Edit tour

Windows Analysis Report
H3fwQALXDX.exe

Overview

General Information

Sample name:	H3fwQALXDX.exe renamed because original name is a hash value
Original sample name:	ce8d8f5b2708fb0a26ac9ce32c303779179ff58297279c834fd8220b77154680.exe
Analysis ID:	1465391
MD5:	27af175b8006ce6c2376748b21748412
SHA1:	ec6b0f34dbe9294a82dcc379b3de2b744f5d65ea
SHA256:	ce8d8f5b2708fb0a26ac9ce32c303779179ff58297279c834fd8220b77154680
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

H3fwQALXDX.exe (PID: 4540 cmdline: "C:\Users\user\Desktop\H3fwQALXDX.exe" MD5: 27AF175B8006CE6C2376748B21748412)

RegAsm.exe (PID: 5076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 2688 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 2524 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "county@valleycountysar.org", "Password": "iU0Ta!$K8L51", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14848:$a1: get_encryptedPassword 0x14b34:$a2: get_encryptedUsername 0x14654:$a3: get_timePasswordChanged 0x1474f:$a4: get_passwordField 0x1485e:$a5: set_encryptedPassword 0x15e43:$a7: get_logins 0x15da6:$a10: KeyLoggerEventArgs 0x15a3f:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18120:$x1: $%SMTPDV$ 0x18186:$x2: $#TheHashHere%& 0x197d7:$x3: %FTPDV$ 0x198cb:$x4: $%TelegramDv$ 0x15a3f:$x5: KeyLoggerEventArgs 0x15da6:$x5: KeyLoggerEventArgs 0x197fb:$m2: Clipboard Logs ID 0x19a1b:$m2: Screenshot Logs ID 0x19b2b:$m2: keystroke Logs ID 0x19e05:$m3: SnakePW 0x199f3:$m4: \SnakeKeylogger\
00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd62a8:$a1: get_encryptedPassword 0xf6cd8:$a1: get_encryptedPassword 0x117918:$a1: get_encryptedPassword 0xd6594:$a2: get_encryptedUsername 0xf6fc4:$a2: get_encryptedUsername 0x117c04:$a2: get_encryptedUsername 0xd60b4:$a3: get_timePasswordChanged 0xf6ae4:$a3: get_timePasswordChanged 0x117724:$a3: get_timePasswordChanged 0xd61af:$a4: get_passwordField 0xf6bdf:$a4: get_passwordField 0x11781f:$a4: get_passwordField 0xd62be:$a5: set_encryptedPassword 0xf6cee:$a5: set_encryptedPassword 0x11792e:$a5: set_encryptedPassword 0xd78a3:$a7: get_logins 0xf82d3:$a7: get_logins 0x118f13:$a7: get_logins 0xd7806:$a10: KeyLoggerEventArgs 0xf8236:$a10: KeyLoggerEventArgs 0x118e76:$a10: KeyLoggerEventArgs
00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xd9b80:$x1: $%SMTPDV$ 0xfa5b0:$x1: $%SMTPDV$ 0x11b1f0:$x1: $%SMTPDV$ 0xd9be6:$x2: $#TheHashHere%& 0xfa616:$x2: $#TheHashHere%& 0x11b256:$x2: $#TheHashHere%& 0xdb237:$x3: %FTPDV$ 0xfbc67:$x3: %FTPDV$ 0x11c8a7:$x3: %FTPDV$ 0xdb32b:$x4: $%TelegramDv$ 0xfbd5b:$x4: $%TelegramDv$ 0x11c99b:$x4: $%TelegramDv$ 0xd749f:$x5: KeyLoggerEventArgs 0xd7806:$x5: KeyLoggerEventArgs 0xf7ecf:$x5: KeyLoggerEventArgs 0xf8236:$x5: KeyLoggerEventArgs 0x118b0f:$x5: KeyLoggerEventArgs 0x118e76:$x5: KeyLoggerEventArgs 0xdb25b:$m2: Clipboard Logs ID 0xdb47b:$m2: Screenshot Logs ID 0xdb58b:$m2: keystroke Logs ID
Process Memory Space: H3fwQALXDX.exe PID: 4540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H3fwQALXDX.exe PID: 4540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: H3fwQALXDX.exe PID: 4540	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: H3fwQALXDX.exe PID: 4540	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4359b:$a1: get_encryptedPassword 0x437a4:$a2: get_encryptedUsername 0x433d7:$a3: get_timePasswordChanged 0x434b9:$a4: get_passwordField 0x435b1:$a5: set_encryptedPassword 0x452de:$a7: get_logins 0x4525f:$a10: KeyLoggerEventArgs 0x44fe3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: H3fwQALXDX.exe PID: 4540	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x44fe3:$x5: KeyLoggerEventArgs 0x4525f:$x5: KeyLoggerEventArgs 0x457e1:$x5: KeyLoggerEventArgs 0x45b15:$x5: KeyLoggerEventArgs 0x4734b:$m2: Clipboard Logs ID 0x47442:$m2: Screenshot Logs ID 0x47498:$m2: keystroke Logs ID 0x475cd:$m3: SnakePW 0x4742e:$m4: \SnakeKeylogger\
Process Memory Space: RegAsm.exe PID: 5076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5076	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 5076	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e030:$a1: get_encryptedPassword 0x1e312:$a2: get_encryptedUsername 0x1de46:$a3: get_timePasswordChanged 0x1df41:$a4: get_passwordField 0x1e046:$a5: set_encryptedPassword 0x20430:$a7: get_logins 0x20393:$a10: KeyLoggerEventArgs 0x2002c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 5076	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2002c:$x5: KeyLoggerEventArgs 0x20393:$x5: KeyLoggerEventArgs 0x20950:$x5: KeyLoggerEventArgs 0x20c84:$x5: KeyLoggerEventArgs 0x22596:$m2: Clipboard Logs ID 0x2268d:$m2: Screenshot Logs ID 0x226e3:$m2: keystroke Logs ID 0x22818:$m3: SnakePW 0x22679:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a48:$a1: get_encryptedPassword 0x14d34:$a2: get_encryptedUsername 0x14854:$a3: get_timePasswordChanged 0x1494f:$a4: get_passwordField 0x14a5e:$a5: set_encryptedPassword 0x16043:$a7: get_logins 0x15fa6:$a10: KeyLoggerEventArgs 0x15c3f:$a11: KeyLoggerEventArgsEventHandler
2.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3d5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b607:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba3a:$a4: \Orbitum\User Data\Default\Login Data 0x1ca79:$a5: \Kometa\User Data\Default\Login Data
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155db:$s1: UnHook 0x155e2:$s2: SetHook 0x155ea:$s3: CallNextHook 0x155f7:$s4: _hook
2.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18320:$x1: $%SMTPDV$ 0x18386:$x2: $#TheHashHere%& 0x199d7:$x3: %FTPDV$ 0x19acb:$x4: $%TelegramDv$ 0x15c3f:$x5: KeyLoggerEventArgs 0x15fa6:$x5: KeyLoggerEventArgs 0x199fb:$m2: Clipboard Logs ID 0x19c1b:$m2: Screenshot Logs ID 0x19d2b:$m2: keystroke Logs ID 0x1a005:$m3: SnakePW 0x19bf3:$m4: \SnakeKeylogger\
0.2.H3fwQALXDX.exe.38da860.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H3fwQALXDX.exe.38da860.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.H3fwQALXDX.exe.38da860.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c48:$a1: get_encryptedPassword 0x12f34:$a2: get_encryptedUsername 0x12a54:$a3: get_timePasswordChanged 0x12b4f:$a4: get_passwordField 0x12c5e:$a5: set_encryptedPassword 0x14243:$a7: get_logins 0x141a6:$a10: KeyLoggerEventArgs 0x13e3f:$a11: KeyLoggerEventArgsEventHandler
0.2.H3fwQALXDX.exe.38da860.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5d5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19807:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c3a:$a4: \Orbitum\User Data\Default\Login Data 0x1ac79:$a5: \Kometa\User Data\Default\Login Data
0.2.H3fwQALXDX.exe.38da860.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137db:$s1: UnHook 0x137e2:$s2: SetHook 0x137ea:$s3: CallNextHook 0x137f7:$s4: _hook
0.2.H3fwQALXDX.exe.38da860.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16520:$x1: $%SMTPDV$ 0x16586:$x2: $#TheHashHere%& 0x17bd7:$x3: %FTPDV$ 0x17ccb:$x4: $%TelegramDv$ 0x13e3f:$x5: KeyLoggerEventArgs 0x141a6:$x5: KeyLoggerEventArgs 0x17bfb:$m2: Clipboard Logs ID 0x17e1b:$m2: Screenshot Logs ID 0x17f2b:$m2: keystroke Logs ID 0x18205:$m3: SnakePW 0x17df3:$m4: \SnakeKeylogger\
