BE768FABC98E54B6B383DBE5310B14437FC207C6695ED39B9426280

Function 00007FFD348B0620 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c33db20b63fa5ca0265d8b82c14a03287f5e91f53c13a2fc5534855f069124e
Instruction ID: 5a005998671c25f1673d3e26397a4c0f52040626772abcdf7f073e87d38cba23
Opcode Fuzzy Hash: 0c33db20b63fa5ca0265d8b82c14a03287f5e91f53c13a2fc5534855f069124e
Instruction Fuzzy Hash: C9F0822191D6C60FE326173488656A57FE0EF87280F4941FAD2CACB0D7ED8C680A93D2

Function 00007FFD348C3AF7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6597efd7a0515c70ae0fa21b62214d78ab7eee984afd6809f06f1263b4b1a0c9
Instruction ID: c3f8ae1da416aae2a7b11f8f0b3da50272c5f2005f49f2d17494a5eab0ab3adb
Opcode Fuzzy Hash: 6597efd7a0515c70ae0fa21b62214d78ab7eee984afd6809f06f1263b4b1a0c9
Instruction Fuzzy Hash: 93F08231B1C6064F8B1CDA2895A507972DBD7D6360724D33EE48BC62E9DE3899074589

Function 00007FFD348BB0A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51abf1a212d2abf52e46be2e5bd75ef012bee3d5e1d5a515951f376ad3e8d585
Instruction ID: f780f801911b1f7a7d1953afb4b7468c7e60b484ebd49ba1bc33029232ef200e
Opcode Fuzzy Hash: 51abf1a212d2abf52e46be2e5bd75ef012bee3d5e1d5a515951f376ad3e8d585
Instruction Fuzzy Hash: 9EE0DF12B0ED460FDBA8D2ADA8E51B097C1DBD9224708027BD12CC3796DC8CAC468380

Function 00007FFD348B29B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9bfa20fa78b40194a25e5eb31fc40fc38f0f9fa2bc60593aae33ffaf5c3a4b
Instruction ID: 11660808adaaeac5f0cb4b49b8ef49732156fec391d05e9dec01f43a64279038
Opcode Fuzzy Hash: fd9bfa20fa78b40194a25e5eb31fc40fc38f0f9fa2bc60593aae33ffaf5c3a4b
Instruction Fuzzy Hash: 43E04F30B159084FCB98B77CA8595A872D5EF8E35174405B9E40ECB296DD69DC414380

Function 00007FFD348B0CFE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f67149b1e946715a0b109c4ef16b5073a89bbfd336c2a17edf8981ef6d6b41a
Instruction ID: 9cf4c7a626079aa72af0c8a218ea286a5a227bc958cc9dee07cac8795c124c8d
Opcode Fuzzy Hash: 8f67149b1e946715a0b109c4ef16b5073a89bbfd336c2a17edf8981ef6d6b41a
Instruction Fuzzy Hash: E4E07D3650DD8C0BDF40EA59AC114D67B90FBC630CF00019BE59CC7281C6119415C381

Function 00007FFD348C447B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a63ebf924a4e5a328835a2e7fae59612b44cff53ce7b8bff37f8ff25193e593
Instruction ID: 2ebad364ca53f0e9f17965d81da5a273a04383fd4e5978ef6ca798297a997512
Opcode Fuzzy Hash: 8a63ebf924a4e5a328835a2e7fae59612b44cff53ce7b8bff37f8ff25193e593
Instruction Fuzzy Hash: 90E06C3160D2024EA31D5B14C5B14BBBA54DB87745F30517FD687C70A6CD2C95816552

Function 00007FFD348B0906 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59facfb0c59fed4a3549569893693ad4d0ce46701ca45c198960a397906e23f0
Instruction ID: 3472a5f88bbb0146ca7503623270ad421492706ab472e9561580974c326e9889
Opcode Fuzzy Hash: 59facfb0c59fed4a3549569893693ad4d0ce46701ca45c198960a397906e23f0
Instruction Fuzzy Hash: 3DE0C23294EE8C4FCB44EA696C510C57794FB4A308F01055AE59CC7282EA6699618382

Function 00007FFD348BA49C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a8eed9892a87ddc606a26075bb16c5c993389c6236529c321e4b853d55c70d
Instruction ID: 2f1b0d7009c3fef9824b72d45d48c0c50b33f1cced8314033b718e6440fe0375
Opcode Fuzzy Hash: e1a8eed9892a87ddc606a26075bb16c5c993389c6236529c321e4b853d55c70d
Instruction Fuzzy Hash: A3E0263254F2C14FC302A63988A10497F816F83210BA884FEC184CF2E3D86D840AC742

Function 00007FFD349809FC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172998082.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34980000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97aac1fb68ea8477944543ae26804b64eb87a8761acbaa4c110f243b2f8d1da6
Instruction ID: f038f671510a84ad3075e5bdf839916f57c06cb2983cc429b0464087d07f2776
Opcode Fuzzy Hash: 97aac1fb68ea8477944543ae26804b64eb87a8761acbaa4c110f243b2f8d1da6
Instruction Fuzzy Hash: C1E03230E146298EDB64EB08CC80BE9B3B2FF84200F0042F1D40DA3242CA306E80CF82

