Edit tour

Windows Analysis Report
scan copy.exe

Overview

General Information

Sample name:	scan copy.exe
Analysis ID:	1465193
MD5:	70081b623e77616333b19e7bc186dd66
SHA1:	bc730c03095bbb3fb85773d564774b7fa2a4f2c9
SHA256:	90c2430071000bba0378a0e404c636df13958a02fa97b4ed19c1230da402da8f
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

scan copy.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\scan copy.exe" MD5: 70081B623E77616333B19E7BC186DD66)

scan copy.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\scan copy.exe" MD5: 70081B623E77616333B19E7BC186DD66)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6660014548:AAH8CVYDbJ7NB6q8RItwZQxjcAXTPkK63gc/sendMessage?chat_id=2142414120"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1476a:$a1: get_encryptedPassword 0x14a56:$a2: get_encryptedUsername 0x14576:$a3: get_timePasswordChanged 0x14671:$a4: get_passwordField 0x14780:$a5: set_encryptedPassword 0x15d5d:$a7: get_logins 0x15cc0:$a10: KeyLoggerEventArgs 0x15959:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x196c8:$x1: $%SMTPDV$ 0x180ac:$x2: $#TheHashHere%& 0x19670:$x3: %FTPDV$ 0x1804c:$x4: $%TelegramDv$ 0x15959:$x5: KeyLoggerEventArgs 0x15cc0:$x5: KeyLoggerEventArgs 0x19694:$m2: Clipboard Logs ID 0x198d2:$m2: Screenshot Logs ID 0x199e2:$m2: keystroke Logs ID 0x19cbc:$m3: SnakePW 0x198aa:$m4: \SnakeKeylogger\
00000002.00000002.3846637840.0000000003742000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe0be2:$a1: get_encryptedPassword 0x101222:$a1: get_encryptedPassword 0x12165a:$a1: get_encryptedPassword 0xe0ece:$a2: get_encryptedUsername 0x10150e:$a2: get_encryptedUsername 0x121946:$a2: get_encryptedUsername 0xe09ee:$a3: get_timePasswordChanged 0x10102e:$a3: get_timePasswordChanged 0x121466:$a3: get_timePasswordChanged 0xe0ae9:$a4: get_passwordField 0x101129:$a4: get_passwordField 0x121561:$a4: get_passwordField 0xe0bf8:$a5: set_encryptedPassword 0x101238:$a5: set_encryptedPassword 0x121670:$a5: set_encryptedPassword 0xe21d5:$a7: get_logins 0x102815:$a7: get_logins 0x122c4d:$a7: get_logins 0xe2138:$a10: KeyLoggerEventArgs 0x102778:$a10: KeyLoggerEventArgs 0x122bb0:$a10: KeyLoggerEventArgs
00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe5b40:$x1: $%SMTPDV$ 0x106180:$x1: $%SMTPDV$ 0x1265b8:$x1: $%SMTPDV$ 0xe4524:$x2: $#TheHashHere%& 0x104b64:$x2: $#TheHashHere%& 0x124f9c:$x2: $#TheHashHere%& 0xe5ae8:$x3: %FTPDV$ 0x106128:$x3: %FTPDV$ 0x126560:$x3: %FTPDV$ 0xe44c4:$x4: $%TelegramDv$ 0x104b04:$x4: $%TelegramDv$ 0x124f3c:$x4: $%TelegramDv$ 0xe1dd1:$x5: KeyLoggerEventArgs 0xe2138:$x5: KeyLoggerEventArgs 0x102411:$x5: KeyLoggerEventArgs 0x102778:$x5: KeyLoggerEventArgs 0x122849:$x5: KeyLoggerEventArgs 0x122bb0:$x5: KeyLoggerEventArgs 0xe5b0c:$m2: Clipboard Logs ID 0xe5d4a:$m2: Screenshot Logs ID 0xe5e5a:$m2: keystroke Logs ID
00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: scan copy.exe PID: 7260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: scan copy.exe PID: 7260	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: scan copy.exe PID: 7260	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45c1f:$a1: get_encryptedPassword 0x45f01:$a2: get_encryptedUsername 0x45a35:$a3: get_timePasswordChanged 0x45b30:$a4: get_passwordField 0x45c35:$a5: set_encryptedPassword 0x48047:$a7: get_logins 0x47faa:$a10: KeyLoggerEventArgs 0x47c43:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: scan copy.exe PID: 7260	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x47c43:$x5: KeyLoggerEventArgs 0x47faa:$x5: KeyLoggerEventArgs 0x4855e:$x5: KeyLoggerEventArgs 0x48892:$x5: KeyLoggerEventArgs 0x4a15e:$m2: Clipboard Logs ID 0x4a264:$m2: Screenshot Logs ID 0x4a2ba:$m2: keystroke Logs ID 0x4a3ef:$m3: SnakePW 0x4a250:$m4: \SnakeKeylogger\
Process Memory Space: scan copy.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: scan copy.exe PID: 7344	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: scan copy.exe PID: 7344	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2807e:$a1: get_encryptedPassword 0x28360:$a2: get_encryptedUsername 0x27e94:$a3: get_timePasswordChanged 0x27f8f:$a4: get_passwordField 0x28094:$a5: set_encryptedPassword 0x2a4a6:$a7: get_logins 0x2a409:$a10: KeyLoggerEventArgs 0x2a0a2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: scan copy.exe PID: 7344	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2a0a2:$x5: KeyLoggerEventArgs 0x2a409:$x5: KeyLoggerEventArgs 0x2a9bd:$x5: KeyLoggerEventArgs 0x2acf1:$x5: KeyLoggerEventArgs 0x2c5bd:$m2: Clipboard Logs ID 0x2c6c3:$m2: Screenshot Logs ID 0x2c719:$m2: keystroke Logs ID 0x2c84e:$m3: SnakePW 0x2c6af:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.scan copy.exe.13d31278.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.scan copy.exe.13d31278.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.scan copy.exe.13d31278.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b6a:$a1: get_encryptedPassword 0x12e56:$a2: get_encryptedUsername 0x12976:$a3: get_timePasswordChanged 0x12a71:$a4: get_passwordField 0x12b80:$a5: set_encryptedPassword 0x1415d:$a7: get_logins 0x140c0:$a10: KeyLoggerEventArgs 0x13d59:$a11: KeyLoggerEventArgsEventHandler
0.2.scan copy.exe.13d31278.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a47e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ae3:$a4: \Orbitum\User Data\Default\Login Data 0x1ab22:$a5: \Kometa\User Data\Default\Login Data
0.2.scan copy.exe.13d31278.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136e6:$s1: UnHook 0x136ed:$s2: SetHook 0x136f5:$s3: CallNextHook 0x13702:$s4: _hook
0.2.scan copy.exe.13d31278.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ac8:$x1: $%SMTPDV$ 0x164ac:$x2: $#TheHashHere%& 0x17a70:$x3: %FTPDV$ 0x1644c:$x4: $%TelegramDv$ 0x13d59:$x5: KeyLoggerEventArgs 0x140c0:$x5: KeyLoggerEventArgs 0x17a94:$m2: Clipboard Logs ID 0x17cd2:$m2: Screenshot Logs ID 0x17de2:$m2: keystroke Logs ID 0x180bc:$m3: SnakePW 0x17caa:$m4: \SnakeKeylogger\
0.2.scan copy.exe.13d518b8.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.scan copy.exe.13d518b8.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.scan copy.exe.13d518b8.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b6a:$a1: get_encryptedPassword 0x12e56:$a2: get_encryptedUsername 0x12976:$a3: get_timePasswordChanged 0x12a71:$a4: get_passwordField 0x12b80:$a5: set_encryptedPassword 0x1415d:$a7: get_logins 0x140c0:$a10: KeyLoggerEventArgs 0x13d59:$a11: KeyLoggerEventArgsEventHandler
0.2.scan copy.exe.13d518b8.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a47e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ae3:$a4: \Orbitum\User Data\Default\Login Data 0x1ab22:$a5: \Kometa\User Data\Default\Login Data
0.2.scan copy.exe.13d518b8.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136e6:$s1: UnHook 0x136ed:$s2: SetHook 0x136f5:$s3: CallNextHook 0x13702:$s4: _hook
0.2.scan copy.exe.13d518b8.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ac8:$x1: $%SMTPDV$ 0x164ac:$x2: $#TheHashHere%& 0x17a70:$x3: %FTPDV$ 0x1644c:$x4: $%TelegramDv$ 0x13d59:$x5: KeyLoggerEventArgs 0x140c0:$x5: KeyLoggerEventArgs 0x17a94:$m2: Clipboard Logs ID 0x17cd2:$m2: Screenshot Logs ID 0x17de2:$m2: keystroke Logs ID 0x180bc:$m3: SnakePW 0x17caa:$m4: \SnakeKeylogger\
2.2.scan copy.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.scan copy.exe.140000000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.scan copy.exe.140000000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1496a:$a1: get_encryptedPassword 0x14c56:$a2: get_encryptedUsername 0x14776:$a3: get_timePasswordChanged 0x14871:$a4: get_passwordField 0x14980:$a5: set_encryptedPassword 0x15f5d:$a7: get_logins 0x15ec0:$a10: KeyLoggerEventArgs 0x15b59:$a11: KeyLoggerEventArgsEventHandler
2.2.scan copy.exe.140000000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8e3:$a4: \Orbitum\User Data\Default\Login Data 0x1c922:$a5: \Kometa\User Data\Default\Login Data
2.2.scan copy.exe.140000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154e6:$s1: UnHook 0x154ed:$s2: SetHook 0x154f5:$s3: CallNextHook 0x15502:$s4: _hook
2.2.scan copy.exe.140000000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c8:$x1: $%SMTPDV$ 0x182ac:$x2: $#TheHashHere%& 0x19870:$x3: %FTPDV$ 0x1824c:$x4: $%TelegramDv$ 0x15b59:$x5: KeyLoggerEventArgs 0x15ec0:$x5: KeyLoggerEventArgs 0x19894:$m2: Clipboard Logs ID 0x19ad2:$m2: Screenshot Logs ID 0x19be2:$m2: keystroke Logs ID 0x19ebc:$m3: SnakePW 0x19aaa:$m4: \SnakeKeylogger\
0.2.scan copy.exe.13d518b8.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.scan copy.exe.13d518b8.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.scan copy.exe.13d518b8.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1496a:$a1: get_encryptedPassword 0x34da2:$a1: get_encryptedPassword 0x14c56:$a2: get_encryptedUsername 0x3508e:$a2: get_encryptedUsername 0x14776:$a3: get_timePasswordChanged 0x34bae:$a3: get_timePasswordChanged 0x14871:$a4: get_passwordField 0x34ca9:$a4: get_passwordField 0x14980:$a5: set_encryptedPassword 0x34db8:$a5: set_encryptedPassword 0x15f5d:$a7: get_logins 0x36395:$a7: get_logins 0x15ec0:$a10: KeyLoggerEventArgs 0x362f8:$a10: KeyLoggerEventArgs 0x15b59:$a11: KeyLoggerEventArgsEventHandler 0x35f91:$a11: KeyLoggerEventArgsEventHandler
0.2.scan copy.exe.13d518b8.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154e6:$s1: UnHook 0x3591e:$s1: UnHook 0x154ed:$s2: SetHook 0x35925:$s2: SetHook 0x154f5:$s3: CallNextHook 0x3592d:$s3: CallNextHook 0x15502:$s4: _hook 0x3593a:$s4: _hook
0.2.scan copy.exe.13d518b8.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c8:$x1: $%SMTPDV$ 0x39d00:$x1: $%SMTPDV$ 0x182ac:$x2: $#TheHashHere%& 0x386e4:$x2: $#TheHashHere%& 0x19870:$x3: %FTPDV$ 0x39ca8:$x3: %FTPDV$ 0x1824c:$x4: $%TelegramDv$ 0x38684:$x4: $%TelegramDv$ 0x15b59:$x5: KeyLoggerEventArgs 0x15ec0:$x5: KeyLoggerEventArgs 0x35f91:$x5: KeyLoggerEventArgs 0x362f8:$x5: KeyLoggerEventArgs 0x19894:$m2: Clipboard Logs ID 0x19ad2:$m2: Screenshot Logs ID 0x19be2:$m2: keystroke Logs ID 0x39ccc:$m2: Clipboard Logs ID 0x39f0a:$m2: Screenshot Logs ID 0x3a01a:$m2: keystroke Logs ID 0x19ebc:$m3: SnakePW 0x3a2f4:$m3: SnakePW 0x19aaa:$m4: \SnakeKeylogger\
0.2.scan copy.exe.13d31278.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.scan copy.exe.13d31278.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.scan copy.exe.13d31278.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1496a:$a1: get_encryptedPassword 0x34faa:$a1: get_encryptedPassword 0x553e2:$a1: get_encryptedPassword 0x14c56:$a2: get_encryptedUsername 0x35296:$a2: get_encryptedUsername 0x556ce:$a2: get_encryptedUsername 0x14776:$a3: get_timePasswordChanged 0x34db6:$a3: get_timePasswordChanged 0x551ee:$a3: get_timePasswordChanged 0x14871:$a4: get_passwordField 0x34eb1:$a4: get_passwordField 0x552e9:$a4: get_passwordField 0x14980:$a5: set_encryptedPassword 0x34fc0:$a5: set_encryptedPassword 0x553f8:$a5: set_encryptedPassword 0x15f5d:$a7: get_logins 0x3659d:$a7: get_logins 0x569d5:$a7: get_logins 0x15ec0:$a10: KeyLoggerEventArgs 0x36500:$a10: KeyLoggerEventArgs 0x56938:$a10: KeyLoggerEventArgs
0.2.scan copy.exe.13d31278.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154e6:$s1: UnHook 0x35b26:$s1: UnHook 0x55f5e:$s1: UnHook 0x154ed:$s2: SetHook 0x35b2d:$s2: SetHook 0x55f65:$s2: SetHook 0x154f5:$s3: CallNextHook 0x35b35:$s3: CallNextHook 0x55f6d:$s3: CallNextHook 0x15502:$s4: _hook 0x35b42:$s4: _hook 0x55f7a:$s4: _hook
0.2.scan copy.exe.13d31278.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c8:$x1: $%SMTPDV$ 0x39f08:$x1: $%SMTPDV$ 0x5a340:$x1: $%SMTPDV$ 0x182ac:$x2: $#TheHashHere%& 0x388ec:$x2: $#TheHashHere%& 0x58d24:$x2: $#TheHashHere%& 0x19870:$x3: %FTPDV$ 0x39eb0:$x3: %FTPDV$ 0x5a2e8:$x3: %FTPDV$ 0x1824c:$x4: $%TelegramDv$ 0x3888c:$x4: $%TelegramDv$ 0x58cc4:$x4: $%TelegramDv$ 0x15b59:$x5: KeyLoggerEventArgs 0x15ec0:$x5: KeyLoggerEventArgs 0x36199:$x5: KeyLoggerEventArgs 0x36500:$x5: KeyLoggerEventArgs 0x565d1:$x5: KeyLoggerEventArgs 0x56938:$x5: KeyLoggerEventArgs 0x19894:$m2: Clipboard Logs ID 0x19ad2:$m2: Screenshot Logs ID 0x19be2:$m2: keystroke Logs ID
Click to see the 23 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6660014548:AAH8CVYDbJ7NB6q8RItwZQxjcAXTPkK63gc/sendMessage?chat_id=2142414120"}