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a48:$a1: get_encryptedPassword 0x35478:$a1: get_encryptedPassword 0x560b8:$a1: get_encryptedPassword 0x14d34:$a2: get_encryptedUsername 0x35764:$a2: get_encryptedUsername 0x563a4:$a2: get_encryptedUsername 0x14854:$a3: get_timePasswordChanged 0x35284:$a3: get_timePasswordChanged 0x55ec4:$a3: get_timePasswordChanged 0x1494f:$a4: get_passwordField 0x3537f:$a4: get_passwordField 0x55fbf:$a4: get_passwordField 0x14a5e:$a5: set_encryptedPassword 0x3548e:$a5: set_encryptedPassword 0x560ce:$a5: set_encryptedPassword 0x16043:$a7: get_logins 0x36a73:$a7: get_logins 0x576b3:$a7: get_logins 0x15fa6:$a10: KeyLoggerEventArgs 0x369d6:$a10: KeyLoggerEventArgs 0x57616:$a10: KeyLoggerEventArgs
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3d5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce05:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5da45:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b607:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c037:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cc77:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba3a:$a4: \Orbitum\User Data\Default\Login Data 0x3c46a:$a4: \Orbitum\User Data\Default\Login Data 0x5d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x1ca79:$a5: \Kometa\User Data\Default\Login Data 0x3d4a9:$a5: \Kometa\User Data\Default\Login Data 0x5e0e9:$a5: \Kometa\User Data\Default\Login Data
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155db:$s1: UnHook 0x3600b:$s1: UnHook 0x56c4b:$s1: UnHook 0x155e2:$s2: SetHook 0x36012:$s2: SetHook 0x56c52:$s2: SetHook 0x155ea:$s3: CallNextHook 0x3601a:$s3: CallNextHook 0x56c5a:$s3: CallNextHook 0x155f7:$s4: _hook 0x36027:$s4: _hook 0x56c67:$s4: _hook
0.2.H3fwQALXDX.exe.38da860.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18320:$x1: $%SMTPDV$ 0x38d50:$x1: $%SMTPDV$ 0x59990:$x1: $%SMTPDV$ 0x18386:$x2: $#TheHashHere%& 0x38db6:$x2: $#TheHashHere%& 0x599f6:$x2: $#TheHashHere%& 0x199d7:$x3: %FTPDV$ 0x3a407:$x3: %FTPDV$ 0x5b047:$x3: %FTPDV$ 0x19acb:$x4: $%TelegramDv$ 0x3a4fb:$x4: $%TelegramDv$ 0x5b13b:$x4: $%TelegramDv$ 0x15c3f:$x5: KeyLoggerEventArgs 0x15fa6:$x5: KeyLoggerEventArgs 0x3666f:$x5: KeyLoggerEventArgs 0x369d6:$x5: KeyLoggerEventArgs 0x572af:$x5: KeyLoggerEventArgs 0x57616:$x5: KeyLoggerEventArgs 0x199fb:$m2: Clipboard Logs ID 0x19c1b:$m2: Screenshot Logs ID 0x19d2b:$m2: keystroke Logs ID
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa64f8:$a1: get_encryptedPassword 0xc6f28:$a1: get_encryptedPassword 0xe7b68:$a1: get_encryptedPassword 0xa67e4:$a2: get_encryptedUsername 0xc7214:$a2: get_encryptedUsername 0xe7e54:$a2: get_encryptedUsername 0xa6304:$a3: get_timePasswordChanged 0xc6d34:$a3: get_timePasswordChanged 0xe7974:$a3: get_timePasswordChanged 0xa63ff:$a4: get_passwordField 0xc6e2f:$a4: get_passwordField 0xe7a6f:$a4: get_passwordField 0xa650e:$a5: set_encryptedPassword 0xc6f3e:$a5: set_encryptedPassword 0xe7b7e:$a5: set_encryptedPassword 0xa7af3:$a7: get_logins 0xc8523:$a7: get_logins 0xe9163:$a7: get_logins 0xa7a56:$a10: KeyLoggerEventArgs 0xc8486:$a10: KeyLoggerEventArgs 0xe90c6:$a10: KeyLoggerEventArgs
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa708b:$s1: UnHook 0xc7abb:$s1: UnHook 0xe86fb:$s1: UnHook 0xa7092:$s2: SetHook 0xc7ac2:$s2: SetHook 0xe8702:$s2: SetHook 0xa709a:$s3: CallNextHook 0xc7aca:$s3: CallNextHook 0xe870a:$s3: CallNextHook 0xa70a7:$s4: _hook 0xc7ad7:$s4: _hook 0xe8717:$s4: _hook
0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa9dd0:$x1: $%SMTPDV$ 0xca800:$x1: $%SMTPDV$ 0xeb440:$x1: $%SMTPDV$ 0xa9e36:$x2: $#TheHashHere%& 0xca866:$x2: $#TheHashHere%& 0xeb4a6:$x2: $#TheHashHere%& 0xab487:$x3: %FTPDV$ 0xcbeb7:$x3: %FTPDV$ 0xecaf7:$x3: %FTPDV$ 0xab57b:$x4: $%TelegramDv$ 0xcbfab:$x4: $%TelegramDv$ 0xecbeb:$x4: $%TelegramDv$ 0xa76ef:$x5: KeyLoggerEventArgs 0xa7a56:$x5: KeyLoggerEventArgs 0xc811f:$x5: KeyLoggerEventArgs 0xc8486:$x5: KeyLoggerEventArgs 0xe8d5f:$x5: KeyLoggerEventArgs 0xe90c6:$x5: KeyLoggerEventArgs 0xab4ab:$m2: Clipboard Logs ID 0xab6cb:$m2: Screenshot Logs ID 0xab7db:$m2: keystroke Logs ID
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd6128:$a1: get_encryptedPassword 0xf6b58:$a1: get_encryptedPassword 0x117798:$a1: get_encryptedPassword 0xd6414:$a2: get_encryptedUsername 0xf6e44:$a2: get_encryptedUsername 0x117a84:$a2: get_encryptedUsername 0xd5f34:$a3: get_timePasswordChanged 0xf6964:$a3: get_timePasswordChanged 0x1175a4:$a3: get_timePasswordChanged 0xd602f:$a4: get_passwordField 0xf6a5f:$a4: get_passwordField 0x11769f:$a4: get_passwordField 0xd613e:$a5: set_encryptedPassword 0xf6b6e:$a5: set_encryptedPassword 0x1177ae:$a5: set_encryptedPassword 0xd7723:$a7: get_logins 0xf8153:$a7: get_logins 0x118d93:$a7: get_logins 0xd7686:$a10: KeyLoggerEventArgs 0xf80b6:$a10: KeyLoggerEventArgs 0x118cf6:$a10: KeyLoggerEventArgs
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xd6cbb:$s1: UnHook 0xf76eb:$s1: UnHook 0x11832b:$s1: UnHook 0xd6cc2:$s2: SetHook 0xf76f2:$s2: SetHook 0x118332:$s2: SetHook 0xd6cca:$s3: CallNextHook 0xf76fa:$s3: CallNextHook 0x11833a:$s3: CallNextHook 0xd6cd7:$s4: _hook 0xf7707:$s4: _hook 0x118347:$s4: _hook
0.2.H3fwQALXDX.exe.3819180.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xd9a00:$x1: $%SMTPDV$ 0xfa430:$x1: $%SMTPDV$ 0x11b070:$x1: $%SMTPDV$ 0xd9a66:$x2: $#TheHashHere%& 0xfa496:$x2: $#TheHashHere%& 0x11b0d6:$x2: $#TheHashHere%& 0xdb0b7:$x3: %FTPDV$ 0xfbae7:$x3: %FTPDV$ 0x11c727:$x3: %FTPDV$ 0xdb1ab:$x4: $%TelegramDv$ 0xfbbdb:$x4: $%TelegramDv$ 0x11c81b:$x4: $%TelegramDv$ 0xd731f:$x5: KeyLoggerEventArgs 0xd7686:$x5: KeyLoggerEventArgs 0xf7d4f:$x5: KeyLoggerEventArgs 0xf80b6:$x5: KeyLoggerEventArgs 0x11898f:$x5: KeyLoggerEventArgs 0x118cf6:$x5: KeyLoggerEventArgs 0xdb0db:$m2: Clipboard Logs ID 0xdb2fb:$m2: Screenshot Logs ID 0xdb40b:$m2: keystroke Logs ID
Click to see the 27 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H3fwQALXDX.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "county@valleycountysar.org", "Password": "iU0Ta!$K8L51", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: H3fwQALXDX.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: H3fwQALXDX.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: H3fwQALXDX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: H3fwQALXDX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: H3fwQALXDX.exe, 00000000.00000002.2099876260.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, H3fwQALXDX.exe, 00000000.00000002.2100894195.0000000005180000.00000004.08000000.00040000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000002.00000002.2210106692.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: H3fwQALXDX.exe, 00000000.00000002.2100700285.0000000004E40000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_f84bd3d2-0