Function 00007FFD348B46EF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf010af8b4258a77295bbc93523ea2aa9a463dabe5ec71be5a02ad79f26db052
Instruction ID: 439007ff29da14d07f37994ffc2936b0fb7be591beadb809772cbe529fa72523
Opcode Fuzzy Hash: cf010af8b4258a77295bbc93523ea2aa9a463dabe5ec71be5a02ad79f26db052
Instruction Fuzzy Hash: 05D01213B9DD0C0B4540558C7C521BCB3C1D7CA576750437BD44EC2248CD5A594342C3

Function 00007FFD348C4A5B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7082783ca35fa60ddfaadef411303b23ca57dd378696d3c9217729f5be02be45
Instruction ID: 7091a8fb7d00e87ddaf6b68ee8dcc85c97d3c79670528a43eefaee6cbcd6cb97
Opcode Fuzzy Hash: 7082783ca35fa60ddfaadef411303b23ca57dd378696d3c9217729f5be02be45
Instruction Fuzzy Hash: AEE0E671B187014B965CDA6CC5E6436B7E2EFC9614B10942DA5C7873A5CD34B8029582

Function 00007FFD348C3529 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb4ce1051bbdc934571b91c0c81265aab7d98d49a26799d2b74c45b6f963b10
Instruction ID: 75a139705f1337209862dc8364620c211c35db215192bd480443a0d929f0d1d1
Opcode Fuzzy Hash: 8fb4ce1051bbdc934571b91c0c81265aab7d98d49a26799d2b74c45b6f963b10
Instruction Fuzzy Hash: 6FD0A723F1CD160AF618711C54E603852C29BE7A907049237C95AE32C2DD0C2C0311C1

Function 00007FFD348C48C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e99ca91c09838f425d9f54d611566366d3865eed354694c5c90e645eae07e0
Instruction ID: d248576b6c6ecc2498abffcdbb255769c006b7f32cbe7c09efc3c95040509dff
Opcode Fuzzy Hash: e3e99ca91c09838f425d9f54d611566366d3865eed354694c5c90e645eae07e0
Instruction Fuzzy Hash: 00E0E6359097058FE354EB24C4945A673D2BF96345F114539D197C3351DE74F501DB41

Function 00007FFD348BDA87 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d528eb0f303922e7497cc7207d828343a3440fea37e6e8ab222acc72eca9a5
Instruction ID: 17a7e597beaf45038d56bd634b85651c54e716f544d821ab147ac76fe46a93bc
Opcode Fuzzy Hash: 31d528eb0f303922e7497cc7207d828343a3440fea37e6e8ab222acc72eca9a5
Instruction Fuzzy Hash: 41C02202B0CC4105E61811AC38B60B81AC0CBC6158B0500A7D098C82D1EC8D08C20082

Function 00007FFD348B4010 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02d03f13e013f8b75b81e241467fa0a2ed4627159014dbb68b4415471d60782
Instruction ID: 6ec3478c53449175c2347e76fda26a091cb3863e06d256e088908014ba1d890f
Opcode Fuzzy Hash: f02d03f13e013f8b75b81e241467fa0a2ed4627159014dbb68b4415471d60782
Instruction Fuzzy Hash: 11D0A73092A605DFC244FB3194D54297792FFC6305FF05978F44487395CABED4419781

Function 00007FFD348C476F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f8405551a42b4ab0df02eb01cab01b20743d7661b03130700b8ea0aa01964c
Instruction ID: 3f5297691e8b869851786387e32c106e05571cab4ea9264597e05529f4408462
Opcode Fuzzy Hash: 72f8405551a42b4ab0df02eb01cab01b20743d7661b03130700b8ea0aa01964c
Instruction Fuzzy Hash: 32D0123474C7058BC22C826CA46003471D3ABC6310314167D914BC3382CD6DAC835545

Function 00007FFD348B19DF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed8e2fdcda38b672fe051e5fead4ccbea870225cdab588cbae9f08a608db2db
Instruction ID: 7eba676093d74d0ca6007c49847f40b301ab7f8324c38f09e5fabbc217ca36b9
Opcode Fuzzy Hash: eed8e2fdcda38b672fe051e5fead4ccbea870225cdab588cbae9f08a608db2db
Instruction Fuzzy Hash: 42B09225E5084A4BDF10A5A874261E9365AAF85218F746871A81DCB546DEBAA9240280

Non-executed Functions

Function 00007FFD348B96F8 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d65a6dc78e14e370d04eff420c25d5d3b9589f87805cdf9d1c15c5c41825ac
Instruction ID: a53fefedee5fd4369c6aebfa410eae293d667d44dbfae505baff4b1d1d22107b
Opcode Fuzzy Hash: 63d65a6dc78e14e370d04eff420c25d5d3b9589f87805cdf9d1c15c5c41825ac
Instruction Fuzzy Hash: BAC18966A8E3C60FE35347744CB54947FB5AE1362032E11EBC5D4CB0E3DA4D580AEB62