Multi AV Scanner detection for submitted file

Source: scan copy.exe	ReversingLabs: Detection: 26%
Source: scan copy.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: scan copy.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0

Source: scan copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B588DEDh	2_2_00007FFB4B588ACA
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B58A1ADh	2_2_00007FFB4B589F5B
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B58A7A0h	2_2_00007FFB4B589F5B
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B587F74h	2_2_00007FFB4B587D62
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B58A7A0h	2_2_00007FFB4B58A6BC
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B587BB9h	2_2_00007FFB4B587793
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 4x nop then jmp 00007FFB4B5889B5h	2_2_00007FFB4B5881EF

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: scan copy.exe, 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003642000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: scan copy.exe, 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003670000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: scan copy.exe

Static PE information: No import functions for PE file found

Source: scan copy.exe, 00000000.00000002.1406727100.0000000003B00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1406727100.0000000003B00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1409364424.000000001D1E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1406674340.0000000003640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1407555144.0000000013A71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiom.dll@ vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1406727100.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs scan copy.exe
Source: scan copy.exe, 00000000.00000002.1409031509.000000001C540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiom.dll@ vs scan copy.exe
Source: scan copy.exe, 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs scan copy.exe
Source: scan copy.exe	Binary or memory string: OriginalFilenamedcJt.exe6 vs scan copy.exe

Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: scan copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: scan copy.exe, SliderControl.cs

Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='

Source: scan copy.exe, 00000000.00000002.1403401756.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\scan copy.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scan copy.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Mutant created: NULL

Source: scan copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: scan copy.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\scan copy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: scan copy.exe, 00000002.00000002.3846637840.000000000381E000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3849382347.0000000013594000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000037EF000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000037E1000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.000000000382B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: scan copy.exe	ReversingLabs: Detection: 26%
Source: scan copy.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\scan copy.exe "C:\Users\user\Desktop\scan copy.exe"
Source: C:\Users\user\Desktop\scan copy.exe	Process created: C:\Users\user\Desktop\scan copy.exe "C:\Users\user\Desktop\scan copy.exe"
Source: C:\Users\user\Desktop\scan copy.exe	Process created: C:\Users\user\Desktop\scan copy.exe "C:\Users\user\Desktop\scan copy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: scan copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: scan copy.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: scan copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: scan copy.exe, PhotoBoothHome.cs

.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\scan copy.exe	Code function: 0_2_00007FFB4B5791C9 push E9FFFFFFh; iretd	0_2_00007FFB4B5791CF
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 0_2_00007FFB4B5704FA push ebx; iretd	0_2_00007FFB4B57058A
Source: C:\Users\user\Desktop\scan copy.exe	Code function: 0_2_00007FFB4B57057D push ebx; iretd	0_2_00007FFB4B57058A

Source: scan copy.exe

Static PE information: section name: .text entropy: 7.932942116726256

Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Memory allocated: 1BA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Memory allocated: 1B500000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599530	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597450	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597338	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597229	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597100	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596545	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595342	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594676	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Window / User API: threadDelayed 7882			Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Window / User API: threadDelayed 1978			Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7508	Thread sleep count: 7882 > 30	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7508	Thread sleep count: 1978 > 30	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597450s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597338s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597229s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -597100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -594676s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe TID: 7504	Thread sleep time: -594547s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599530	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597450	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597338	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597229	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 597100	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596545	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595342	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594676	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: scan copy.exe, 00000002.00000002.3845537333.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\scan copy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\scan copy.exe

Memory written: C:\Users\user\Desktop\scan copy.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\scan copy.exe

Thread register set: target process: 7344

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Process created: C:\Users\user\Desktop\scan copy.exe "C:\Users\user\Desktop\scan copy.exe"

Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe	Queries volume information: C:\Users\user\Desktop\scan copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Queries volume information: C:\Users\user\Desktop\scan copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\scan copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3846637840.0000000003742000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\scan copy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\scan copy.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\scan copy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.scan copy.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d518b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.scan copy.exe.13d31278.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3846637840.0000000003742000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: scan copy.exe PID: 7344, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
scan copy.exe	26%	ReversingLabs	Win32.Trojan.Generic
scan copy.exe	29%	Virustotal		Browse
scan copy.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org	1%	Virustotal		Browse
http://checkip.dyndns.com	0%	Virustotal		Browse
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33p	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	1%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Virustotal		Browse
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003670000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33p	scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	scan copy.exe, 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	scan copy.exe, 00000002.00000002.3846637840.0000000003732000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003642000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	scan copy.exe, 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3846637840.0000000003612000.00000004.00000800.00020000.00000000.sdmp, scan copy.exe, 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465193
Start date and time:	2024-07-01 12:24:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	scan copy.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 68% Number of executed functions: 101 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target scan copy.exe, PID 7260 because it is empty
Execution Graph export aborted for target scan copy.exe, PID 7344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:25:19	API Interceptor	13869789x Sleep call for process: scan copy.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.bat	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Sea Gull 9 Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Sea Gull 9 Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Commodity Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
188.114.97.3	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	DHL Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	640740cm.nyashka.top/providerEternalGameWindowstest.php
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/L69kvhYI/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/Txmfx0A2/download
	RITS Ref 3379-06.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/khvbX8Pe/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Renameme@1.xls	Get hash	malicious	Unknown	Browse	104.21.18.65
	Order 00293884800595.bat.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	https://oceanofgames.com/	Get hash	malicious	Unknown	Browse	172.67.213.70
	http://johnlewisfr.vip	Get hash	malicious	Unknown	Browse	104.26.13.204
	Renameme@1.xls	Get hash	malicious	Unknown	Browse	104.21.18.65
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Potwierdzenie zam#U00f3wienia.doc.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	https://0o2r8g.lotedes.com/iaxgkyg7/	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Setup-10.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
UTMEMUS	CDMZxujRpn.elf	Get hash	malicious	Mirai	Browse	132.192.25.142
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169
	LEpsypIZxU.elf	Get hash	malicious	Mirai, Moobot	Browse	128.169.91.82
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_20240625_082306_910668.bat.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	242010.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\scan copy.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5:	3C7E5782E6C100B90932CBDED08ADE42
SHA1:	D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256:	361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512:	3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.927498035897839
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	scan copy.exe
File size:	841'216 bytes
MD5:	70081b623e77616333b19e7bc186dd66
SHA1:	bc730c03095bbb3fb85773d564774b7fa2a4f2c9
SHA256:	90c2430071000bba0378a0e404c636df13958a02fa97b4ed19c1230da402da8f
SHA512:	1e34aa19d8299387e54fe9764ab9c5334a0b91049ed31a7333c3b1fbbeb43dd0b449eb7b538a64ae7c2ebc13dc2ed63e2a8a9667e0b472edff2d7dc50f2251d6
SSDEEP:	12288:cj2+TW+8LeXbSIrEPrWgeBG9BH79/UXQU4PIFQhIe8Gk1zesgqkkdR9CTt9XQo:cWLe+9oG9poQU47leeYkK9CTt9XQ
TLSH:	98050214B6499BAAD26F0FFD0D604845072D6B2B3320D7BF1EC862E9818678DE705E77
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....$.f.........."...0.................. .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	8008e01b49e40982

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x668224B4 [Mon Jul 1 03:38:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x18d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb9a8	0xcba00	3d6fc12a320b78d96ec064b6d122bd8a	False	0.8325120376764886	data	7.932942116726256	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x18d0	0x1a00	1923d2747ac559a3ac1324e9ea54768a	False	0.7791466346153846	data	7.034119856091495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xce0c8	0x1496	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8907020872865276
RT_GROUP_ICON	0xcf570	0x14	data	1.05
RT_VERSION	0xcf594	0x338	data	0.4381067961165049