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01766108	2_2_01766108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176C192	2_2_0176C192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176C470	2_2_0176C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176B4F2	2_2_0176B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176C752	2_2_0176C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01766730	2_2_01766730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01769858	2_2_01769858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176BBD6	2_2_0176BBD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176CA32	2_2_0176CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01764AD9	2_2_01764AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0176BEB7	2_2_0176BEB7

Source: H3fwQALXDX.exe, 00000000.00000000.2093393333.0000000000558000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMergin.exe. vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2099876260.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBienvenida.exe6 vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2099876260.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2100700285.0000000004E40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2098813484.00000000008F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2098840835.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2100894195.0000000005180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBienvenida.exe6 vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs H3fwQALXDX.exe
Source: H3fwQALXDX.exe	Binary or memory string: OriginalFilenameMergin.exe. vs H3fwQALXDX.exe

Source: H3fwQALXDX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: H3fwQALXDX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, Level.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, -c--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, -c--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, Level.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.H3fwQALXDX.exe.4e40000.5.raw.unpack, Level.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@2/2

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3fwQALXDX.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03

Source: H3fwQALXDX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: H3fwQALXDX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H3fwQALXDX.exe

ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\H3fwQALXDX.exe "C:\Users\user\Desktop\H3fwQALXDX.exe"
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: H3fwQALXDX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: H3fwQALXDX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: H3fwQALXDX.exe, TransferProgress.cs

.Net Code: LoadAndDecryptAssembly System.Reflection.Assembly.Load(byte[])

Source: H3fwQALXDX.exe

Static PE information: 0xAB25B554 [Mon Dec 27 12:13:08 2060 UTC]

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Code function: 0_2_0266C6E3 push 14418B02h; ret	0_2_0266C6F3
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Code function: 0_2_0266B1C0 push 24418B02h; ret	0_2_0266B1D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_017624B9 push 8BFFFFFFh; retf	2_2_017624BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_017629F5 push es; retf	2_2_017629F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01762A66 push es; retf	2_2_01762A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01762A15 push es; retf	2_2_01762A17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01762A81 push es; retf	2_2_01762A88

Source: H3fwQALXDX.exe

Static PE information: section name: .text entropy: 7.940541610243708

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Memory allocated: 47E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5140000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599440	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597371	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594515	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7966			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1888			Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1492	Thread sleep count: 7966 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1492	Thread sleep count: 1888 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599440s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597371s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -597030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596373s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -596044s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595389s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -594515s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599440	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597371	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594515	Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2209639384.000000000151F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrue"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Queries volume information: C:\Users\user\Desktop\H3fwQALXDX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3fwQALXDX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H3fwQALXDX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.38da860.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3848db0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H3fwQALXDX.exe.3819180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H3fwQALXDX.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5076, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
H3fwQALXDX.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
H3fwQALXDX.exe	100%	Avira	HEUR/AGEN.1308654
H3fwQALXDX.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegAsm.exe, 00000002.00000002.2210106692.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003246000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	RegAsm.exe, 00000002.00000002.2210106692.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003220000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	H3fwQALXDX.exe, 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2210106692.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465391
Start date and time:	2024-07-01 15:58:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H3fwQALXDX.exe renamed because original name is a hash value
Original Sample Name:	ce8d8f5b2708fb0a26ac9ce32c303779179ff58297279c834fd8220b77154680.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 5076 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: H3fwQALXDX.exe