Function 00007FFD348C39E9 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2172750354.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_MT Marine Tiger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c0d5ac85f9486024c2ed4ff127671ea40df689a313e91c1445d1c8fe187103
Instruction ID: 54b78dabb816d3722399a5bbc7388f94cf7ae0d0ce79403851676d6a5f2578dc
Opcode Fuzzy Hash: c8c0d5ac85f9486024c2ed4ff127671ea40df689a313e91c1445d1c8fe187103
Instruction Fuzzy Hash: 86412632A0D3850FD31E8A795DA60A17FF6DB8322071982EFD5C6CB1A7E5295C0B8391

Analysis Process: RegAsm.exePID: 6428, Parent PID: 1968COMMON

Executed Functions

Function 03069858 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9490b0653a8fa578e2349180464536c95dcbee3dbc7bb1b2341948bdcb3c24bf
Instruction ID: 59cebf4fc412335f1de4d9e5e0eaf8d91aa39bdf6558980d37a857e172063af7
Opcode Fuzzy Hash: 9490b0653a8fa578e2349180464536c95dcbee3dbc7bb1b2341948bdcb3c24bf
Instruction Fuzzy Hash: FB728270B01209DFCB15DF68C984AAEBBF6FF88310F158559E806AB7A9D734E941CB50

Function 03066108 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4027e8dcd6893ef9bbdac67c7de5d189a11642ae5fdf2ea8024d72ae92b78f
Instruction ID: 62d3b5907f306998037c3b7aba7a5008d89c0d47b44f3b9929a1a9c45c4875a1
Opcode Fuzzy Hash: 9d4027e8dcd6893ef9bbdac67c7de5d189a11642ae5fdf2ea8024d72ae92b78f
Instruction Fuzzy Hash: F712AC70A012198FDB14DFA9C854BAEBBF6FF88300F148569E44ADB399DB359D41CB90

Function 03063572 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a12543fb0ea5cdac16ed7fdfa8a0f577f3807a1b816853c4c5bc143113ac8fe
Instruction ID: 022b377ec7b4534775f8401db45cc98c6d52eb5f3fa3f90472fe0b4f53b6025e
Opcode Fuzzy Hash: 2a12543fb0ea5cdac16ed7fdfa8a0f577f3807a1b816853c4c5bc143113ac8fe
Instruction Fuzzy Hash: AE029F34F02258DFDB18DFB5D8509AEBBF6BFC8700B158569E406AB358CB359802CB91

Function 03066730 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c3accc5e2799b1cf94955a1b1e3ba310709bf1febdccd86442e9193b406375
Instruction ID: 14b575cc3b636249b6514135f63ab19a6fd6f7dc585384e46fb48ff3ed3a684a
Opcode Fuzzy Hash: a2c3accc5e2799b1cf94955a1b1e3ba310709bf1febdccd86442e9193b406375
Instruction Fuzzy Hash: 8E026070A01209DFCB54DFA9C984AAEBBF6FF88314F198469E405AB269D736DC41CF50

Function 0306B328 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa795bfe9d68d42ff301e698dfd23946bc74489366f87b2220fa6fc84b4b662e
Instruction ID: 14f100f00b753dc2f4beaaba1891213c98a965cac9f3d58cf901d648fe150b08
Opcode Fuzzy Hash: aa795bfe9d68d42ff301e698dfd23946bc74489366f87b2220fa6fc84b4b662e
Instruction Fuzzy Hash: 63E1E9B5E01618DFDB14CFAAC984A9DBBF2BF49310F158069E819AB365DB34E841CF50

Function 0306C190 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43d3f3b226c01490c27e7bb4a50f94cc08ab601f0999b187640a892911d2e1c
Instruction ID: 39237b81053ab8b4be500eb3c3a2ae2876dcbc5fbd4946b870d547a2222f95ea
Opcode Fuzzy Hash: d43d3f3b226c01490c27e7bb4a50f94cc08ab601f0999b187640a892911d2e1c
Instruction Fuzzy Hash: 7691D374E01218CFEB54DFAAD884A9DBBF2BF89300F14C069E859AB365DB749941CF50

Function 0306BEB0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc49b3f205b7a21f642f3dc21a86dd924e5bce16f8cc1d3ef1ce9aad26cc4ae
Instruction ID: 1b5a83f607c0eb02df58105f912304c22a65cbddc551436c8f353185ae56900a
Opcode Fuzzy Hash: dbc49b3f205b7a21f642f3dc21a86dd924e5bce16f8cc1d3ef1ce9aad26cc4ae
Instruction Fuzzy Hash: EA910674E01618CFEB14DFAAD884A9DBBF2BF89300F14C069E819AB365DB349941CF10

Function 0306C470 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd5b2c9f8c78d2caa51eb9711bc34ae9442a6cb232d21638e920dff49b1b924
Instruction ID: e8f1888f9d15dfec43d1b351589dfd2a87a9d9059212a5a0991735706e4b8099
Opcode Fuzzy Hash: 9bd5b2c9f8c78d2caa51eb9711bc34ae9442a6cb232d21638e920dff49b1b924
Instruction Fuzzy Hash: C181D374E01218DFEB58DFAAD884A9DBBF2BF89300F14D069E459AB365DB349941CF10