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 12:25:20.720160961 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:20.725189924 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:20.725248098 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:20.725864887 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:20.731575966 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:25.857558966 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:25.865782976 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:25.872138023 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:29.174895048 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:29.200443983 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:29.206187963 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:31.001928091 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:31.036472082 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.036506891 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.036607027 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.049001932 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.049019098 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.057456970 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:31.633465052 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.633569956 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.639374018 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.639390945 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.639719009 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.682451010 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.692514896 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.740497112 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.805414915 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.805512905 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:31.805558920 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.809329987 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:31.812494993 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:31.817265034 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:34.116159916 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:34.119281054 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.119332075 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.119393110 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.119683027 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.119699955 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.166847944 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.589287043 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.590681076 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.590722084 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.738286018 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.738543034 CEST	443	49709	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:34.738604069 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.739274025 CEST	49709	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:34.742295027 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.743520021 CEST	49710	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.747452021 CEST	80	49707	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:34.747503042 CEST	49707	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.748322010 CEST	80	49710	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:34.748395920 CEST	49710	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.748677969 CEST	49710	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:34.754122019 CEST	80	49710	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:37.534995079 CEST	80	49710	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:37.536542892 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:37.536581039 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:37.536669970 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:37.537338018 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:37.537354946 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:37.588713884 CEST	49710	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:38.012253046 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:38.013243914 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:38.013267040 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:38.159202099 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:38.159457922 CEST	443	49713	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:38.159517050 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:38.159835100 CEST	49713	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:38.164207935 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:38.171308994 CEST	80	49714	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:38.171392918 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:38.171607018 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:38.177834034 CEST	80	49714	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:39.952022076 CEST	80	49714	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:39.953347921 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:39.953385115 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:39.953602076 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:39.953867912 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:39.953877926 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:39.994967937 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.662543058 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:40.663892984 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:40.663906097 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:40.791877031 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:40.792015076 CEST	443	49715	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:40.792079926 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:40.792608976 CEST	49715	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:40.796020031 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.797101021 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.801084042 CEST	80	49714	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:40.801146030 CEST	49714	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.801836967 CEST	80	49716	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:40.801908016 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.802009106 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:40.806788921 CEST	80	49716	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:41.602785110 CEST	80	49716	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:41.605782986 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:41.605818987 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:41.605906010 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:41.606158972 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:41.606168985 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:41.651228905 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.083527088 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:42.085004091 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:42.085022926 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:42.212232113 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:42.212333918 CEST	443	49717	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:42.212447882 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:42.213042974 CEST	49717	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:42.216384888 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.217566013 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.221957922 CEST	80	49716	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:42.222029924 CEST	49716	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.222440004 CEST	80	49718	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:42.222507954 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.222640038 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:42.227430105 CEST	80	49718	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:43.097995996 CEST	80	49718	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:43.099622965 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.099658012 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.099720955 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.100027084 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.100042105 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.151222944 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.568572998 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.569721937 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.569753885 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.694386005 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.694493055 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:43.694557905 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.701937914 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:43.720295906 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.720875978 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.728476048 CEST	80	49720	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:43.728570938 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.729218960 CEST	80	49718	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:43.729270935 CEST	49718	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.729681969 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:43.734519958 CEST	80	49720	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:44.541748047 CEST	80	49720	132.226.8.169	192.168.2.8
Jul 1, 2024 12:25:44.542936087 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:44.542980909 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:44.543085098 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:44.543292999 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:44.543306112 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:44.588722944 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:25:45.103230000 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:45.104986906 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:45.105004072 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:45.243004084 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:45.243104935 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 1, 2024 12:25:45.243154049 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:25:45.243680000 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 1, 2024 12:26:42.543081999 CEST	80	49710	132.226.8.169	192.168.2.8
Jul 1, 2024 12:26:42.543174982 CEST	49710	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:26:49.541465998 CEST	80	49720	132.226.8.169	192.168.2.8
Jul 1, 2024 12:26:49.541693926 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:27:24.557723045 CEST	49720	80	192.168.2.8	132.226.8.169
Jul 1, 2024 12:27:24.562643051 CEST	80	49720	132.226.8.169	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 12:25:20.702763081 CEST	62018	53	192.168.2.8	1.1.1.1
Jul 1, 2024 12:25:20.710649967 CEST	53	62018	1.1.1.1	192.168.2.8
Jul 1, 2024 12:25:31.023844004 CEST	56864	53	192.168.2.8	1.1.1.1
Jul 1, 2024 12:25:31.035911083 CEST	53	56864	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 12:25:20.702763081 CEST	192.168.2.8	1.1.1.1	0xcb9f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:31.023844004 CEST	192.168.2.8	1.1.1.1	0xc1ba	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:20.710649967 CEST	1.1.1.1	192.168.2.8	0xcb9f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:31.035911083 CEST	1.1.1.1	192.168.2.8	0xc1ba	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:25:31.035911083 CEST	1.1.1.1	192.168.2.8	0xc1ba	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:20.725864887 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 12:25:25.857558966 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02208433e095411cd3e314d3ef033805 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 12:25:25.865782976 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 12:25:29.174895048 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 01 Jul 2024 10:25:29 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: c4cc9fd69adf7b73a72e4f6f7c370fd8 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 1, 2024 12:25:29.200443983 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 12:25:31.001928091 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 16708467801121b14a344517c4316595 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 12:25:31.812494993 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 12:25:34.116159916 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 14295a61e420d5c0867e23b90101fae4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:34.748677969 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 12:25:37.534995079 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29fe0b0a57b2ca1c08eb47a40e85b445 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:38.171607018 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 12:25:39.952022076 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 499bc6df4645aa694a2c28f378b45fdc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:40.802009106 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 12:25:41.602785110 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e610a084d1c9926c4fff398b7e71c18 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:42.222640038 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 12:25:43.097995996 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dcb04047f328a90d412da434f2328cb3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49720	132.226.8.169	80	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:25:43.729681969 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 12:25:44.541748047 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cd285ae9f91736f7b07bf2ba641181f0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 10:25:31 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72095 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SLfudij54aUnCiobrHN0AMpwvpfZ34%2BK1HZdr2io9Ta7yWq38eRd57O3G6NqVcRxvNJVT5lURSe9PZZ59p%2BPckxDGd3nbywGUXJdMXqTFN4YnMMLAP2xYBDQqH7QlibYtQQrj1Yt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b14d6af30fa5-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:34 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 10:25:34 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72098 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oiiU%2FczmSODTUsz%2BoFrlrkszqVRmDCiGYwNOWYQN9oHqOcDN%2Fl4kTZLduOqG8%2B6%2BjxJRBvCwHVdypboyOC7ncPJ24VoC6dyZa79OtaQHJg4HDtyFUH7yDyz6Y53%2BgibmIzcYE7La"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b15fcbcc191b-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:38 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 10:25:38 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:38 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72102 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k8WGxUdvDGKl%2B01T79nS83BpcCDwSo%2B26aS44URkekonMPGDp1GTbP%2B5gAE7tplLJioAaFwT0n3bsO6PFv0vztzQk5USM3v283xq9ZzGGu%2BKzyVSUTUgwVjPeRzwcAAIB8WmVXR4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b175298d42d5-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49715	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 10:25:40 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72104 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKZtAjwEMdxnvNtaPLWth%2FCIRtuhGXvg2llMd0TsAiuli4hGrRUvvRL8FwS2lWe1tjmo2%2FGkhTlY97idBUiKtfXitJmkPPgPVMUN2eOAJH3fdb2jeJolP0XlT3s47zFRilLAkpVd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b1859c7072a5-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:42 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 10:25:42 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:42 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72106 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZV%2BI8kV9TWjNB8HDuW9qA1lOh9VQxBHECPSOJBrosFei6pqk5xnFlGdho%2Bw0zcS3sPBFS1kpjXlf%2B7GUaZqABnxCo%2BacWGezODqSz7cx14Bg%2BGn3oOsB7vmMBFAt2yAxKy5VbEvj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b18e7e7980cd-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:42 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:43 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 10:25:43 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72107 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MGZTg%2BKlXHu1%2FOQA3P3Khrrj7W2m9WSWMVIpTtSMImVKy7OouBsbQXuxRKV4b4DZff9Umd7iNlInN7hBvpTQxstDw%2FjcC6DSOgVwwKKjo15bN8R4Fhl7xVuJzCF6nKskaeSKcIq6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b197bced7d00-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:43 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49721	188.114.97.3	443	7344	C:\Users\user\Desktop\scan copy.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:25:45 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 10:25:45 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:25:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 72109 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eaqLxgOAJfON6fGspSTiZXi7qglu9EH1mNz2MS%2BEqeA3BEYQkCKVaUMKcvPN%2BzLjhs9KPsjmfB3cq%2BwRdNR%2B9Ya4dj9pZumHdIoeruvChfTqJmIHIvbu2cDQiQZ7i8Ub%2Bfi9mzHD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c5b1a16b490f78-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 10:25:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 10:25:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:25:18
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\scan copy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\scan copy.exe"
Imagebase:	0x5d0000
File size:	841'216 bytes
MD5 hash:	70081B623E77616333B19E7BC186DD66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1407555144.0000000013C65000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:25:19
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\scan copy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\scan copy.exe"
Imagebase:	0x570000
File size:	841'216 bytes
MD5 hash:	70081B623E77616333B19E7BC186DD66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3851147525.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3846637840.0000000003742000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3846637840.0000000003501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFB4B577DE2 Relevance: 5.9, Strings: 4, Instructions: 898COMMON

Download Yara Rule

Strings

HZ`K, xrefs: 00007FFB4B5787E4
pU`K, xrefs: 00007FFB4B577E7D
Y`K, xrefs: 00007FFB4B578836
{z}, xrefs: 00007FFB4B578424

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: HZ`K$pU`K${z}$Y`K
API String ID: 0-2392001837
Opcode ID: 198743d9411e9ad701528b3e29e3d0e9ce76c23eab908ad8daa19f73fcb914c7
Instruction ID: 3d9a745fc5d351bd9864816071947013eae0aad99db22eea87a43fdfbc4dcbd8
Opcode Fuzzy Hash: 198743d9411e9ad701528b3e29e3d0e9ce76c23eab908ad8daa19f73fcb914c7
Instruction Fuzzy Hash: BA725F70619A8D8FEBB9EF18C8A5BE977E1FF59300F504179C84DCB2A2DA346941CB41

Function 00007FFB4B575D44 Relevance: 2.1, Strings: 1, Instructions: 826COMMON

Download Yara Rule

Strings

~, xrefs: 00007FFB4B575423

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 2bf4269085e0adee7eb86a18a8ff1fefd32a10f53105296a4fcda93ec5c31af3
Instruction ID: 7f4bf4b6332d912042ee9713161717a1a57636bf5d9d7de24e6e2dd750cebb9b
Opcode Fuzzy Hash: 2bf4269085e0adee7eb86a18a8ff1fefd32a10f53105296a4fcda93ec5c31af3
Instruction Fuzzy Hash: 69627270A1991DCFEB95EF18C894BA8B3A1FF58301F5041F9D14DD72A2DA35AD82CB40

Function 00007FFB4B5769EA Relevance: 1.9, Strings: 1, Instructions: 641COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFB4B576CB9

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 9d0f161d34efbeabaff737cff94755d32f26a3687e2e34658ae10e9691fdea44
Instruction ID: 472796efb6881f1028680460fbfd1dca6eec62473c44d495d3ac0ed3b094c383
Opcode Fuzzy Hash: 9d0f161d34efbeabaff737cff94755d32f26a3687e2e34658ae10e9691fdea44
Instruction Fuzzy Hash: 7742EB74A1892D8FDBA5EF68C894BA9B7B1FF58300F5041F9D04DE72A1DA35A981CF40

Function 00007FFB4B57B0BB Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

0b`K, xrefs: 00007FFB4B57B0BC

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: 0b`K
API String ID: 0-516934476
Opcode ID: af0e60024bd660f2f5aae44152a544ba088eeb8bce012b0b7842dc5e25ce68a9
Instruction ID: 59d89f7055f4c75269f13748c107d47b1eb2813b2bc2c7e8004b3c03ba26bd7f
Opcode Fuzzy Hash: af0e60024bd660f2f5aae44152a544ba088eeb8bce012b0b7842dc5e25ce68a9
Instruction Fuzzy Hash: 06C12074A1961D8FDB58DF58C590BEAB7B2FF98300F2081A9C45DD7396CA35A982CF40