Simulations

Behavior and APIs

Time	Type	Description
09:59:29	API Interceptor	81x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	DHL Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	640740cm.nyashka.top/providerEternalGameWindowstest.php
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/L69kvhYI/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/Txmfx0A2/download
	RITS Ref 3379-06.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/
193.122.6.168	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Prouduct list Specifictions.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_0071191023.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	new purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win64.PWSX-gen.18963.11831.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z26SZO98764590000000980.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	gB49zgUhr8.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	AdhP1WMUi5.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://webmail1.stormsedge.net/owa/service.svc/s/GetFileAttachment?id=AQMkAGMwMmFiOTE0LWQ5NzktNGE0Zi1iMGM1LTk0MmMzOTFkOWFiZQBGAAADlc4kQ%2BohlEKrqrljxlKVCAcAdJc2TJHT4kmUv1nAYVqHPQAAAgENAAAAdJc2TJHT4kmUv1nAYVqHPQAIOoZlWwAAAAESABAAXD0T7tDHs0qNRd1q6RSkXg%3D%3D&X-OWA-CANARY=sGBeAWNDQUKlLbLOAT0gQCqn7N7UmdwIRGBfhrj-axh_Ij0BMl3fKgjckXCzGSCTl-2kH-3ilbs.	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	1.1.1.1
	Quotation List Pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://trk-synovetra.com	Get hash	malicious	Unknown	Browse	104.22.73.81
	eI5vNtHF8L.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.145.174
	https://cts.vresp.com/c/?WaveCompliance/d919e57ba7/b5e5b2a536/185933d903/utm_source=abhi&utm_medium=hr&utm_campaign=email	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDQsm46O9kFlvnKqoGzIfloR1aubx-2BpaPkan085g1TWlqnKRafnst79cIl3u2RFk9aJO-2FVgEoVIaVfBClhSO76RqtEvuPV3-2Bpf-2FiE4PjnhlC2TtfLcH36qKmmJtOX1Ms3xA-3D-3DqrXL_CZFXUwGIHfHDnFkuwdEqd9ldwBL5R3mfX0imfBkwnA-2FEGZpbvh9SlDt7nr-2B4bsbfIdYM7miNaz9xWMHiZbIadDcFK5YXvN30mdgI7SgdCK0Ml3RqCBUjKTsLaC14pIU2XWWPlPEdeKQo2BRTcWgUO1OG21LYE2gUb8ddgQnAAl00gc8qN6JeqW7jC7gDYfWpr8CbgAWGyvzbORhQL2N-2FMQ-3D-3D	Get hash	malicious	Unknown	Browse	188.114.96.3
	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\H3fwQALXDX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:MxHKlYHKh3oIHKx1qHitHo6hAHKze0Hj
MD5:	1B6869C1B7FFE2691B415D60A088004E
SHA1:	D65C5293683E856ADA02D8F34B1B2CE07EAE707B
SHA-256:	BEE51687135C913F56858329E75BE03DE454DA5669891450A221567029FE9F06
SHA-512:	996C59693C3A5604CA7519A8E5CA1E77D0213E04FA77671623DA6452A9E42C13BBFE577F4EEA21DEE48D08B36E3F65432D6C943A1FE9F60336B8709ED21A6D2B
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.918620080272236
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	H3fwQALXDX.exe
File size:	218'112 bytes
MD5:	27af175b8006ce6c2376748b21748412
SHA1:	ec6b0f34dbe9294a82dcc379b3de2b744f5d65ea
SHA256:	ce8d8f5b2708fb0a26ac9ce32c303779179ff58297279c834fd8220b77154680
SHA512:	fa9692944fadd680c07bcfb6627f561f809e97142b41d98605c2d4034abf576ec87becd47eb4ad385d7c6d180a5d6264fe979446f4c152e4eb1fedd6e6fd69d4
SSDEEP:	3072:lhgaMehpuSXYIdP/1pnVLjIvwHyV9YOsUw2hIE3JoN8EheTgc33FgO:FBLrXzn1pnV/gse9yvbE5ovh3
TLSH:	2B240288E35EC157E8EE07BB839E10206D3BA6910C375F35174AC913DA35798E632BD9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.%...............0..J..........>h... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43683e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAB25B554 [Mon Dec 27 12:13:08 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x367ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x34844	0x34a00	d963ab9262e8ce881c785af693e4362d	False	0.8574033179928741	data	7.940541610243708	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x596	0x600	ff1de87c47fb30800120f0a066ceb5b9	False	0.4134114583333333	data	4.033944889526022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0xc	0x200	43781ac483fea49d3d8f0471aae8deb0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x380a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x383ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:59:28.428782940 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:28.436764002 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:28.436827898 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:28.437071085 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:28.442065954 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:29.077855110 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:29.081465960 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:29.086309910 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:29.368563890 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:29.415499926 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:29.431873083 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:29.431916952 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:29.432029009 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:29.436450958 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:29.436461926 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.095360994 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.095438957 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.101488113 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.101517916 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.101869106 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.149859905 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.164733887 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.208512068 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.275038004 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.275125027 CEST	443	49714	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.275196075 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.281110048 CEST	49714	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.285293102 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:30.290144920 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:30.480931997 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:30.484133959 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.484193087 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.484287024 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.484569073 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.484585047 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.524940968 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:30.963815928 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:30.966073990 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:30.966125011 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:31.119654894 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:31.119744062 CEST	443	49715	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:31.119793892 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:31.120718956 CEST	49715	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:31.126554012 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:31.128303051 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:31.131740093 CEST	80	49711	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:31.131792068 CEST	49711	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:31.133433104 CEST	80	49717	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:31.133498907 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:31.133589029 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:31.138386011 CEST	80	49717	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:31.788968086 CEST	80	49717	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:31.790285110 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:31.790344954 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:31.790436029 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:31.790698051 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:31.790713072 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:31.837399960 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.384293079 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:32.385960102 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:32.386013031 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:32.518182993 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:32.518285036 CEST	443	49718	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:32.518347025 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:32.518937111 CEST	49718	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:32.522082090 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.523370028 CEST	49719	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.527621984 CEST	80	49717	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:32.527757883 CEST	49717	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.528162956 CEST	80	49719	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:32.528244972 CEST	49719	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.528347015 CEST	49719	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:32.533055067 CEST	80	49719	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:33.163810015 CEST	80	49719	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:33.165446043 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.165512085 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.165577888 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.165913105 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.165935993 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.212354898 CEST	49719	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:33.642827988 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.644987106 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.645030975 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.795629025 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.795721054 CEST	443	49721	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:33.795790911 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.796277046 CEST	49721	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:33.800832987 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:33.805705070 CEST	80	49723	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:33.806029081 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:33.806482077 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:33.811263084 CEST	80	49723	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:34.454514027 CEST	80	49723	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:34.455868006 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:34.455919981 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:34.456146002 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:34.456401110 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:34.456414938 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:34.509231091 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:34.933615923 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:34.935604095 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:34.935640097 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:35.063219070 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:35.063311100 CEST	443	49725	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:35.063497066 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:35.063790083 CEST	49725	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:35.067507029 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:35.068831921 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:35.072630882 CEST	80	49723	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:35.072690964 CEST	49723	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:35.073595047 CEST	80	49726	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:35.073693991 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:35.073796034 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:35.078551054 