Function 0306BBD2 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d4625e775773f70145c8ba0c29cc7a84e994c56791eb0684b580dbe8eacaa0
Instruction ID: 4d33dad2ef446dea838f983a7fbd8ec70568bcd3acbc72c7a18f930a0e68299d
Opcode Fuzzy Hash: e4d4625e775773f70145c8ba0c29cc7a84e994c56791eb0684b580dbe8eacaa0
Instruction Fuzzy Hash: 1581B2B4E01218DFDB58DFAAD884A9DBBF2BF89310F14C069E419AB365DB349941CF10

Function 0306CA70 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb6dbdbcd3fb066360b2c608bd9813afe6edfa97328096fe4dc9468d4eb7918
Instruction ID: d764fa1b2d9abf3f573cfcdb8ca4e2ecda70a34cf5a54f5e65dfeee4f11e0423
Opcode Fuzzy Hash: 5eb6dbdbcd3fb066360b2c608bd9813afe6edfa97328096fe4dc9468d4eb7918
Instruction Fuzzy Hash: 5781D274E01218DFEB58DFAAD884A9DBBF2BF89310F14C069E459AB365DB349841CF10

Function 03064AD9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ea7b2c85198805037cc4e6c982cd14f7859a32f0808f24ba823a8c0b69dbb5
Instruction ID: eb852b820426fd093de968f26e5edf54430e84e4dff058a71b77c2333a682971
Opcode Fuzzy Hash: d2ea7b2c85198805037cc4e6c982cd14f7859a32f0808f24ba823a8c0b69dbb5
Instruction Fuzzy Hash: C081CF74E01218DFDB58DFAAD884A9DBBF2BF89310F14C069E819AB365DB349941CF10

Function 0306CD52 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a023e7442f62d21c12dc6b9a3f2a5a82b25533fd1f81891c4fae77544c716f0
Instruction ID: 40ddb44066db4ae5ea733e0e37cdee5f1e91ac78e539cf9e66bfb6f4b74b35b8
Opcode Fuzzy Hash: 2a023e7442f62d21c12dc6b9a3f2a5a82b25533fd1f81891c4fae77544c716f0
Instruction Fuzzy Hash: 1881C574E01218DFEB54DFAAD984A9DBBF2BF89300F14C069E459AB365DB349941CF10

Function 0306B4F2 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e6942d1290de192e5e85362387a3613514ee4b803a47b064b40622a303316a
Instruction ID: 8ed30b833c6cc4c242faa93403b1f14a82c3ba9949101272793246ff506d3bd6
Opcode Fuzzy Hash: 09e6942d1290de192e5e85362387a3613514ee4b803a47b064b40622a303316a
Instruction Fuzzy Hash: 2261B2B4E016189FDB58DFAAD984A9DBBF2FF89300F14C069E419AB365DB345941CF10

Function 030677F0 Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8082e575207b85fada914f07d8907a1d505bbcf9ad5515e1fc1f9ad15c0807
Instruction ID: 875074dcab4005007c629c8f442535b11a352d2e321b16d858151054436ee7a5
Opcode Fuzzy Hash: db8082e575207b85fada914f07d8907a1d505bbcf9ad5515e1fc1f9ad15c0807
Instruction Fuzzy Hash: 55523034A00219CFEB54DBA4C864BAEBBB6FF98301F1081A9C14A6B395CF355D85DF61

Function 030687E9 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d34b813d75f8fa2d67338a0448bdb88710f30c420c109a8944c2dbb67d9bae
Instruction ID: adec58f7d0091ec152af5deed47db954c8900313c48e861d921d104e9258c3ac
Opcode Fuzzy Hash: 76d34b813d75f8fa2d67338a0448bdb88710f30c420c109a8944c2dbb67d9bae
Instruction Fuzzy Hash: 6DF180703061018FDB69DB2DC958B3D77EAEF85700F1984AAE612CF3A9EA65CC81C751

Function 03066E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669ab9027b06bcaa1eafe40d13489c69915f43a9a8521dc369318824c95c25db
Instruction ID: 3224ee5bff4f02558f74b2f8323261f7a487b3d6f14406704d8c40e3985a53ec
Opcode Fuzzy Hash: 669ab9027b06bcaa1eafe40d13489c69915f43a9a8521dc369318824c95c25db
Instruction Fuzzy Hash: F1125C30A01209DFCB14DF68D884A9EBBF6FF89718F158599E909DB265D730ED41CB50

Function 0306A818 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b10b3c77f4973cdcd3640c5dd00aa8e18bc7cd4420d8e2372793d29381e50
Instruction ID: 72aa0e10cf265e26f186941fc574ae535110cecc16c99031e4737eff3e77da37
Opcode Fuzzy Hash: 7b3b10b3c77f4973cdcd3640c5dd00aa8e18bc7cd4420d8e2372793d29381e50
Instruction Fuzzy Hash: 65F119B5F016158FCB14DF6CC984AADBBF6BF88310B1A8099E515AB366CB35EC41CB50