Function 00007FFB4B57455B Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

o+, xrefs: 00007FFB4B5745A7

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: o+
API String ID: 0-251698391
Opcode ID: 98e6acb5642abb6fe616db505ca6ba8ec9304ba71b5b09fdea829540ec9039b5
Instruction ID: 819ae061c084e7bc67ae33d96805db2c4522bb4d1dd35400c4334e5ed01364a5
Opcode Fuzzy Hash: 98e6acb5642abb6fe616db505ca6ba8ec9304ba71b5b09fdea829540ec9039b5
Instruction Fuzzy Hash: CA11D8B0E0C51D9FEB58EE28C5A4AB8B7B5EF19314F1040A9D19ED2292CA345981CB41

Function 00007FFB4B574521 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

o+, xrefs: 00007FFB4B5745A7

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID: o+
API String ID: 0-251698391
Opcode ID: 81c5c76acc12b009446d3bcdf0bcdaa2d982e3b8d9a0dd6d03f9c82d6025ff18
Instruction ID: 6f526bc2e86e9c9a18ac6da7d639cfb9a4541d0ab2857b7b0688ac5d7cd38610
Opcode Fuzzy Hash: 81c5c76acc12b009446d3bcdf0bcdaa2d982e3b8d9a0dd6d03f9c82d6025ff18
Instruction Fuzzy Hash: 72F0B770A0C52C8FEB55EF18C598AA8B7B5FB5A300F5040A9D09ED32A1CA34A981CF01

Function 00007FFB4B57BAF2 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb6870354c54fff011b1a47971046fb9fe3143a5f13c969a4e99705439613d2
Instruction ID: 985cbbd9de80b184bb3482978c2887017a9b2551a72509327f00095157c5f218
Opcode Fuzzy Hash: 9eb6870354c54fff011b1a47971046fb9fe3143a5f13c969a4e99705439613d2
Instruction Fuzzy Hash: 76525E7462498E8FE769EF18C491BE473A2FB5C304F6041BCC95ECB795CA75A982CB10

Function 00007FFB4B571D62 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0af777757ff6b827ad20398dea41d738cd2028f07d29aae0b15d0d9c261d10
Instruction ID: 43fb3ec99b3dd80666d33135cfc6a7913566aa8ee2960e6b7b30824829ac966e
Opcode Fuzzy Hash: 7a0af777757ff6b827ad20398dea41d738cd2028f07d29aae0b15d0d9c261d10
Instruction Fuzzy Hash: D2123A70A09A598FDBA9EF28C855AA9B3F1FF59300F1041F9D45DD72A2CE35A981CF40

Function 00007FFB4B57464C Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d0b78e1891a7e82c04988bc7c8368b20d7b91221f7a9ff74321c21a7d30480
Instruction ID: c281cf6fd971e444776a5c81af6e2144a149e6617bdae2d737128b692c192848
Opcode Fuzzy Hash: c6d0b78e1891a7e82c04988bc7c8368b20d7b91221f7a9ff74321c21a7d30480
Instruction Fuzzy Hash: CCF1A771A0895D8FDF99EF18C8A9BA8B7F1EB68301F1441E9D04DE7291CA75AD81CF40

Function 00007FFB4B57414D Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0828dbc417b83604721966986da2bb75a92ae7ad907c955b4aa1a753e475d40
Instruction ID: 3fed4295bfc89614bd6d1f35bae79ab723a273fa147e87c14c1ab90db13a7ec5
Opcode Fuzzy Hash: a0828dbc417b83604721966986da2bb75a92ae7ad907c955b4aa1a753e475d40
Instruction Fuzzy Hash: 4DC105B190D68D8FD702BF7CD9655E9BBA0FF46320F0442B6D598C70A3EA28A446C791

Function 00007FFB4B5741F2 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88f792539cac1599d6a89d6f29b7386a82fd84429e604ec5c8a8973521e556e
Instruction ID: ff1d9e9aaa21dfd28b271bd63f54365fa1e4f6c7e2dbb2d566b2ce9527725a9f
Opcode Fuzzy Hash: a88f792539cac1599d6a89d6f29b7386a82fd84429e604ec5c8a8973521e556e
Instruction Fuzzy Hash: 61A112B190D68D8FD702FF78D8615E9BBF0EF46310F0442BAD598C70A3EA28A446C791

Function 00007FFB4B575E71 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501fe756987b8089f22d64f8df50aadb3ec8b8849fac1c8cc1f7b8ad4a201a59
Instruction ID: ab886ceb613723f7b8978a0963ce400ce59d9fb84f0d01133864a02f2ded21d3
Opcode Fuzzy Hash: 501fe756987b8089f22d64f8df50aadb3ec8b8849fac1c8cc1f7b8ad4a201a59
Instruction Fuzzy Hash: FB91EFB1A0CA4D8FDB91FF68D860AE9BBF0FB95310F0081BAD15DD7192DA3599428B41

Function 00007FFB4B5748AF Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe6f21b3105db671afdd62c2ee8e7a69867dce21579669feb51c74ef67a12af
Instruction ID: 5c6c322c8316477c690ef7dc82d114f2d789eff775d88a8185d7d44002dd106a
Opcode Fuzzy Hash: ffe6f21b3105db671afdd62c2ee8e7a69867dce21579669feb51c74ef67a12af
Instruction Fuzzy Hash: 348197B190895D8FDF99EF28C899BA8B7B1EB68301F0441E9D00DD7292DA35AD85CF41

Function 00007FFB4B575F6D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d92d098cb03e2dd1c74e08587e167f68a1774ba0dbf1ed56c594f57aca8ad5
Instruction ID: 3bec6830686fe9dff7ea974376b99bae38ce253996c29114b7be0467541f97c5
Opcode Fuzzy Hash: c5d92d098cb03e2dd1c74e08587e167f68a1774ba0dbf1ed56c594f57aca8ad5
Instruction Fuzzy Hash: E861A6B0E1D68A4FDB86EF74C964AE9BBF1EF59310F1480BAD18DD7193CA285842C740

Function 00007FFB4B5713A6 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e838acd962edc34f90af9d99b5b6a05f7a2458bcea91bdff35dab3f7a23ea37d
Instruction ID: 4f20bbd1fb7bf11500c2813d140bb9c03ab6e583301b878883cda6a96e0546c9
Opcode Fuzzy Hash: e838acd962edc34f90af9d99b5b6a05f7a2458bcea91bdff35dab3f7a23ea37d
Instruction Fuzzy Hash: 3771ADB0E0950ECFDB94EF68C495AADB7F2FF58300F0041A6D059E7262DA34A992CF50

Function 00007FFB4B578D5C Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c734ebd885a887eb88d801aefb37f0984d7847d5f32238247f289437abcb48e1
Instruction ID: 08a4c2fde2ab325ba2ec44fc9c708a196bfb6dfa20187ef8a5d35be65cedea80
Opcode Fuzzy Hash: c734ebd885a887eb88d801aefb37f0984d7847d5f32238247f289437abcb48e1
Instruction Fuzzy Hash: 3251A970A1DA5D8FDF98EF59C9A4BACB7B1FB58301F1040A9D55EE3291CB349980CB41

Function 00007FFB4B574CE2 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ec381236c1d0d3ad7670a7e6574c2339af16d9adba0989c5c8a45e07800ba3
Instruction ID: 9efe786e0fae7467b0fc5d71e5ba412c25ed8f1f922703ab424a78c43de1f1db
Opcode Fuzzy Hash: 65ec381236c1d0d3ad7670a7e6574c2339af16d9adba0989c5c8a45e07800ba3
Instruction Fuzzy Hash: 5F51AC71A1891D8FDF99EF28C8A9BA8B7A1FB68300F0441E9D01DD7291DE35AD858F41

Function 00007FFB4B574B46 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d1cc1501b0a08f769b9edb1768045ebd5e14409dd8d8e1dad55ea5fb9da24
Instruction ID: 7b2a93d64bda79776b55e5b9ed6d46c8a6657945dcd65f84e0fff4fe1f6fd5a8
Opcode Fuzzy Hash: 869d1cc1501b0a08f769b9edb1768045ebd5e14409dd8d8e1dad55ea5fb9da24
Instruction Fuzzy Hash: 8C418970A1991D8FDB99EF58C899BA8B7F1FB68300F5041E9D04DE3252DA35AD81CF41

Function 00007FFB4B5707AD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7ee39892676c0c6ee17e1b236d0756030240be4fd1ba6b95ef5c11c5d90362
Instruction ID: 81ad14d39d43708ade8484624246d1905f484dd7896d2e686190320a6457c460
Opcode Fuzzy Hash: 9a7ee39892676c0c6ee17e1b236d0756030240be4fd1ba6b95ef5c11c5d90362
Instruction Fuzzy Hash: A141CAD2E0DA87ABF7556BF8C93A094BFD0FF61255B0C81B6C4A4474D3DD199829C2C1

Function 00007FFB4B577B74 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345dc99e48e20ca5ca8fde27686a207ba3bab62340fefafc959254fa51aae638
Instruction ID: f7205768f2e0c4c5a858c15469d1a8c7138e715d482a7d48f476f348fd88378b
Opcode Fuzzy Hash: 345dc99e48e20ca5ca8fde27686a207ba3bab62340fefafc959254fa51aae638
Instruction Fuzzy Hash: 114109B1E0821A8FDF58EFA8E5A45FDB7F1EF48314F10407AD61AE3291DA346841CB50

Function 00007FFB4B57920F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8173fd94c6d290feac2337a0c5e17af91e3904e19bcd79d74e64e8ad204276d5
Instruction ID: e7b3d4fe0af3cf242a1cf453e06519f8446e9cf3e73864ec9161db8e9743c495
Opcode Fuzzy Hash: 8173fd94c6d290feac2337a0c5e17af91e3904e19bcd79d74e64e8ad204276d5
Instruction Fuzzy Hash: 4B41C17091C68E9FDB49EF38C8959EABBA1FF55300F0045BAD459C71A2DF34A845CB90

Function 00007FFB4B57A160 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e562effe903d7c503f50fb5c6e92a95e7b5d394a3c218859fd2d749d762a9dda
Instruction ID: 8f66b763cb246580df1c68ffa23094c9e2b41800233e7ab03be7d722cecd54f5
Opcode Fuzzy Hash: e562effe903d7c503f50fb5c6e92a95e7b5d394a3c218859fd2d749d762a9dda
Instruction Fuzzy Hash: CC51C57461868D8FDBA8EF19C860BE977A2FB58314F10806DD94DCB392CB75A942CB01

Function 00007FFB4B57B86E Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198cad32fee669aba93a3c2b9c273be752f6482990ae584fe54ab3c2e8314594
Instruction ID: 1f639166edaeee26fc38e5b5d675349a1c39a2af69ed6cc97fe73849b5fb3e63
Opcode Fuzzy Hash: 198cad32fee669aba93a3c2b9c273be752f6482990ae584fe54ab3c2e8314594
Instruction Fuzzy Hash: 4931AEB190C68D4FDBA9EF34C8657E9BBA1FF19300F0441BAE558CB1A2DA2856448B81

Function 00007FFB4B571AB2 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaaf94eb2a516bdbba0d7b6a02b3d9d39bf7a25b2ea9f4ee052b84bbdc113a0
Instruction ID: 809101cc7c373f68d2c95487a884dc00ebc85115ae6d85c6aa73f2d2c10be092
Opcode Fuzzy Hash: 0eaaf94eb2a516bdbba0d7b6a02b3d9d39bf7a25b2ea9f4ee052b84bbdc113a0
Instruction Fuzzy Hash: 84417C70A09A498FDB99EE28C855AE5B7F1EF54301F1041FDC55DD72A1CA39A886CF40

Function 00007FFB4B57A002 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a37f36fad7f1c0688e22425b559309ecbd32d56394fc489aa44f2f6636b51c
Instruction ID: 73b3fd4a10c426c3bfb3699ada395365f0aa4bcc6d21366bd55edb76f64c864e
Opcode Fuzzy Hash: f6a37f36fad7f1c0688e22425b559309ecbd32d56394fc489aa44f2f6636b51c
Instruction Fuzzy Hash: A9411FB460C6498FDB78DF14C5A47E877A1FB54345F10803ECA5ECB2A2CB796545CB40