CEST	80	49726	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:35.714473963 CEST	80	49726	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:35.715965033 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:35.716068029 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:35.716162920 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:35.716423035 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:35.716464996 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:35.759298086 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.196979046 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:36.198856115 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:36.198906898 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:36.349278927 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:36.349400043 CEST	443	49727	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:36.349673986 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:36.349987984 CEST	49727	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:36.353317022 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.354693890 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.358829021 CEST	80	49726	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:36.358921051 CEST	49726	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.360953093 CEST	80	49728	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:36.361037970 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.361140966 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:36.365926981 CEST	80	49728	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:37.009665966 CEST	80	49728	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:37.010984898 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.011034966 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.011110067 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.011354923 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.011368990 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.056149960 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.501404047 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.503232002 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.503263950 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.655432940 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.655540943 CEST	443	49729	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:37.655621052 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.656060934 CEST	49729	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:37.659298897 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.660460949 CEST	49730	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.664619923 CEST	80	49728	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:37.664699078 CEST	49728	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.665689945 CEST	80	49730	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:37.665767908 CEST	49730	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.665852070 CEST	49730	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:37.670567036 CEST	80	49730	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:38.320993900 CEST	80	49730	193.122.6.168	192.168.2.6
Jul 1, 2024 15:59:38.322487116 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:38.322532892 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:38.322619915 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:38.322869062 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:38.322884083 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:38.368638039 CEST	49730	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:38.966286898 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:38.967951059 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:38.967991114 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:39.124233961 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:39.124325991 CEST	443	49731	188.114.97.3	192.168.2.6
Jul 1, 2024 15:59:39.124443054 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:39.124970913 CEST	49731	443	192.168.2.6	188.114.97.3
Jul 1, 2024 15:59:39.296971083 CEST	49719	80	192.168.2.6	193.122.6.168
Jul 1, 2024 15:59:39.297399044 CEST	49730	80	192.168.2.6	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:59:28.386197090 CEST	56615	53	192.168.2.6	1.1.1.1
Jul 1, 2024 15:59:28.413419962 CEST	53	56615	1.1.1.1	192.168.2.6
Jul 1, 2024 15:59:29.410247087 CEST	65188	53	192.168.2.6	1.1.1.1
Jul 1, 2024 15:59:29.431157112 CEST	53	65188	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 15:59:28.386197090 CEST	192.168.2.6	1.1.1.1	0x855a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:29.410247087 CEST	192.168.2.6	1.1.1.1	0xb046	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:28.413419962 CEST	1.1.1.1	192.168.2.6	0x855a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:29.431157112 CEST	1.1.1.1	192.168.2.6	0xb046	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:59:29.431157112 CEST	1.1.1.1	192.168.2.6	0xb046	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:28.437071085 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 15:59:29.077855110 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fef76a508243b5ccc7c03fdf98b98da8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 15:59:29.081465960 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 15:59:29.368563890 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a5355a169542b84baed683fdad1e01eb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 15:59:30.285293102 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 15:59:30.480931997 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 69e3896359a7d5c87ecc01272a8ad910 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:31.133589029 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 15:59:31.788968086 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 52a2d2e89ad62cc5ec6a16727c511369 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:32.528347015 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 15:59:33.163810015 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6a372081db4bd76f2dab2c8078bbb41 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:33.806482077 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 15:59:34.454514027 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4f5ef19d684936dc6085474b715fcd6a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49726	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:35.073796034 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 15:59:35.714473963 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2f6edf57042eea887802a2519cce6944 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49728	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:36.361140966 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 15:59:37.009665966 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3563133683bd59749aaf44eaee6bb6f1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	193.122.6.168	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:59:37.665852070 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 15:59:38.320993900 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f5ac9b31ea968b9f54c6992168f2349f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 13:59:30 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84934 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7uiYG0HdpDKKMBlLUGztcPD6FHtEqMdhSvVEtKuS58hYkFOjsg5K7zjBamOlJnfJsH33ejUtD2%2FRJaoTlBPC7wSlLr0ga%2BmSYqbvZ%2BT%2BzpBtgP7jVq79oyTMZHDYYLOZVOX8vglF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eabdda0c0f89-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 13:59:31 UTC	714	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84935 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=An2vvXqjpTnbRXAB3dpFym7gXw2qFsjbJCQDcQJWA5xry7kB%2FOX4oTwnagwyP2vj7%2BskX36CW5v%2BGbu%2BNANtah%2BZZEgyZlOqn4w1uqXM%2FN7HYoOY4oVTsUIxBb47%2FY0FD2LAPaut"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eac31b0d8c6f-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49718	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 13:59:32 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84936 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jpbk6TQC3YnCYOBJA4l%2Bpn5IMNNWZAzI7Q2YfFGa9HjXMyXYbC8D5YH5nkOjGHRxH8BRRoFh%2F3uSF%2FstkGhDoCiJgtZLn8yjB2e4l3jg6aCT0kmN7N7ZRLrm5jN%2FFXlMj9iCHKHT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eacbda0e8c11-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49721	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 13:59:33 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84937 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ctjHkrVyWJ1MQLGwsZR1MRbqcSsjS7gsLyljJ5n%2BcdINWREDWRsyfZg7n%2FsEEssIHTD3RMhyHS8rjR2zwQf5wtFiPRi79opP55zDCOoV4Akz%2FyRE5qsHF5%2Frx%2BnzSPo6uvNzlBcK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6ead3d8274233-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:34 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 13:59:35 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84939 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GnylYtL3ngOB4tY9HEC1%2B3HslqFyLOhdsH0RI7nd0tB2UdJwB9CoPy5Uuj63iBp5mgPLEbZ60iWMNt53vezgLgqCDHe3tZtdyNfRZBmWoHQChmvV0rXy7EzKu%2FWer7%2Bno9NNRbHp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eadbcd80159f-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:36 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 13:59:36 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84940 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2BL8Prp6mV1DvnmblEQb%2BkRcQgrLP0NsEpRJO4%2B19TAauzp6hJq23uv2kLQexIm8PFW71IKHlEx2xREpHnr8o19ivQuoj0cFNviACGbNwSjByGE1Afwgp58dzp9A1kygBtW2LhoY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eae3caef8cbd-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49729	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:37 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 13:59:37 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84941 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=clIQ3sgXBzuxDEeffKkTlv%2FyAQwwdS2X91vbC%2F13t7ziEoy6kC9T63XIQMTLnvHIZ1%2Fi%2FFMcrmOc332rnbD%2BZPdtv5FeIkUtOHDip8syQggB08GSdCmghz3sZIAM0jtBAFYVXdA%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eaebe90015bb-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	188.114.97.3	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:59:38 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 13:59:39 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:59:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 84943 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=li9AxbenVWnpWl5dQp3qssiubQGkRQfdXdlwKS0j7R8Zq8H4Tej70NSOBsJR26hM5pkwGLY1RnErRNs%2F6wDTjVAKcMVfdJRRYrH0RRZ58OaHFpnOL9WfjLcJBEOp60NxSB2j2lSb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6eaf51f59196c-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 13:59:39 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 13:59:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:59:26
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\H3fwQALXDX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H3fwQALXDX.exe"
Imagebase:	0x520000
File size:	218'112 bytes
MD5 hash:	27AF175B8006CE6C2376748B21748412
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2100014086.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:59:26
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2208937849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2210106692.00000000032FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2210106692.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:59:38
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:59:38
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:59:38
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x950000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 0266C160 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0266C3C6