Function 03060C8F Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4f69175439f64bf959a91d824cbea94220293f955ca092ff41070cc4ae3d40
Instruction ID: 622eb21f6339690c7339b2bf3b769e9616d00c84c5abee6b72f8b0c0a727e56c
Opcode Fuzzy Hash: 5c4f69175439f64bf959a91d824cbea94220293f955ca092ff41070cc4ae3d40
Instruction Fuzzy Hash: 2D22B074E0121ACFCB54EF68E894A9DBBB2FB49301F1082B9D84AA7314DB386D55CF40

Function 03060CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d8d192dc242718cc670462bee420d7c1663dec44d78cd3592387ed35120ac
Instruction ID: 383ed950ee90b222e0e4842274c7e9fc7aa0129d4f850fde49d5faf3509f0326
Opcode Fuzzy Hash: 620d8d192dc242718cc670462bee420d7c1663dec44d78cd3592387ed35120ac
Instruction Fuzzy Hash: B422B075E0121ACFCB54EF68E894A9DBBB2FB49301F1082B9D94AA7314DB386D55CF40

Function 030656A8 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af608c8633d30b9828e38357ffdd8670aab008ccd153ef0a41fb4243fb97136c
Instruction ID: d582364f90fab1734faaef955385d3074f7bc18603c585a76291d0799d5b8a65
Opcode Fuzzy Hash: af608c8633d30b9828e38357ffdd8670aab008ccd153ef0a41fb4243fb97136c
Instruction Fuzzy Hash: 2BB1CF317062148FDB15EF28DC58B3E7BE6AB8A310F198969E446CB399DB38CC41C791

Function 03065C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244ce0a3970cc0e64b6eccf5dc7b212a5dc70fc785076ab83d74de5d2e9593c5
Instruction ID: 220dbf858f6db307cdc07a3b432d8b20f76f5aa6b35e3856c6adf13e7de853b6
Opcode Fuzzy Hash: 244ce0a3970cc0e64b6eccf5dc7b212a5dc70fc785076ab83d74de5d2e9593c5
Instruction Fuzzy Hash: D6818035B02506CFCB68DF69CC88AADB7F2FF8A214B188569D405DB3A9D731E841CB50

Function 03067438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1877304e2317681a83b3ecc48799a0b520ddc3865c05c5ec85aafe23d92ecbf
Instruction ID: 3c2d681af1a8ea24029ef2356be46b1ef6ec6180243a96f7d8f5b74824468ec7
Opcode Fuzzy Hash: f1877304e2317681a83b3ecc48799a0b520ddc3865c05c5ec85aafe23d92ecbf
Instruction Fuzzy Hash: 3A711C347012058FCB55DF2CC498AAD7BE5AF49B58F1900A9E846CB3B5DB74DC41CB91

Function 0306D36A Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ff9ff9e7abb8d839ee28edc42035eed66db0762410351975c9c67d20a98d3b
Instruction ID: b283c0042311f5f79f1faeba16c4e31834bc3fd131284e32aaa90986cc85fd21
Opcode Fuzzy Hash: 27ff9ff9e7abb8d839ee28edc42035eed66db0762410351975c9c67d20a98d3b
Instruction Fuzzy Hash: E651BA70122646DFD7143F24B5AC52B7FA9FB1F327B416E09E08E81098EB384459DB14

Function 0306D378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0058c0ec44964d15b0fe546ce084bbeb6d5a4341b9a7940cb27483edadc6a24
Instruction ID: 239736b88e9d2f63d9dac7f7c534d1a2643e4799975f0a9c974b6022bac78cd7
Opcode Fuzzy Hash: c0058c0ec44964d15b0fe546ce084bbeb6d5a4341b9a7940cb27483edadc6a24
Instruction Fuzzy Hash: 73519A7012264ADFD7243F24B5BC52B7FA9FB1F327B416E19E08E81098EB3844599B14

Function 03069241 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88c0eac21880e938fb7e37d8311748da6b93021393f9dc50ebb1bbbd8725a03
Instruction ID: fb1215d552f9e0577fae1d7db7daf30786673c59a0dcb576076bb9cbc2b570b1
Opcode Fuzzy Hash: b88c0eac21880e938fb7e37d8311748da6b93021393f9dc50ebb1bbbd8725a03
Instruction Fuzzy Hash: EB51DF71A01606DFCB21CF68D884AAFBBF5EF84311F1584A6E845D7319D730E916CBA1

Function 03069390 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7ed6cd456017fd45a0eb8c0059223b6738f918459d0624765d4ca372d81296
Instruction ID: ac93e12aa90e8711090b496df4e217c50d645ef81570deb3fd1be1d778c675b4
Opcode Fuzzy Hash: aa7ed6cd456017fd45a0eb8c0059223b6738f918459d0624765d4ca372d81296
Instruction Fuzzy Hash: 28518E347012159FDB10DF69C844BAFBBEAEB88350F188465E909CB799EB71CC41CB91