Function 00007FFB4B573A28 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666575c58638b59e6d456c1c8f0ebf91cd60734cc3b8174779b78cdbd8cf90f
Instruction ID: cd0530a6935321687b456c58395bc4485db8f42dee103e411585a926deae2a33
Opcode Fuzzy Hash: 0666575c58638b59e6d456c1c8f0ebf91cd60734cc3b8174779b78cdbd8cf90f
Instruction Fuzzy Hash: 8F31C5B0A1CA5DDFDF95EFA8D564AADBBF1FB58300F104029D15EE3291DA34A841CB40

Function 00007FFB4B574148 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f56663d19110df38d6b67d50d7cd8391bd19de89401ca23ab77e7b148750c7
Instruction ID: 5df31b9ce42bf6213914fe5f75cac4eb1db0fbc8d65d8477e884a18b5f8750b1
Opcode Fuzzy Hash: 66f56663d19110df38d6b67d50d7cd8391bd19de89401ca23ab77e7b148750c7
Instruction Fuzzy Hash: 953184B190C68D4FDBA9EF24C9657E9BBA1FF18300F0441BAE55CC71D2DA386654CB81

Function 00007FFB4B571B24 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454fd0f8b98a044178ada5ceb40b7256a899e55c4b8191ec9c78d50b490e4c50
Instruction ID: f98d7d47ba03f3e9016e379a3a127d808b9c01379bd5e5b155a9e604fbebeee8
Opcode Fuzzy Hash: 454fd0f8b98a044178ada5ceb40b7256a899e55c4b8191ec9c78d50b490e4c50
Instruction Fuzzy Hash: D9310A70A0991D8FDBD9EF28C855AE9B3B1EB58301F1041E9D11DE72A1CA79A986CF40

Function 00007FFB4B571ABB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af37b0bf9c02cd582b0a06786026cc7bc3c0190450fb002001239f800a1f09a
Instruction ID: a6755588b7df991d05a66e9f9307000fdcf89c1e86cc4ebfd1bd5b602a5b797a
Opcode Fuzzy Hash: 5af37b0bf9c02cd582b0a06786026cc7bc3c0190450fb002001239f800a1f09a
Instruction Fuzzy Hash: 46311970A09A1C8FDB99EF24C855AE9B3B1EF58301F1001EDD54EE76A1CE79A985CF40

Function 00007FFB4B5797A6 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0383b87e00dac7dd72ff39a1317e0e0b1cbe26f30b4e79fa793fe6249363f2a9
Instruction ID: 8964bac2aa37d7f2020ed324b0d812e3a14d24c32a44ddffec0af7cb7cfc3cb5
Opcode Fuzzy Hash: 0383b87e00dac7dd72ff39a1317e0e0b1cbe26f30b4e79fa793fe6249363f2a9
Instruction Fuzzy Hash: 21310174A1451ACFDB94EF68C580BDCB7F1FF58320F1081A9E508EB266DB34A9818F50

Function 00007FFB4B57A314 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7413adc48cf9dffb3683a505062a2e2e63fa57eb0e42155f82f71f2a9b874010
Instruction ID: 45029c19600d6ff8028487d3e15f6d69eaad18527d8d9dd31e2be23b417007c3
Opcode Fuzzy Hash: 7413adc48cf9dffb3683a505062a2e2e63fa57eb0e42155f82f71f2a9b874010
Instruction Fuzzy Hash: 4631EC7561858D8FDFA9EF19C4A0BE877A1FF58311F10416AD94ECB292CB35A942CF80

Function 00007FFB4B577AA7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7de2e96a0aed40a705cfdfdd67d04a705c1303844d5c46e98aeb382aef93c2
Instruction ID: 22a62be42157b81d098bb895d7d06f2bf1c9a1ddeee560acd3cc447e55e64922
Opcode Fuzzy Hash: fd7de2e96a0aed40a705cfdfdd67d04a705c1303844d5c46e98aeb382aef93c2
Instruction Fuzzy Hash: 2521FFB0A1DA1E8FDB94EF28C564BA8B7B1FF59300F5090F5815DD72A2DA3469818F41

Function 00007FFB4B5717DD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9efb0b06e1f9d3bd6a03f87f7efa70606bd2c45c72a303a74bf80f83e9ecd93
Instruction ID: 0e55faf39141b11c872256a7afc8bf4be9a2977f2b13bbbd75f1fe380c863b60
Opcode Fuzzy Hash: d9efb0b06e1f9d3bd6a03f87f7efa70606bd2c45c72a303a74bf80f83e9ecd93
Instruction Fuzzy Hash: 7011B270A0E64D4FDBD9EA34C8657E9B7E1EF55310F0441FDC08AD72A2CA39984ACB41

Function 00007FFB4B57C471 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdaed06c10f9f8d4d46d96cdb93e9c905d5932a51666bdc14f0f49ba1bd45b7
Instruction ID: 34a8a0cb904c6cec073d3f511ac230dd5beb1132710044fb74628b8b1317e741
Opcode Fuzzy Hash: 7fdaed06c10f9f8d4d46d96cdb93e9c905d5932a51666bdc14f0f49ba1bd45b7
Instruction Fuzzy Hash: 6911E0B290D68D8FEB59EF34C9217B9BBB1FF05300F1801BED199D3292DA686914C751

Function 00007FFB4B5716D8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838e9ac8f3fade59696dc2566995f5f16172855cf56da7dc1663b7d19756b76a
Instruction ID: 7b929c0c67a4be60870173a49225327ef9b1338cc16281577f177188fc07ec90
Opcode Fuzzy Hash: 838e9ac8f3fade59696dc2566995f5f16172855cf56da7dc1663b7d19756b76a
Instruction Fuzzy Hash: CD113A70A0951D8FDB95EE28C894BA973E1FF98300F1042E9D45DD72A2CA35A992CF40

Function 00007FFB4B5796BA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fecbbc08596bd7e35f163cc9d4f99891df76fa13681262754344db2a1f961a4
Instruction ID: 043bad88bc10b8083568bf9f975a8d70a39cf224e24155af64bd0062c53a672e
Opcode Fuzzy Hash: 3fecbbc08596bd7e35f163cc9d4f99891df76fa13681262754344db2a1f961a4
Instruction Fuzzy Hash: BF1119B0E1851ADFDB98EF68C590AECB3B1FF58311F5041B9D11DEB2A2DB34A8418B50

Function 00007FFB4B574F81 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f556bfdaee654473d3d4ae90b94076f60ba4928cd5b915b261755ac49310a4de
Instruction ID: 271c44066019645a62ac1802f7667c9a9f5dcaf3f542019c6730ec5c9039af42
Opcode Fuzzy Hash: f556bfdaee654473d3d4ae90b94076f60ba4928cd5b915b261755ac49310a4de
Instruction Fuzzy Hash: 1B11A5B148E2C55FD7135B349D325E5BF749F43210F0981E7E5D88A4E3C51D255AC3A2

Function 00007FFB4B57174E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9e3ad0885fddf0d29ac04dd4027f4f6a7def260982b079f7d183d4cb4ce4dc
Instruction ID: b03fff090d6350922e9ea7881b4393f543ef0928393308fb9daeea0b2fedcc3e
Opcode Fuzzy Hash: 0e9e3ad0885fddf0d29ac04dd4027f4f6a7def260982b079f7d183d4cb4ce4dc
Instruction Fuzzy Hash: E2118370A0991D8FDF95EF28C894B9973E2FB98341F5041E9D04DD7256CA75A982CF40

Function 00007FFB4B574F05 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1985d7b2c42150f6b693ea4a7b915aa196d1d2a5916e1b0e0592f4935a6f123f
Instruction ID: ae61a93d45a5cd2b5c61ea139fd18e723fc92d7ab9d7189a7c733e90be2725b6
Opcode Fuzzy Hash: 1985d7b2c42150f6b693ea4a7b915aa196d1d2a5916e1b0e0592f4935a6f123f
Instruction Fuzzy Hash: C5011A7191895D8FDFA5EE18C898FA5B7B0FB58305F1441E9D01DD3291CA359AC5CB40

Function 00007FFB4B5716E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2674f46c28590b0d99175750359ed69e7f036c9dff05aadab0177cfb2188caf
Instruction ID: e68bba48642d64feedc895eb1008078577e34a0e70da94c6d7f8a2fa95695053
Opcode Fuzzy Hash: c2674f46c28590b0d99175750359ed69e7f036c9dff05aadab0177cfb2188caf
Instruction Fuzzy Hash: A011B774909A1C8FDB95EF28C8957A9B3A1FF59301F1000E9D54EE7252DA75AA82CF40

Function 00007FFB4B576707 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6824dae6fd0f2f6a6bb7f048d9aa60e070a4029fe3304e56ec67de1ba6c625af
Instruction ID: 4439b14d8c61b326076eedb566debece9f820bc4e2dd8f6ddca12d195305face
Opcode Fuzzy Hash: 6824dae6fd0f2f6a6bb7f048d9aa60e070a4029fe3304e56ec67de1ba6c625af
Instruction Fuzzy Hash: 93116370A0896D8FDFA4EF18C894BA8B7B1FB64300F5081E9C04DE3251DA31AAC5CF40

Function 00007FFB4B57098D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4286b275d944d72b3b6224ea9401290b2feadbf52779f74b7ffe40e81b4cb502
Instruction ID: 00a1d37c4bb55473c42d73206fbc3b1f69e81139f387dba3c8eeeab99156f345
Opcode Fuzzy Hash: 4286b275d944d72b3b6224ea9401290b2feadbf52779f74b7ffe40e81b4cb502
Instruction Fuzzy Hash: 3CF0D1B094D68A4FE745EF74C9646E6BBE0FF4A200F0800BAE4A8C70A3CE28A550C711

Function 00007FFB4B57659A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7379bff1e17e0a4a7c0b83101421e454a37de09948d6980248296b459f371495
Instruction ID: e4e4acb6551a66b9f5b44a1a63c5457cd28e7a75905a2a09da2132b70be13099
Opcode Fuzzy Hash: 7379bff1e17e0a4a7c0b83101421e454a37de09948d6980248296b459f371495
Instruction Fuzzy Hash: 5B01F270A0892C8FCFA8EF58C894BACB7B1FB69301F508199804EE7251CA319985DF00

Function 00007FFB4B57C4A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36298c141146fd3ba770903e2201f3d3c5f58a57de76c13a0aec67f29d8805d
Instruction ID: 527d5c744733820e7ed0170b8244e574171b130f15e990003ffb18a5805242bf
Opcode Fuzzy Hash: e36298c141146fd3ba770903e2201f3d3c5f58a57de76c13a0aec67f29d8805d
Instruction Fuzzy Hash: 4EF0ADB0A1DA5D8FEBA8EE28C9207B9B7A2FB48300F100479D549D3291CE7418458740

Function 00007FFB4B5766AB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4934e6aa31bbaf0ba1703fa86e9358a00486674b60051978b273037049a882
Instruction ID: ae76b24dfe2fcb5c0e3a3ec2a5d6de2f8ca43e1b5525e115f5a08f1dd5be09d4
Opcode Fuzzy Hash: aa4934e6aa31bbaf0ba1703fa86e9358a00486674b60051978b273037049a882
Instruction Fuzzy Hash: 65F0F47090892D8FCFA4EF18C894BA9B7B1EB65301F5081D9804EE7251CE31A9C5CF40

Function 00007FFB4B579FEF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc21488af61323fb0db0f597a043cb149e23083991604a628821f528bb065eb
Instruction ID: 14bf984b3af2f6f5831a9a7fcc2bc9418466763d63048f683300e507ba3186d1
Opcode Fuzzy Hash: 9bc21488af61323fb0db0f597a043cb149e23083991604a628821f528bb065eb
Instruction Fuzzy Hash: 90F0F9B450868D8FDB64EF14C5A5BE87BA1FF58340F20812AD98DCB362DE346545CB40