Strings

Lf, xrefs: 0266C2FE
Lf, xrefs: 0266C323

Memory Dump Source

Source File: 00000000.00000002.2099727355.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_H3fwQALXDX.jbxd

Similarity

API ID: HandleModule
String ID: Lf$Lf
API String ID: 4139908857-2878823118
Opcode ID: 934c6ffaa1d0762c8612f08be36684da210baf99c1bbe7f6dbdfd6d93efb3a42
Instruction ID: 190ba0969543e63bdb97f00d35a39273777f40412633ef8122a56a54c5ae9ea3
Opcode Fuzzy Hash: 934c6ffaa1d0762c8612f08be36684da210baf99c1bbe7f6dbdfd6d93efb3a42
Instruction Fuzzy Hash: 3E813370A00B059FD724DFAAD48976ABBF1BF88704F00892ED48AD7B40DB75E845CB94

Function 0266C148 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0266E326,?,?,?,?,?), ref: 0266E7EF

Memory Dump Source

Source File: 00000000.00000002.2099727355.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_H3fwQALXDX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c647e04f2c7f79a310b147688daf913d8c8dc8c390ba184c2777966efb0e902
Instruction ID: b957c025393b1c5352c2b2559da2c06bfd9d123482decd4c0cf53885b9e7f37c
Opcode Fuzzy Hash: 1c647e04f2c7f79a310b147688daf913d8c8dc8c390ba184c2777966efb0e902
Instruction Fuzzy Hash: 9821E3B5900349DFDB10CFAAD984AEEBFF4EB48324F14801AE914A3310D379A954CFA4

Function 0266C5E0 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0266C441,00000800,00000000,00000000), ref: 0266C652

Memory Dump Source

Source File: 00000000.00000002.2099727355.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_H3fwQALXDX.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de7b46ce2251bad11d67914728ec75b90beba7ada60f9ffc2e5bbcf2eba4774
Instruction ID: a9059c4aacde7cfb43a8fc0f3ffd77c9e235e0d5606242ebc7ca1ed0d408a043
Opcode Fuzzy Hash: 4de7b46ce2251bad11d67914728ec75b90beba7ada60f9ffc2e5bbcf2eba4774
Instruction Fuzzy Hash: 751126B6D007499FDB10CFAAC448AEEFBF4FB48324F20842AD559A7200C375A545CFA5

Function 0266BD7C Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0266C441,00000800,00000000,00000000), ref: 0266C652

Memory Dump Source

Source File: 00000000.00000002.2099727355.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_H3fwQALXDX.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f1ac042dcb718dc106004d222237bf2b6a6ea05e5bda6408b80e0753b1fa0fea
Instruction ID: 39d6a5708bf6874fdf42a7760cdb7cfe8f745888319a514f67ad613f337c55b5
Opcode Fuzzy Hash: f1ac042dcb718dc106004d222237bf2b6a6ea05e5bda6408b80e0753b1fa0fea
Instruction Fuzzy Hash: 641114B69007498FDB10CF9AC448AEEFBF4EB58314F10842AE559A7300C3B5A545CFA5

Function 0266C360 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0266C3C6

Memory Dump Source

Source File: 00000000.00000002.2099727355.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_H3fwQALXDX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9c6a537e51a5e24dca658a6f43ab67a861f9ea50f3bae6d166c4ecbcbe7b8f0f
Instruction ID: e9514af52ec651ef1868db0f037045d747eb00c6405bd0aec189f94bf423088b
Opcode Fuzzy Hash: 9c6a537e51a5e24dca658a6f43ab67a861f9ea50f3bae6d166c4ecbcbe7b8f0f
Instruction Fuzzy Hash: 2C110FB6C007498FCB10DF9AD548A9EFBF4AB88224F14841AD468B7210C3B9A545CFA5

Function 00E3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2099387768.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_H3fwQALXDX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c78468f6058f476d907c3d7033a0517c183cc324c5908bb97fbde4e9ee0cf1b
Instruction ID: 8cad7128028c92427882756508ea6de7f42e61db9741fb670de1488c5dbe9813
Opcode Fuzzy Hash: 5c78468f6058f476d907c3d7033a0517c183cc324c5908bb97fbde4e9ee0cf1b
Instruction Fuzzy Hash: 7A210375508200DFCB18DF14E9C8B26BF66FB84B18F20C56DD90A5B292C376D806CE61

Function 00E3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2099387768.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_H3fwQALXDX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f85c1d69eca8dc7da488f945b037894536d50678c9fb5c08338269facc8f82
Instruction ID: 946848b7b9c65de7b5da757431ef3159c7f6693d5223091f12100161ef6d9177
Opcode Fuzzy Hash: b4f85c1d69eca8dc7da488f945b037894536d50678c9fb5c08338269facc8f82
Instruction Fuzzy Hash: 532141755093808FC716CF24D994715BF71AB46614F28C5DAD8498B6A7C33A980ACB62

Analysis Process: RegAsm.exePID: 5076, Parent PID: 4540COMMON

Executed Functions

Function 01769858 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f25dd5af21e17d0f67989cc4def47c8edbab4b2ad01fd16d2c9e03e69800843
Instruction ID: e88d27ff60f748d6b9377ef0c917cb86f290944ff40d4b9c56cbe398fc3a31fa
Opcode Fuzzy Hash: 5f25dd5af21e17d0f67989cc4def47c8edbab4b2ad01fd16d2c9e03e69800843
Instruction Fuzzy Hash: 98729131A00209DFCF15CF68C984AAEFBF6FF89354F158559E906AB2A2D730E941CB50

Function 01766108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bc862b707ee0e651213cc04eb2e0ca9e51821f0ee4f57914d79a5abb3c7eba
Instruction ID: 29c2a144b333a632d4b70a23a737e0ec49c634a211679834398bc254753d77a3
Opcode Fuzzy Hash: 13bc862b707ee0e651213cc04eb2e0ca9e51821f0ee4f57914d79a5abb3c7eba
Instruction Fuzzy Hash: 7D12BD70A002198FDB15DFA9C844BAEBBFAFF88310F548569E905DB395DB349D41CB90

Function 01766730 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31f25dc885c5c290d8b95801009d89decc9b1956a09c44eb2b22f2bc7ab053a
Instruction ID: f92f05d34cfacd83a18df8ede00765b844ddd56c07f071c095824484d66fa521
Opcode Fuzzy Hash: f31f25dc885c5c290d8b95801009d89decc9b1956a09c44eb2b22f2bc7ab053a
Instruction Fuzzy Hash: 01027E70A00209DFDB15CF69C984AAEFBBAFF89350F548469F905AB265D730ED41CB50