Function 0306D032 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c670fba3e233b941a7d2a688b712efaf24fb2a64fa886a03db8fa49daf06ffd3
Instruction ID: fd917f4738c36412cb8f944c32d1e30cfa00bf30802ca0a9c89827b51f9b4dda
Opcode Fuzzy Hash: c670fba3e233b941a7d2a688b712efaf24fb2a64fa886a03db8fa49daf06ffd3
Instruction Fuzzy Hash: 58518175E01218DFDB58DFA9D9849DDBBF2BF89310F24816AE819AB364DB319805CF00

Function 03063908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ab3a3ab41d831d2c400d6abd467d316c45e801e3770b285c1646fe30d999dc
Instruction ID: dfddc8b8f6d8a76817f8fae936ccc44c8e434df7e0403f257d2ae0d1b8a001c5
Opcode Fuzzy Hash: 94ab3a3ab41d831d2c400d6abd467d316c45e801e3770b285c1646fe30d999dc
Instruction Fuzzy Hash: 07519079E01248DFCB08DFA9D99499DBBF2FF89300B209469E805AB364DB35AD51CF50

Function 0306A650 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b971d4d3fb804d6570a8aef07c6e1f9fc62d42cd11d70c8425636e9bf4b0c05
Instruction ID: 77fc07fd8f7fd55e747ae6a54d8a8f0692d738864cc875725b3aa89e87a00549
Opcode Fuzzy Hash: 1b971d4d3fb804d6570a8aef07c6e1f9fc62d42cd11d70c8425636e9bf4b0c05
Instruction Fuzzy Hash: 6B41E0767013089FCB14EB69D854AAE7BF6FFC9210F148069E906E7385CE359C01CBA1

Function 03069A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6329930498af57055bd93f63fcdfb0a52f97dc3f1f6ccb1df210bac1abe681d
Instruction ID: 90c874caf7e443a54cc7a0a257161c15ecc9f227cde84ade743f0387a562542c
Opcode Fuzzy Hash: d6329930498af57055bd93f63fcdfb0a52f97dc3f1f6ccb1df210bac1abe681d
Instruction Fuzzy Hash: 0B41C031A05249DFCF11CFA8C844A9DBFF6AF8A310F048596E8159B699D335E950CBA0

Function 03063428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641be350d989f8abacd47ff4b8dccc3047737c3a4ff6e3f2d0ac00851faf43cb
Instruction ID: 241b712aa7a7c6ec9b33effbedb4c2b0bf09ca1e2ce0bc6aeb2e8f3b8d6815e5
Opcode Fuzzy Hash: 641be350d989f8abacd47ff4b8dccc3047737c3a4ff6e3f2d0ac00851faf43cb
Instruction Fuzzy Hash: 70310639B023148BDB59DA6948A427EE5EAABC1210F0C44BDD806C77A8DF74CC4087E1

Function 03064DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b11720a43e168b9dbdfce776856129ad4393bbe8224f792567d2172235fac3e
Instruction ID: ca2504606b2856ef0177cd91c8fdcefc8a14553b1b86f0f044315562171c502f
Opcode Fuzzy Hash: 1b11720a43e168b9dbdfce776856129ad4393bbe8224f792567d2172235fac3e
Instruction Fuzzy Hash: AE31803170221A9FCB45EFA9D454AAF7BE6FF48204F144425F95687298CB38CC61CBA0

Function 030676D0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db17dfc8efa49398be5b0b652ae57f3e6866f3e374df20d7c948e40a94d2543
Instruction ID: 1913e907278697136974e420f8ebce0ff86e00ad357a256cfd2a55236c68c501
Opcode Fuzzy Hash: 4db17dfc8efa49398be5b0b652ae57f3e6866f3e374df20d7c948e40a94d2543
Instruction Fuzzy Hash: 0921B3343022014BDB2497399C94A7F36DBAFC8E1DB1840B9E606CB79CEE24CC42E780

Function 030676E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e1fbdfd92cb088fc23d7dbe1e279ca28773e0268168246a39a8354db1c1e91
Instruction ID: 947f9d0f60ec778c9a9cdbf748a3bde017ab128e0c3a2496743e1dfea33c0c1e
Opcode Fuzzy Hash: 87e1fbdfd92cb088fc23d7dbe1e279ca28773e0268168246a39a8354db1c1e91
Instruction Fuzzy Hash: 8B21B3383022054BEB24A7258854A3F36DBAFC8F1CF1840B8D606CB79CEE25CC81E780

Function 0306A809 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a54041af71dac5219ab5682d0078ac066e521e8ea7c99edc039b291742fcf2
Instruction ID: 0a45e1be82fdcba16abce961246e2f306ee019d397662d80ca934918c4063343
Opcode Fuzzy Hash: 25a54041af71dac5219ab5682d0078ac066e521e8ea7c99edc039b291742fcf2
Instruction Fuzzy Hash: AC315EB1F015068FCB04DF6DC888AAEB7F6BF85350B258159E515A73A9CB34DC42CBA0