Function 00007FFB4B579F8E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa06ed071e41314a5cdc920b406e48fd091abd18f0ff22b8e15dcbb87c79f1b2
Instruction ID: 5218df6362d866a17127ceb071b6ed551c26c3b493630b74473f8cf94e44e472
Opcode Fuzzy Hash: aa06ed071e41314a5cdc920b406e48fd091abd18f0ff22b8e15dcbb87c79f1b2
Instruction Fuzzy Hash: 02F017B450868D8FDB64EF14C4A1BE83BA2FF58340F20812AD88DCB362CB34A544CB40

Function 00007FFB4B576988 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef32c8028824dd6ffbb85eb700e121ee4692b9e50c4de17eb88a1813a6b7aea1
Instruction ID: 1925727452c3b7b88f996e02591c3c1debf6a447138f59c0c8bbd422c0929921
Opcode Fuzzy Hash: ef32c8028824dd6ffbb85eb700e121ee4692b9e50c4de17eb88a1813a6b7aea1
Instruction Fuzzy Hash: 86E075B0D1C61D8EDB95EF68C9556EDB7B0AB18300F5041A9801EE7251DA306A81CF40

Function 00007FFB4B576963 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8010c9796be4de349af1b4d5328bed642d343c4801aa9ee86aa95918814832
Instruction ID: e588068f622e6e711d6e336e951fb77e9c753b139f2c6ce9c5aed6229c013a6c
Opcode Fuzzy Hash: ff8010c9796be4de349af1b4d5328bed642d343c4801aa9ee86aa95918814832
Instruction Fuzzy Hash: ACE09A70A1C95DCEDBA5EB18CD64BE9B7B5EF59301F1140E5C14DE7262CA306A808F00

Function 00007FFB4B5708CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808f24fc6a1860a0a16df8ef2437bba437e2d55b162ffd044ed6741855638141
Instruction ID: 0853ed52060b594e86b664d3a6ba0cfac24ea0c0e38f367ee64140f5a78873cc
Opcode Fuzzy Hash: 808f24fc6a1860a0a16df8ef2437bba437e2d55b162ffd044ed6741855638141
Instruction Fuzzy Hash: FAD0C9B1D0940C9EDB40EFA8E8955ECF7B5EF44214F4052B6D50DD3192DE346A518640

Function 00007FFB4B5771C7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409819798.00007FFB4B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b570000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7744d8d359ea50b85fe9e38585e215ee2b58da0ec66a1e33d8dd004d4e3587
Instruction ID: 5147053ae40ebe601cf11fe7f52e53db35453dafd94356d791366a27708013e1
Opcode Fuzzy Hash: 6a7744d8d359ea50b85fe9e38585e215ee2b58da0ec66a1e33d8dd004d4e3587
Instruction Fuzzy Hash: 26D0C97050E00B8EC610BF68C9056D9F334FF46320F2153A6CA3A2B1F7963A2516DB80

Analysis Process: scan copy.exePID: 7344, Parent PID: 7260COMMON

Executed Functions

Function 00007FFB4B589F5B Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ee2608607f75f58391a6d925dac963bc57be5ce5c83ae3086a1d616a938409
Instruction ID: d5bb7849dcb0efcea133daf7c988d383696d396ecbb29c3ad04bfde148de2632
Opcode Fuzzy Hash: a9ee2608607f75f58391a6d925dac963bc57be5ce5c83ae3086a1d616a938409
Instruction Fuzzy Hash: 8E4238B0D0961D8FDB94EF68C894BE9B7B1FF59300F5041A9D41DE3292DA38A986CF40

Function 00007FFB4B587D62 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6109f1b288dc22ee39e6da268c0fcd764f0c52a2380e30ce8eb0bfe8d59b3f82
Instruction ID: 739e72533fff2ea895675a4b6e116b8b0d071ef4da90c07205b14e14f18028c7
Opcode Fuzzy Hash: 6109f1b288dc22ee39e6da268c0fcd764f0c52a2380e30ce8eb0bfe8d59b3f82
Instruction Fuzzy Hash: DF02D4709096198FDBA5EF28C894BE9B7B1FF59305F1041EAD05DE3292DB35AA81CF40

Function 00007FFB4B588ACA Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de0f1f03cc760afeee37d7772a13226d190228cbd1ab7ee1b61b8675679c881
Instruction ID: c7fd3638646476ef146df77251b4c14a84903806eae5d8372b85744d40cdd57c
Opcode Fuzzy Hash: 5de0f1f03cc760afeee37d7772a13226d190228cbd1ab7ee1b61b8675679c881
Instruction Fuzzy Hash: BEF12570919A1D8FDB94EF68C894BADB7F1FF59300F5041AAD40DE3292DA38A981CF50

Function 00007FFB4B587793 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ddcc70569731c690f9aebb5c45d75caf95a92e160684d216ca71c3556ab3d7
Instruction ID: 17f9dd9bae9b996874fb3235eb63171514686f2bb41ef71fcde2a979fe4fa02e
Opcode Fuzzy Hash: 71ddcc70569731c690f9aebb5c45d75caf95a92e160684d216ca71c3556ab3d7
Instruction Fuzzy Hash: E8F1867090991D8FDFA8EF28C899BA9B7B1FF59301F5041E9D01DE7262DA35A981CF40

Function 00007FFB4B58A6BC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cf7ee21f86e204a7925cb4acab291726a42a3320c777be76f7140a3625a17e
Instruction ID: 55ccd24e5f1b2b6a555e04e5c25b2eda34bdc6495ff3ff5f32ec8f0691a597b4
Opcode Fuzzy Hash: 58cf7ee21f86e204a7925cb4acab291726a42a3320c777be76f7140a3625a17e
Instruction Fuzzy Hash: 21017870D1861E8AEB10EFA4C4407FDB2B1EF81301F008139C228A71EACB78659ACF80

Function 00007FFB4B585CF2 Relevance: 14.2, Strings: 11, Instructions: 436COMMON

Download Yara Rule

Strings

h>cK, xrefs: 00007FFB4B585EB9
(<cK, xrefs: 00007FFB4B585E39
p<cK, xrefs: 00007FFB4B585E49
M_I, xrefs: 00007FFB4B585E44
>cK, xrefs: 00007FFB4B585EA9
@?cK, xrefs: 00007FFB4B585EE9
H=cK, xrefs: 00007FFB4B585E79
;cK, xrefs: 00007FFB4B585E29
0:cK, xrefs: 00007FFB4B585DC9
P;cK, xrefs: 00007FFB4B585E09
x:cK, xrefs: 00007FFB4B585DD9

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: >cK$(<cK$0:cK$@?cK$H=cK$P;cK$h>cK$p<cK$x:cK$;cK$M_I
API String ID: 0-2906591630
Opcode ID: f3594bfcba4939dbe4ebe120ae50063c503b318d36e66ff3bcb0879f2202be30
Instruction ID: b01a2f822c8db428d8f4152a316bcf0acb552bcb3d885713f8365bb7a3d54e3f
Opcode Fuzzy Hash: f3594bfcba4939dbe4ebe120ae50063c503b318d36e66ff3bcb0879f2202be30
Instruction Fuzzy Hash: 50C186C295F58B07FA113E78FAFB0FE9681DF42761B88ADB6E2AC050E75C1864258590

Function 00007FFB4B581B65 Relevance: 10.5, Strings: 8, Instructions: 472COMMON

Download Yara Rule

Strings

xJGK, xrefs: 00007FFB4B581DE8
XK, xrefs: 00007FFB4B581BED
xJGK, xrefs: 00007FFB4B581D90
xJGK, xrefs: 00007FFB4B581DC6
xJGK, xrefs: 00007FFB4B581EC5
xJGK, xrefs: 00007FFB4B581C10
xJGK, xrefs: 00007FFB4B581C68
xJGK, xrefs: 00007FFB4B581C46

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: xJGK$xJGK$xJGK$xJGK$xJGK$xJGK$xJGK$XK
API String ID: 0-1603173492
Opcode ID: 69aac69c333d29664db11e0b21be91b478d8705d57f1e0a08c7da2b37db44be7
Instruction ID: 9b4cf175f0bb8172eba4e66900642466b8ed7ac6fa1ace9d85a055a082936f0c
Opcode Fuzzy Hash: 69aac69c333d29664db11e0b21be91b478d8705d57f1e0a08c7da2b37db44be7
Instruction Fuzzy Hash: E3E1E2B1D0D68D8FEB46FF74C8656E9BBA1FF48300F0405BAD509D3192DA386856CB91

Function 00007FFB4B5808D3 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F
;N_^, xrefs: 00007FFB4B580901

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: ;N_^$K;N
API String ID: 0-2106489120
Opcode ID: 85203747fecfd778c9c8ebb954a3b12d283125cf935a0f9a598082889f92236f
Instruction ID: 5483f871110c0b1a68dfbbd8985ebe9361fdc23b71956e39e257329fae13af4a
Opcode Fuzzy Hash: 85203747fecfd778c9c8ebb954a3b12d283125cf935a0f9a598082889f92236f
Instruction Fuzzy Hash: 09A11775A0892C8FDB94EF6CD895BECB7B1EF58311F1041BAD14DD7252DA34A882CB90

Function 00007FFB4B5808D8 Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F
;N_^, xrefs: 00007FFB4B580901

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: ;N_^$K;N
API String ID: 0-2106489120
Opcode ID: 8cd99a7923678412dfc33dbe9b27611d28c7d458ea9ae5b1f8ff8962bffe2e69
Instruction ID: 584529522ffad5d988338e705194967e42c9b157177b3e9743c543a8bbcf49c5
Opcode Fuzzy Hash: 8cd99a7923678412dfc33dbe9b27611d28c7d458ea9ae5b1f8ff8962bffe2e69
Instruction Fuzzy Hash: C0A11775A0892C8FDB94EF68D895BECB7F1FF59311F0041AAD14DD7252DA34A882CB80

Function 00007FFB4B5808E8 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F
;N_^, xrefs: 00007FFB4B580901

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: ;N_^$K;N
API String ID: 0-2106489120
Opcode ID: cad72e6c327565e1a4d62fd91741f896c22e9f28e176e3810e1557740ccbf3a9
Instruction ID: d85fc85f8b5bf2f6d85a2dd374ae5e4bd1202ced8ef4c845e0b9ee3d236ee7ef
Opcode Fuzzy Hash: cad72e6c327565e1a4d62fd91741f896c22e9f28e176e3810e1557740ccbf3a9
Instruction Fuzzy Hash: 5FA11875A0892C8FDB94EF68D895BECB7F1FF59311F1041AAD14DD7252DA34A882CB80

Function 00007FFB4B5808F8 Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F
;N_^, xrefs: 00007FFB4B580901

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: ;N_^$K;N
API String ID: 0-2106489120
Opcode ID: bf2c746e01528a80d318f7c9f82053154d517e3b9bef7e6ee9d2ffe107266875
Instruction ID: 65d77c9c691c25fc2d4db66e158cee5ec04fa2a2c2fe9daf341a2bc5cba20b7b
Opcode Fuzzy Hash: bf2c746e01528a80d318f7c9f82053154d517e3b9bef7e6ee9d2ffe107266875
Instruction Fuzzy Hash: 55A10875A0892C8FDB94EF68D895BECB7F1FF59311F1041AAD14DD7252DA34A881CB80

Function 00007FFB4B5807D0 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: d1500a49ae843e1cdaa4d08bde4914e28ed4ac94c0593f338eebf1bbeb15ba4b
Instruction ID: f63e6b0cbeae25c9845e73c23cfc399c9fced5644c107766be0be2b524206f1d
Opcode Fuzzy Hash: d1500a49ae843e1cdaa4d08bde4914e28ed4ac94c0593f338eebf1bbeb15ba4b
Instruction Fuzzy Hash: 9AB16C71A09A288FDB94EF6CD895BACBBF1FF59311F1440BAD14DD7152CA34A881CB90