Function 0176C470 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7a3e276492eac28bd09a2d769ce682e15a1516f04a9f6b663e823f6c49899d
Instruction ID: e0ec138e58a98913d3b98b09b304888535ec9f080623a1b943c92e45e2483d03
Opcode Fuzzy Hash: 7b7a3e276492eac28bd09a2d769ce682e15a1516f04a9f6b663e823f6c49899d
Instruction Fuzzy Hash: D9910874E00208CFDB15CFAAD884A9DFBF2BF89310F149169D859AB365DB709981CF10

Function 0176B4F2 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032ba8989a126ff2586c4fecd62010b9ab463faa5f1af58d69b4cc2a24e5dd67
Instruction ID: f4b42e570d3b5f3520a10cc2452f17f1f456a8240ac512ee3dd4299363e23e58
Opcode Fuzzy Hash: 032ba8989a126ff2586c4fecd62010b9ab463faa5f1af58d69b4cc2a24e5dd67
Instruction Fuzzy Hash: BD81B274E00218CFDB14DFAAD994A9DFBF2BF89310F148169E809AB365DB349981CF10

Function 0176C752 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd32a732a7f1421026382d1184e76635681c012268aed2cc765b9d967258915d
Instruction ID: 3a5654fabd1577a07a42f335a1a7950921f5502e2f11b6a7611ce460776fbf42
Opcode Fuzzy Hash: cd32a732a7f1421026382d1184e76635681c012268aed2cc765b9d967258915d
Instruction Fuzzy Hash: D381C374E00218CFDB15DFAAD894A9DFBF2BF89310F148169E849AB265DB749981CF10

Function 01764AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25899d74a6fe8089f3d1ac29a12982f7410978ae57a62c2806c58b1c3fcb333
Instruction ID: 75bb4e1b779d633b218164a49a7ec7033ce1a4c13be62075f4abb5bbe7d9dbf3
Opcode Fuzzy Hash: f25899d74a6fe8089f3d1ac29a12982f7410978ae57a62c2806c58b1c3fcb333
Instruction Fuzzy Hash: 1781B474E00218DFDB54CFAAD884A9DFBF2BF89310F149169E819AB365DB745981CF10

Function 0176C192 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b41a818fffd511eef52e43aab6619ea5a16144b63d85850ae6a97800c862b
Instruction ID: c37b1676a25123560be269075a313098d4ad496838371995fa064c10931f0a9b
Opcode Fuzzy Hash: 192b41a818fffd511eef52e43aab6619ea5a16144b63d85850ae6a97800c862b
Instruction Fuzzy Hash: 8F81C274E00218CFDB15DFAAD884A9DFBF2BF89310F148169E849AB365DB749981CF11

Function 0176CA32 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7b7f6a7b8857ab190d63abc87945077c4e76b0a4a5244d9cfb7299052df803
Instruction ID: 23ab73883923e6431b08f206161185292a2c47bfc25eb4a5fcac3556de54201f
Opcode Fuzzy Hash: 6d7b7f6a7b8857ab190d63abc87945077c4e76b0a4a5244d9cfb7299052df803
Instruction Fuzzy Hash: EF81C374E00218CFDB15DFAAD984A9DFBF2BF88310F148169E849AB365DB349981CF10

Function 0176BEB7 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17419a7b827bdbfa5776ae721a56d4c10e812e11e5984ab42dc4ad3fbbb991e
Instruction ID: 17a5e4dbe9273fefb57aa673172f738b427823c147349552e3ab510037e27ca8
Opcode Fuzzy Hash: a17419a7b827bdbfa5776ae721a56d4c10e812e11e5984ab42dc4ad3fbbb991e
Instruction Fuzzy Hash: 4881B374E00218CFDB15DFAAD884A9DFBF2BF89300F149169E849AB365DB749981CF10

Function 0176BBD6 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0e9c948f735a785ee27bf49538c6fb8a3298598fe912b1870789759c264067
Instruction ID: aa39be01a4052bf856c0ace3566c42f0e572edf012e40fc9f4be4f85fa1a417b
Opcode Fuzzy Hash: 4e0e9c948f735a785ee27bf49538c6fb8a3298598fe912b1870789759c264067
Instruction Fuzzy Hash: 3E81B274E00258CFDB14DFAAD884A9DFBF2BF89300F149169E909AB365DB749981CF11

Function 017677F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f177003d7c062747f32e321c2339e3972b54141b7e311185f62326e8baaee5
Instruction ID: a251cf1d13c87d7ccd008b468427ef2867226a8b6d1ecf073ca93000c3834013
Opcode Fuzzy Hash: c2f177003d7c062747f32e321c2339e3972b54141b7e311185f62326e8baaee5
Instruction Fuzzy Hash: AD521E34A00219CFEB15DBE5C860B9EBB76FB94300F1081AAD61A6B3A5CF349D85DF51

Function 01766E58 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752454cb58dc7c3ea3b090e0f6bb2e3b4680aaad8e5f307eecde4de6bc1da16c
Instruction ID: 562ca53f1ce71e8d34a29273f5d9df358549879384bbd4782feae813864e2d33
Opcode Fuzzy Hash: 752454cb58dc7c3ea3b090e0f6bb2e3b4680aaad8e5f307eecde4de6bc1da16c
Instruction Fuzzy Hash: 19124930A00249DFDB19DF69C884A9EFBF6FF89358F148599E9099B261DB30ED41CB50

Function 01763214 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9979c9b944e146c70d3633179af47e8d4211ddc229afdeea6f608a69f31337cc
Instruction ID: 37210bb3b16e8e53ba0b52d677389719881754f18e9abd4b96d29623f902ea84
Opcode Fuzzy Hash: 9979c9b944e146c70d3633179af47e8d4211ddc229afdeea6f608a69f31337cc
Instruction Fuzzy Hash: 39D1EB7BDC8B520DCB278DBF895C03EEE767715310B18CA5F98ADE3A4AD561E904C242

Function 0176A818 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f131ab26a46ea9eac5e65848189400dcdcebd272894dc9f0bf7a714d527a0ca2
Instruction ID: f6b1ef44fd91a0abb5246a5be001963af05f31576da52491d2faa36d8645a2dd
Opcode Fuzzy Hash: f131ab26a46ea9eac5e65848189400dcdcebd272894dc9f0bf7a714d527a0ca2
Instruction Fuzzy Hash: 29F11C75A00215CFCB05CF6DC9849ADFBFABF89350B1A8459E919AB362CB71EC41CB50

Function 01760C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe54b6a88f03fa257c25ddc705f33d54cdd8eee35d3c799d46c65def45e581c
Instruction ID: e40fcef0e99ef6c438dcd9080f60faf1ea45ce2fafba7fc15731e3a524fd5af6
Opcode Fuzzy Hash: 9fe54b6a88f03fa257c25ddc705f33d54cdd8eee35d3c799d46c65def45e581c
Instruction Fuzzy Hash: 17220B78A0021ACFCB54DF65E994A9DBBB2FF88341F1085A9D819AB324DB346DC5CF40

Function 01760CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cba599d2f2deb39cf94c0667f88e75b59b931d1c931460280dd840a18cd7560
Instruction ID: d1bdf629f34fbb6a9d3603d1ed6f8c1aa1651b37ff1f9ab4f6c06df16f5475e9
Opcode Fuzzy Hash: 4cba599d2f2deb39cf94c0667f88e75b59b931d1c931460280dd840a18cd7560
Instruction Fuzzy Hash: 86220B78A0021ACFCB54DF65E994A9DBBB2FF88341F1085A9D919AB314DB746EC1CF40