Function 03062060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720074337bb9614726c7b400946ef30ea30c50c50a0677696e8875ac22a8060d
Instruction ID: ff64eb0ffb2de97cc02f18b2174147fc63370f7f261d1edea5b4d09438ff81ad
Opcode Fuzzy Hash: 720074337bb9614726c7b400946ef30ea30c50c50a0677696e8875ac22a8060d
Instruction Fuzzy Hash: 97210331A011069FCF14DF24D8409AE77A9EBD9350F50C8ADE80A9B384DB35EE42CBD1

Function 03065A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab11ef72b6c81edfc3e42f707906b6f8dbca6b05d908be43a065126d84d769
Instruction ID: 708bed07ed25ac957f7fd218a7dca67acca0eb6b6f0382546b0749db09bce1a1
Opcode Fuzzy Hash: b5ab11ef72b6c81edfc3e42f707906b6f8dbca6b05d908be43a065126d84d769
Instruction Fuzzy Hash: AF21A135702A128BC729EB29CCA452EB396FF896517184579E806DB348CF34DC02CBC0

Function 0306D5B9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6375fc27c7a723aa7f7d0b7f997322704676d794e2ae47c54baa9a0c151a99
Instruction ID: c363f0ea9b805c9b0a260250b81ded34c7f31c4f31dbe77e9a687869190e695f
Opcode Fuzzy Hash: 3b6375fc27c7a723aa7f7d0b7f997322704676d794e2ae47c54baa9a0c151a99
Instruction Fuzzy Hash: 29213931D11619DECB10EFE8E8546ECFBB4FF4A300F409629E81877254EB34AA59CB90

Function 0306D6B7 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd92feb06af1fa8a72500ec6370a4be793170bf86df2693fcc463475b725ff8
Instruction ID: b5db5f23a08bed519bc538ad2b409fc6269a4039319b1099eb2b2910449a435c
Opcode Fuzzy Hash: 9bd92feb06af1fa8a72500ec6370a4be793170bf86df2693fcc463475b725ff8
Instruction Fuzzy Hash: DF21F375E422198FDB18EFB0D850AEEB7B2FB89305F10A529C41177394CB399842CE54

Function 0306215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3bfab705b0781d61ae3a76cfc0beb46c5af6638583f3f1393b9f663530d8a9
Instruction ID: f626a25e4028564f066ffd06a614c30c96af48b9e83b594a2be54f398f4513c6
Opcode Fuzzy Hash: 6a3bfab705b0781d61ae3a76cfc0beb46c5af6638583f3f1393b9f663530d8a9
Instruction Fuzzy Hash: 5B117B32E093899FCB02DBB89C008DEFB34FF86310B258796E566B7191EA355805C791

Function 030639ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311fc6199afc439e07a49b9aaa9a8de9c3e9a470978643be6e6f13afcc989b7b
Instruction ID: d3d7e877077a89825119060184f98665d4e13440f6275c7e0e135965b7754529
Opcode Fuzzy Hash: 311fc6199afc439e07a49b9aaa9a8de9c3e9a470978643be6e6f13afcc989b7b
Instruction Fuzzy Hash: 48318078E12248CFCB44EFA8E59489DBBB2FF49305B2044A9E809AB324D735AD55CF41

Function 03064DB9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f848944af9c6cd9ea61a44ae670a53d9b0b8c53ecf7d4c4fffc709aead5d175
Instruction ID: 23a50c02080a92449e93731c5e3496d1c48002b1806b6268f08a2448493a66ba
Opcode Fuzzy Hash: 8f848944af9c6cd9ea61a44ae670a53d9b0b8c53ecf7d4c4fffc709aead5d175
Instruction Fuzzy Hash: 36219D317462099FCB15EF69D444B6B3BE6EB48614F144469E9468B288CB38CC55CBE0

Function 03068EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec902f5f512a4730d58d7240267373bc2e36b7e8591d97dbb3a32d14e0651cfd
Instruction ID: 781e82cc5ac9cdd097e209b5f028ae398333e4508a3aae36913524a4b091237f
Opcode Fuzzy Hash: ec902f5f512a4730d58d7240267373bc2e36b7e8591d97dbb3a32d14e0651cfd
Instruction Fuzzy Hash: 28214B70E02259DFDB05CFA5E454AAEBFFAEF48304F14C069E451B6294DB35D901CB60

Function 0306D6C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeaa888b15d38a9a119b6bcf80b078f62c062f7223c092d89f9868755b4fa6dc
Instruction ID: 8ba514dbd79bd9be0dae1ce5ef76a80ac37e11e85d7374918435bacf10e45d20
Opcode Fuzzy Hash: eeaa888b15d38a9a119b6bcf80b078f62c062f7223c092d89f9868755b4fa6dc
Instruction Fuzzy Hash: 90210374E022098BDB08EFB5D850AEEB7B6FB8A305F10A469C41577394CB399C41CF68