Function 00007FFB4B580898 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: ec75ad5af27ad84e8e81f4f9235ac045791eb5564aa1d58b873051c6326d42d9
Instruction ID: a38e0daff7086b2e71bc393c433bcc6c9df1f9d1ac2e5fa4818effc0ae26c211
Opcode Fuzzy Hash: ec75ad5af27ad84e8e81f4f9235ac045791eb5564aa1d58b873051c6326d42d9
Instruction Fuzzy Hash: 6AA11875A0892C8FDB94EF6CD895BEDB7B1FF58311F0041AAD14DD7252DA34A882CB80

Function 00007FFB4B5808A8 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: 7352f94674adc9ce89922c59301fe08c564408a769bdcb0c005aa68ca1402725
Instruction ID: 05e669d2bb543739015391ec86ddcaafba19e269c0d61fe1619bfc02c6ee6559
Opcode Fuzzy Hash: 7352f94674adc9ce89922c59301fe08c564408a769bdcb0c005aa68ca1402725
Instruction Fuzzy Hash: 2CA11875A0892C8FDB94EF68D895BECB7F1FF59311F1041AAD14DD7252DA34A882CB80

Function 00007FFB4B5808B8 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: c21b18740a938cd6a973e445a56d4e612e797e5c8b5c497bea72e4d4acfd8e18
Instruction ID: f3c4d3c23615419b77ea534d8167b30413810ca46902bd34f4132d554c5aab04
Opcode Fuzzy Hash: c21b18740a938cd6a973e445a56d4e612e797e5c8b5c497bea72e4d4acfd8e18
Instruction Fuzzy Hash: 0AA11875A0892C8FDB94EF68D895BECB7F1FF59311F1041AAD14DD7252DA34A882CB80

Function 00007FFB4B5808C8 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: 0b9cfc9efa93c9c7120c62d64b36220f0534acd8a4f73ceac8dcf7e60f1e2b5c
Instruction ID: 23c2631baa635cb3a17e6856539aab86635e040e7f5166fef774d2052651a459
Opcode Fuzzy Hash: 0b9cfc9efa93c9c7120c62d64b36220f0534acd8a4f73ceac8dcf7e60f1e2b5c
Instruction Fuzzy Hash: 29A11871A0892C8FDB94EF68D899BECB7F1FF59311F1041AAD14DD7252DA34A881CB80

Function 00007FFB4B580908 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

K;N, xrefs: 00007FFB4B58096F

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: K;N
API String ID: 0-4198949112
Opcode ID: 793fa689ef2b47dfcab3cfd3858e99fb40c8bb5763c8e31c14d4e441f514eabe
Instruction ID: 607ad858a185f9cdd29c62564cf64ab835c5059a440ce87cb8d8f5f109e7e08a
Opcode Fuzzy Hash: 793fa689ef2b47dfcab3cfd3858e99fb40c8bb5763c8e31c14d4e441f514eabe
Instruction Fuzzy Hash: BAA10875A0892C8FDB94EF68D899BECB7F1FF59311F1041AAD14DD7252DA34A881CB80

Function 00007FFB4B580C80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ec60c4b20c188abf8baf33dbf223dfcc46f1055e2ac4cf875694ef62362ac8
Instruction ID: b16fb5de5fb4a792738522b6bdd11fda7bb293d28ee73ee5928d47baf8f95fe8
Opcode Fuzzy Hash: f1ec60c4b20c188abf8baf33dbf223dfcc46f1055e2ac4cf875694ef62362ac8
Instruction Fuzzy Hash: D032F470A1896D8FDBD4FF28C8A8BA9B7B1FB98704F5041A9D40DD3256CA346D828F50

Function 00007FFB4B58710D Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf31821089601ebfce41a3410b1a5f63566b04cc73bce498f8932677aaac9ea
Instruction ID: 7df77f87b79784ff5b57df6bd2253bd47caf59baaba5a33f8cc60556f0bba29c
Opcode Fuzzy Hash: acf31821089601ebfce41a3410b1a5f63566b04cc73bce498f8932677aaac9ea
Instruction Fuzzy Hash: 5C32E5B0D0992D8FDB99EF28C895BE9B7B1FF58305F1041A9D01DE3292DA35A981CF50

Function 00007FFB4B58EFB5 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912a2d38eda671add9e5119d755b04a47de9e34bbc691a7bd772aea46ce0ec8a
Instruction ID: 30236dc8ff71cf4bf96b778bb3ac3e400789a9f2c0dd3d902bfa357c0f8f1bf6
Opcode Fuzzy Hash: 912a2d38eda671add9e5119d755b04a47de9e34bbc691a7bd772aea46ce0ec8a
Instruction Fuzzy Hash: 2D2258B090861D8FDB59EF68C4947EDB7B1FF58300F2085A9D41DE7296CB39A981CB50

Function 00007FFB4B5868E0 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691b6e0bcacf909629a7e6b4b2d7aae9e2b167922df1ab4b504b22a5d3e25146
Instruction ID: aa1d10f78387f524b2df591cf1f7ae218f124a32346702f108c84c516bd5f5c0
Opcode Fuzzy Hash: 691b6e0bcacf909629a7e6b4b2d7aae9e2b167922df1ab4b504b22a5d3e25146
Instruction Fuzzy Hash: CAF1017084E68D8FDB42AF74C8646E9BFB0FF46310F0445BAD448C71A3DA2D695ACB61

Function 00007FFB4B586291 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb8da2e1f14e6171488178da1a1936c266ca1faef52689f60d295b8feb00ab0
Instruction ID: 5760d449f2fed7e78e7613a49e58fcc79b3229b4e465a34a42811eb1a45f1c68
Opcode Fuzzy Hash: 6cb8da2e1f14e6171488178da1a1936c266ca1faef52689f60d295b8feb00ab0
Instruction Fuzzy Hash: 51B1D8B284E78C8FDB526E34CD651E8BF60FF46210F4902F7E5548A0E3EA6D6529C352

Function 00007FFB4B58418B Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ab4d81d8f7075747f35e2c6bb9b0b6e2cef280317da315dda4b11ffcb84d73
Instruction ID: 10b3f05cf0c1a6c84df7d0e849fec08e9e6691592d01bfe32386952701b2b61f
Opcode Fuzzy Hash: f2ab4d81d8f7075747f35e2c6bb9b0b6e2cef280317da315dda4b11ffcb84d73
Instruction Fuzzy Hash: 74D15E7090CA5D8FDB95EF68C865BA8BBF1FF59300F0041AAD41DD72A2DA35A985CB01

Function 00007FFB4B584D5B Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532f9f16dbfbf3cabbe6224906e2b3869bad01071330a30df37e3c122bc257a3
Instruction ID: 2efdf855901b380cff6bfc9b910d374399d5a668cdcfdd02dce339cf4a10ccba
Opcode Fuzzy Hash: 532f9f16dbfbf3cabbe6224906e2b3869bad01071330a30df37e3c122bc257a3
Instruction Fuzzy Hash: 25D14C7090CA5D8FDF95EF68C895BA8BBF1FF59300F0041AAD00DE7292DA35A985CB51

Function 00007FFB4B58496B Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9613e08cdbaafa1e8b0e710771a4772cbf794890bc24b16ec772cc03b32ed427
Instruction ID: da0b237404c617ad623ab1bbbac92d855e9e788eb29d534b03722022986d3b12
Opcode Fuzzy Hash: 9613e08cdbaafa1e8b0e710771a4772cbf794890bc24b16ec772cc03b32ed427
Instruction Fuzzy Hash: B3D15F7090CA5D8FDF95EF68C895BA8BBF1FF59300F0041AAD40DD72A2DA359981CB41

Function 00007FFB4B58514B Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7258df0a6dc3c29272c151093aff43c9fef9344bb970c6b6965789079ada5e6
Instruction ID: 70aad9e2009163310d2a6b650547c2e63ddbe003c3adc06bda962e03dc46bcbd
Opcode Fuzzy Hash: b7258df0a6dc3c29272c151093aff43c9fef9344bb970c6b6965789079ada5e6
Instruction Fuzzy Hash: 7CD1407090CA5D8FDF95EF68D865BA8BBF1FF59300F0041AAD04DE7292DA35A985CB01

Function 00007FFB4B58457B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2c9e4b03e82b002bc2e6db735a7c4d8d4c5e18221ffab5f211b239162db255
Instruction ID: c65eec85c3928c921692cc076528737cb9f7b338bf3e5888f7b60f3fa89c7dbc
Opcode Fuzzy Hash: 9c2c9e4b03e82b002bc2e6db735a7c4d8d4c5e18221ffab5f211b239162db255
Instruction Fuzzy Hash: 6CD14E70908A5D8FDF95EF68C894BA8BBF1FF59300F1041AAD40DE72A2DA359985CF41

Function 00007FFB4B583A35 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c12ffaeb592e0e31103f1057f1846a3b9dc1f65bda3454e8d79cb4d56742424
Instruction ID: d949b02e7ee51ed4c07cb0c1836cf81219f70b5a7ae03bdc08e102b643f77644
Opcode Fuzzy Hash: 8c12ffaeb592e0e31103f1057f1846a3b9dc1f65bda3454e8d79cb4d56742424
Instruction Fuzzy Hash: E4C150B190CA5D8FDF95EF68C4A5BA8BBF1FF59300F1040AAD05DE7252DA346985CB01

Function 00007FFB4B58553B Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7871bf8595b39667ce3476aee14fbf8228ac87a66e292391b0ba1928f3f3b223
Instruction ID: c3d08c2aaff3ea3204a6f2d817bf9302ac9e4435218e18440e8f5f1ab45a0f8a
Opcode Fuzzy Hash: 7871bf8595b39667ce3476aee14fbf8228ac87a66e292391b0ba1928f3f3b223
Instruction Fuzzy Hash: 4CB13970908A5D8FDF95EF68D895BACBBF1FF59300F0441AAD04CD72A2DA34A981CB41

Function 00007FFB4B583E66 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e415f5571999c77f4ab856727bc2454542508fae2a28678651a77d9939027b60
Instruction ID: 161221cf7536cf42750a21c038e1334d96a177e9d8d6d7cef78a41cd2cacd8b0
Opcode Fuzzy Hash: e415f5571999c77f4ab856727bc2454542508fae2a28678651a77d9939027b60
Instruction Fuzzy Hash: 56A14EB090CA5D8FDF95EF68C855BA8BBF1FF69300F1041AAD00DE7292DA356985CB11

Function 00007FFB4B586B39 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2756fab5da094fc87e2347da1df37d38125f6974eadc254bc83da8ef1a6b80
Instruction ID: 382559fdde7c95ebb4bd770985fdae9836c7ba6eba1a27b4265f0a93fd0d9355
Opcode Fuzzy Hash: ab2756fab5da094fc87e2347da1df37d38125f6974eadc254bc83da8ef1a6b80
Instruction Fuzzy Hash: 7D91237190D68D8FDB06EFA4C8202EDBBF1FF8A310F0442BAD458D7192DA38595AC761

Function 00007FFB4B586B08 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bb1a0543c1ec865d331342567671bd492122d615ad08bd297646b55be48df1
Instruction ID: 295f4d220ddccb498905e29ef5586265e5983e0023435a522b4ed342f4beee4b
Opcode Fuzzy Hash: d2bb1a0543c1ec865d331342567671bd492122d615ad08bd297646b55be48df1
Instruction Fuzzy Hash: 4281127194D68D8FDB46ABA4C8212E9BFF1FF4A310F0442BAD448CB193DA2C595AC761

Function 00007FFB4B583A70 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afcb5298af7b82bf6993a723c5c3fc6ce7054869022a3b5fc2c5ff30c113071
Instruction ID: 5cfff835b62c1cd1cbd3ee6ccf04448708563b57f961a9d3993e71b586b04645
Opcode Fuzzy Hash: 6afcb5298af7b82bf6993a723c5c3fc6ce7054869022a3b5fc2c5ff30c113071
Instruction Fuzzy Hash: BB913EB090CA5D8FDF94EF68C4657A8BBF1FF59300F1040AAD05DE3292DA356985CB01

Function 00007FFB4B586DC9 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2798ead126d51a4955ba5a4b54c2d054749d75bb82d2f4cbf8d709cf1d9655a9
Instruction ID: 51ef830a839e963099877ee2ba273f925eb35120887e163812f8103e2658c2d9
Opcode Fuzzy Hash: 2798ead126d51a4955ba5a4b54c2d054749d75bb82d2f4cbf8d709cf1d9655a9
Instruction Fuzzy Hash: 7E814AB0D0961D8FEB95EB68C855BADB7B2FF58300F5041B9D00DA7292DB386985CF41

Function 00007FFB4B5809A0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d44345a33cc0d333db346ae9fe430a824ed6ac75e4b85a4fa43e9446c9b3883
Instruction ID: 0fb1ddccf0d3dcd5aad45c352c53605746c5133e7434eda4f141fc0f2dcdbbbe
Opcode Fuzzy Hash: 8d44345a33cc0d333db346ae9fe430a824ed6ac75e4b85a4fa43e9446c9b3883
Instruction Fuzzy Hash: 2171A974A08A1D8FDF94EF68D895BACB7F1FF69301F5041AAE44DE7251DA34A881CB40

Function 00007FFB4B58AF50 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e47edc67ccac1a7be8d272e6f6a356c30026a5cce602940ee7a223a56a4d1c5
Instruction ID: 0cad185390f4b949986ef3b774c76370660aa146cb3d40bfac77518332c486ea
Opcode Fuzzy Hash: 0e47edc67ccac1a7be8d272e6f6a356c30026a5cce602940ee7a223a56a4d1c5
Instruction Fuzzy Hash: 138172B0C0D65E8BEF66EF24C961BE9B7B4EF14300F0042B9D52D971A2DE356A56CB40

Function 00007FFB4B582049 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94db297dc635dca83878fa704339c21dc9f3c64ecef92d69638543063ba7719e
Instruction ID: a27fac668a483ffc3b3264bf96a864856b5c2d23072a98a324adce17910e8dd8
Opcode Fuzzy Hash: 94db297dc635dca83878fa704339c21dc9f3c64ecef92d69638543063ba7719e
Instruction Fuzzy Hash: 4D61A4B0A08A1C9FDF95EF68C499A9DBBF1FB59305F5000A9D00DD7262DB35A881CF40

Function 00007FFB4B58F397 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fde782fd8c1a3d52c9126f866c1b2f7d78bd532e401ed39f5006e81e767e11
Instruction ID: c14ca796d4e2b6bd8f554340e9e1fa1b7b1339e275492b6c4cbe23255128551b
Opcode Fuzzy Hash: b4fde782fd8c1a3d52c9126f866c1b2f7d78bd532e401ed39f5006e81e767e11
Instruction Fuzzy Hash: D941F371A0860E8BDF18EF68D4606FDB3B0FF58311F10867AD41DD3196CA39AA55CB50

Function 00007FFB4B580B0D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e8bba341fb2514a1ac067c574607cda3291f96f1a9309c6a6b4a448eeaf553
Instruction ID: 64dcf15afc634b55e0e8edfbfe09c08c30659e37dd75d5f3c1109710064ce4a7
Opcode Fuzzy Hash: 16e8bba341fb2514a1ac067c574607cda3291f96f1a9309c6a6b4a448eeaf553
Instruction Fuzzy Hash: 75316DA291C64D8FE751BB7CD8611ECBBA1EF85214F0841BAC289D71E3DD24280787B0

Function 00007FFB4B580B30 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a3f250b50947c7edb70f72dd781a14b0bc0636f1779ed24ae7a0bddd812806
Instruction ID: 373ca45b1bc9811060af38fabfb288f2359ef42f06d53997994b9642196f91b8
Opcode Fuzzy Hash: 42a3f250b50947c7edb70f72dd781a14b0bc0636f1779ed24ae7a0bddd812806
Instruction Fuzzy Hash: 7A310AA2A1DA4D8FEB91BB78D8612ECF7A1EF84215F0841B5D199D71E3DD2428078770

Function 00007FFB4B580B38 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45488a3e2b5e8da1c9e93c017d96262a98c6ac126ad62532ca61ea16e48cba1d
Instruction ID: bc1d1aeea85720b1407df7eab9dd07171ba3bb807b2c9c595afebca805d621e3
Opcode Fuzzy Hash: 45488a3e2b5e8da1c9e93c017d96262a98c6ac126ad62532ca61ea16e48cba1d
Instruction Fuzzy Hash: 4F31F7A2A1DA4D4BEB91BA78D8652ECF7A1EF84211F0840B5D199D71E3DD2428078770

Function 00007FFB4B580B40 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de80c316a33522b330d765d9a2d8db9cfe1af7086b3574b8f6dbfe1e91ee66da
Instruction ID: 8ea7de1bcf6baa68e8f1e9771f035be31a6e1a028180677bfe1e05c5510c3ae6
Opcode Fuzzy Hash: de80c316a33522b330d765d9a2d8db9cfe1af7086b3574b8f6dbfe1e91ee66da
Instruction Fuzzy Hash: 4A3104A2A1DA4D4BEB91BA38D8652ECB7A1EF84210F0840B5D19AD71E3DD2428078B70

Function 00007FFB4B580B48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a978ed233577f7ff2e641bf446c9dd0c05aa6cfeeb680ead772ec4c9d655827c
Instruction ID: e1b23fad9802a9fa77b238ae6b61a4f7a817dbdca1721d7f113e9a4b8381fbfd
Opcode Fuzzy Hash: a978ed233577f7ff2e641bf446c9dd0c05aa6cfeeb680ead772ec4c9d655827c
Instruction Fuzzy Hash: 8121F6A291D64D4FEB91BA38D8652ECB7A1EF84200F0441B5D15AD71E3DD2428478771

Function 00007FFB4B580B50 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34188542c774d233f00ea0fc05253f324bee6b55bf1962f454ea58980e3bb5e1
Instruction ID: ed6edd3435d3d735b43abd21459c4dfad76cd10c17743d345089d29c5a1b095d
Opcode Fuzzy Hash: 34188542c774d233f00ea0fc05253f324bee6b55bf1962f454ea58980e3bb5e1
Instruction Fuzzy Hash: 262106A191D68D8FEB91BB78D8652ECBBB1FF88300F0841B5D15AD31E3DD2828468771

Function 00007FFB4B58B10F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e4589457e5efda3542e458d37ca50084f1aabff26f4d818fe51b66f8ed4ec6
Instruction ID: 641464e387d95b7a32fdc22c94d9a759cd28363d315199cfdf26412588fccabd
Opcode Fuzzy Hash: 36e4589457e5efda3542e458d37ca50084f1aabff26f4d818fe51b66f8ed4ec6
Instruction Fuzzy Hash: F12117B0C1861E8FEB56EF65C850BEDB7B5BF44300F1081A8D519A7295CB386A96CF40

Function 00007FFB4B58B0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd939694f27d1a49b53e088615863bde632759f3da04f49f9bb294301a1576ae
Instruction ID: 24952b76cab44ea2f6fec0b09758361a4cbeb51cfb7a15afdfab1a110490e30c
Opcode Fuzzy Hash: cd939694f27d1a49b53e088615863bde632759f3da04f49f9bb294301a1576ae
Instruction Fuzzy Hash: 320140B0D1861A8BEF9AEF68C950BEDF7B5FF44304F1041A8D529D31A1CB356A568B40

Function 00007FFB4B58B0FC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f578b79954711b2ad5fe1751619368380aacf45b04b072ebd8b67f5c94812da5
Instruction ID: ecd6b44f5b8226ba841ad2da4270235b52e1a7bfa2697298ded97bb8557f046d
Opcode Fuzzy Hash: f578b79954711b2ad5fe1751619368380aacf45b04b072ebd8b67f5c94812da5
Instruction Fuzzy Hash: 11015AB0C086198FDB9ADF68C550BADF7B5FF48304F1041A8D519932A0DB346A528B40

Function 00007FFB4B58B106 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37f84b92cfc8e497172e0fc44b37dfec958329697675704224915f3636df070
Instruction ID: 65d3bd8f3a594d013dbf4e0e4235dd417e54b0997fecc3613b89786e56474c1f
Opcode Fuzzy Hash: c37f84b92cfc8e497172e0fc44b37dfec958329697675704224915f3636df070
Instruction Fuzzy Hash: 85F03CB0C1860A8BEF9AEF68C551BEDB7B5FF04300F1041A8D519972A1CB356A568B40

Function 00007FFB4B58D9C7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1900525bc8512e26b2529cccdddce5326a68b538151f8b4ee0e529cb1a2fb464
Instruction ID: a3a762ac40dd248240222577566eb0f1fd895ad64951d7254e90586d6b308968
Opcode Fuzzy Hash: 1900525bc8512e26b2529cccdddce5326a68b538151f8b4ee0e529cb1a2fb464
Instruction Fuzzy Hash: 36F01DB1C081168BEB58EE24C9656F8B2B0EF51310F1441BEC12E972F2DE342A9A9E50

Function 00007FFB4B58DA4B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22501b95bbfdc41d302a5143dbb54daf81f723779cf292bf9bd414278f51a002
Instruction ID: c9bf438de5b5202caa9c400a2330d3f5925ee779f8ac983a9388c5ec31890436
Opcode Fuzzy Hash: 22501b95bbfdc41d302a5143dbb54daf81f723779cf292bf9bd414278f51a002
Instruction Fuzzy Hash: 00E0C0B1C0851A8BEB59EE64C8A56E8B2B0EF10301F1041FED51ED61E2EE342A96DE50

Non-executed Functions

Function 00007FFB4B5881EF Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0007263344e26a2a1d205a9929674f27e8b38e1c76ab07048e5a07004803cc1
Instruction ID: 9d794e9f8b552fe85bd868b7a7e8a68891b61dc72903e8ccb6231741efaf17be
Opcode Fuzzy Hash: f0007263344e26a2a1d205a9929674f27e8b38e1c76ab07048e5a07004803cc1
Instruction Fuzzy Hash: E052E870D0852D8FDBA9EF64C894BE9B7B1FF58305F5041A9D41EA7292CB35AA81CF10

Function 00007FFB4B58046D Relevance: 5.2, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

haGK, xrefs: 00007FFB4B580481
eGK, xrefs: 00007FFB4B5804D1
@fGK, xrefs: 00007FFB4B580511
heGK, xrefs: 00007FFB4B5804E1

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: eGK$@fGK$haGK$heGK
API String ID: 0-701379645
Opcode ID: 8cbc0d5283e2498cfbe21aef4b8a6857c213dcb2988448afaa1e274bd95927cd
Instruction ID: 67ec8e4a4a2aef7344028068338817d2cb4a2b976c8d7029161eaabe82c98476
Opcode Fuzzy Hash: 8cbc0d5283e2498cfbe21aef4b8a6857c213dcb2988448afaa1e274bd95927cd
Instruction Fuzzy Hash: DA51D6C360E6D25BE35636BCFD261E8AF81DF8266471C81F7E1DC860A7A864580782E1

Function 00007FFB4B5814BA Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

xJGK, xrefs: 00007FFB4B581550
xJGK, xrefs: 00007FFB4B5815A8
PXK, xrefs: 00007FFB4B58152D
xJGK, xrefs: 00007FFB4B581586

Memory Dump Source

Source File: 00000002.00000002.3852217469.00007FFB4B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b580000_scan copy.jbxd

Similarity

API ID:
String ID: PXK$xJGK$xJGK$xJGK
API String ID: 0-1274581284
Opcode ID: 1eded18e33d5eca960b1ed5ba7249115adb8598c7632395a6d07c01098469eeb
Instruction ID: 0b8cdcb0715639579a623b1534df2f95e8e52118b5ce62d0ce1d4ae38979a06b
Opcode Fuzzy Hash: 1eded18e33d5eca960b1ed5ba7249115adb8598c7632395a6d07c01098469eeb
Instruction Fuzzy Hash: B441AEB1D0CA4D8FEB56BF78C4656E8BBA1FF49300F0441B9D51AD3192CE3818558BA1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report scan copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scan copy.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
scan copy.exe