Function 03061F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7a4f687f42f4554270170e2c6ccc457f0256201ffdc29175acf39c27c21c42
Instruction ID: d9e5aa2f8b1fe302fac2e6bb7d8bb8cf71aa86c5e0bb906b8b6edd98324ed25a
Opcode Fuzzy Hash: ff7a4f687f42f4554270170e2c6ccc457f0256201ffdc29175acf39c27c21c42
Instruction Fuzzy Hash: EC214370C056498FCB01EFB8D4985EEBFF0BF4A310F1441AAC441B6258EB341A44CBA2

Function 03061F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c192dff630a0f95bc71b45fe5dcde4fc01f93f91ba231044dc6fd1692017b
Instruction ID: d945b4fe72c7b8593c3bd0f10fc34c245edafd7719d236aad9a2c503eed64673
Opcode Fuzzy Hash: ef1c192dff630a0f95bc71b45fe5dcde4fc01f93f91ba231044dc6fd1692017b
Instruction Fuzzy Hash: 1C21C2B4C0160A8FDB40EFA8D8456EEBFF4FB49311F50856AD805B2214EB341A46CFA1

Function 03065607 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59c7df1f118961f2aa901312f8675caca61e2124f5e2acd5852a7c5e6fc6342
Instruction ID: 905f2356ccb5216f2bcd46d7fb2e1c0a5ba71fb31e5d9d732d65bf0ee07b6943
Opcode Fuzzy Hash: f59c7df1f118961f2aa901312f8675caca61e2124f5e2acd5852a7c5e6fc6342
Instruction Fuzzy Hash: 2101F9727012156FCB01DF69DC00AEE7FE6DBD9251B19806AF505D7284CA718C02CBA0

Function 03069709 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47008b7ee785be11bc01659e7e1afd8c5bce670a29fc0e17f4b6515f6f86d8a2
Instruction ID: 0eddc62d9e4b4e4b955033e931b5d9da379ed0574a6cf4426ea0805fbcc98418
Opcode Fuzzy Hash: 47008b7ee785be11bc01659e7e1afd8c5bce670a29fc0e17f4b6515f6f86d8a2
Instruction Fuzzy Hash: 26012C79A052199FEB44DEA8DC80BFFB7E9EB88310F048429E501DB245D635D9418BA0

Function 03062010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fff501df716d8af10afd48c702a5a7867c2a377bcb2d4b8b6ad0924f27f0930
Instruction ID: 48ee068fce460f799b7695533053f4f040a795cd67540f904bb06f1e001d5f1a
Opcode Fuzzy Hash: 7fff501df716d8af10afd48c702a5a7867c2a377bcb2d4b8b6ad0924f27f0930
Instruction Fuzzy Hash: 4DE0D836C1136757CB02A761E8015DEBB34EFA2210F4451A6D81027042FBB0261E83A1

Function 03062020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575b7641f5de22e28a637054fc2367d963ee4d5522586762f30d20ed5e401514
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 575b7641f5de22e28a637054fc2367d963ee4d5522586762f30d20ed5e401514
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 03068258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: b0001fce57a27a29d4e1559f1665197028aa6c6ef41b6c254e4a392e03c3acb9
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 00C08C3320E1382AE634908FBC40EB7BB8CC3C13F4A294177FA1CE3200A8429C8001F9

Function 0306A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e775370eb9b2ce233a7be4a60a15e56e4bf382744874d4d1a49539a0b4a5690
Instruction ID: 5706d1acf2c2c28b7090a22a73beb26fb0358d57c00b118645b319b55bd988ea
Opcode Fuzzy Hash: 0e775370eb9b2ce233a7be4a60a15e56e4bf382744874d4d1a49539a0b4a5690
Instruction Fuzzy Hash: 87D0677BB411089FDF049F99E8409DDB7B6FB9C221B448116E915A3265C6319921DB60

Function 03065EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb59e782fb07004077c9223a2feb94a73260c0846348f81a2eaf9665152b2c0
Instruction ID: 13cac6bc125c2676e245b611ae3fa2cc9103289c0d4820c26a964722b44a7d79
Opcode Fuzzy Hash: aeb59e782fb07004077c9223a2feb94a73260c0846348f81a2eaf9665152b2c0
Instruction Fuzzy Hash: 9FD02B305083878BC322F738F8541543F75B982308F8085F9E8444B407FE7C5C188352

Function 03065EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2904790506.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3060000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b251ffa0bdbeaa40ba4560ac5f2343f67cd8a54b6b8456cde534f94e485d21
Instruction ID: 8a9d63089e51cd03c25bf2e7977f1c49bdcb7a78c2c1fe44e09d7d2f2a3c177c
Opcode Fuzzy Hash: 02b251ffa0bdbeaa40ba4560ac5f2343f67cd8a54b6b8456cde534f94e485d21
Instruction Fuzzy Hash: 16C0123060070BC7D515FB79F958695377AF6C0308F408578A10907516EFBC9C544790

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MT Marine Tiger.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MT Marine Tiger._b1fc61aa0f0ff659922dc1f816562af76c8bcc3_d4dd14a2_f9207a17-8494-4b79-9815-4bb98abb0750\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DB1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EEB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F3A.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
MT Marine Tiger.exe