Function 017687E9 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41159103bb4649b69e46964cffa059b1f09c3c359ef3bbb9ba7bf66bd1d18df
Instruction ID: fdf00e808df9aa266a53105a78aa42842c53136da25cf91d6849d01a8b854b60
Opcode Fuzzy Hash: f41159103bb4649b69e46964cffa059b1f09c3c359ef3bbb9ba7bf66bd1d18df
Instruction Fuzzy Hash: 63B152707543018FEB169B2CC954B3DBB9EEF85640F1804A6EA06DF3A1EA65CC41C753

Function 017656A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82b4e85ee09f36c449f11dfe970f4e5668f834f96ceaba18f7f673f35b4d967
Instruction ID: 46dada8d6f550260bf8f458f7f93f46c00eb90f0a02f2030c8baf9dc5a7c69aa
Opcode Fuzzy Hash: c82b4e85ee09f36c449f11dfe970f4e5668f834f96ceaba18f7f673f35b4d967
Instruction Fuzzy Hash: 3BB1CE30704215CFDB169F78D854B2EBBEAAF88390F148969E906CB391DB78DC41E790

Function 01765C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7f1b03ad0b4ac433df200567c6c29d80b7501a5f714b6b9eb6b55977427f66
Instruction ID: 7620fe38622cfd7bd5fd5e57c91751a959cd2dae23bf9afb48222decb4f57d73
Opcode Fuzzy Hash: af7f1b03ad0b4ac433df200567c6c29d80b7501a5f714b6b9eb6b55977427f66
Instruction Fuzzy Hash: F781A235B00106DFDB14CF6DC88896AFBBAFF89290B1485A9D905DB3A5DB31EC42DB50

Function 01767438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9ce2e9bafc0869dc9c02d971d794f093b4c4c5c2f81f1df445df7f9fb0b334
Instruction ID: 2a5a60789cb89da581bba3311e5f114c1e701d4efb826514ec8491b5305af1da
Opcode Fuzzy Hash: 4d9ce2e9bafc0869dc9c02d971d794f093b4c4c5c2f81f1df445df7f9fb0b334
Instruction Fuzzy Hash: E9711A34700245CFDB19DF2CC898A69BBE9AF49798F1540A9E902CB3B2DB74DC41CB91

Function 0176CEC7 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619b76d5b31fc24f8b4ee926357d3a101c789da39088e53ea8d8dfedd5f24b5
Instruction ID: 6b81ddbcb0801dc69881ea7c58164f0dc1b8bd209b8218f43682c039867c6e1d
Opcode Fuzzy Hash: e619b76d5b31fc24f8b4ee926357d3a101c789da39088e53ea8d8dfedd5f24b5
Instruction Fuzzy Hash: DB51C3708A130ACFCB262F20A6AC16ABB79FF5F3977416D44E01E8D825CBB154A5CF10

Function 0176CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76be9c9348fe4b12eac00af2dadd4b88b0f2e62cca66327e02e4b8baf674ea4
Instruction ID: b9f1fbf9ceb028cac00c2fa373e489b615d313a1e3498341be61b073eb334654
Opcode Fuzzy Hash: c76be9c9348fe4b12eac00af2dadd4b88b0f2e62cca66327e02e4b8baf674ea4
Instruction Fuzzy Hash: 2A5195708A130BCFCB262F20A6AC17ABB69FF5F3977406D14E11E8D8158BB154A5CF10

Function 017638F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4246491fd0037dfe7badb0aa3d24bd91218ad39e875a84f4e5190368285dc2f8
Instruction ID: 2d717aead44389505d688c23fdc59ca4d7369410ee445db4ce1f4837f1279533
Opcode Fuzzy Hash: 4246491fd0037dfe7badb0aa3d24bd91218ad39e875a84f4e5190368285dc2f8
Instruction Fuzzy Hash: 2F51C778E01248CFCB08DFA9D59499DBBB6FF8D311B249069E805AB324D7359D82CF50

Function 0176CD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13c59b91adaba1fdabae9a54b3d1f20ee83f6132f663a06c7047385411583fe
Instruction ID: d6bf1734efd0d448d47290eb826efe9a5f9f0f703b33f3dc99bd67b1adb70c76
Opcode Fuzzy Hash: c13c59b91adaba1fdabae9a54b3d1f20ee83f6132f663a06c7047385411583fe
Instruction Fuzzy Hash: 08518374E01208DFDB54DFAAD9849DDBBF2BF89310F24816AE809AB364DB309945CF50

Function 01763908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be23501afaaaaf75831f0117e877eb30f846476181e611af3aaf1827a5c3d369
Instruction ID: abdae17391ec4726188f9f8b41c9974bb15cc31e0c0ddc972cd207a21b1303b4
Opcode Fuzzy Hash: be23501afaaaaf75831f0117e877eb30f846476181e611af3aaf1827a5c3d369
Instruction Fuzzy Hash: 07519678E01248CFCB08DFA9D59499DBBB6FF8D311B609069E805AB324DB359D41CF50

Function 01769A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dee3d82ea94342ec9e86e3b256de892c3270edeeed427d5728c26ab4c0254a5
Instruction ID: 4c1cdffd11d275afae594b03e8ba6ed84282529d0083c30ccbc2464b822120e4
Opcode Fuzzy Hash: 8dee3d82ea94342ec9e86e3b256de892c3270edeeed427d5728c26ab4c0254a5
Instruction Fuzzy Hash: 5051A031A04249DFCF12CFA8C844A9DFFB6AF49358F048596EE159F296D331E910CBA0

Function 0176A650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac3e53e79afb5487d7cb7fdfa325844c2bbdbd031241b5ce7e04855d9fa8bc1
Instruction ID: f657b4e5e28ecf07f6e32271dbbc0bc909b1ff37985a57d053c881395797c7e7
Opcode Fuzzy Hash: 3ac3e53e79afb5487d7cb7fdfa325844c2bbdbd031241b5ce7e04855d9fa8bc1
Instruction Fuzzy Hash: C84109357042489FCB069B79D8546AEBFF6BFCD660F1844A9D906EB395CE349C01CBA0

Function 01764DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46fbb6044c085be9fdbc06036fdfdb1f263a60e10b6200d2e729ed24208aeb41
Instruction ID: 71d03fe55c44cf57d8c6c5b7a97b1a83b837147dcc8d3bdff9ccb8fe3803d0c8
Opcode Fuzzy Hash: 46fbb6044c085be9fdbc06036fdfdb1f263a60e10b6200d2e729ed24208aeb41
Instruction Fuzzy Hash: FC31737564410AEFCF069F69E854AAFBFA6FB98250F004429FD168B254CB35CD61CBA0

Function 017676D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdec86a73e1e17f1e967f1dd5f315c5618466891d0aff8b981c7c4642947b4c
Instruction ID: a5f4e02823e75ff39cd3cc170c32356736690e71539c4c8ddec7ee84091d2781
Opcode Fuzzy Hash: ffdec86a73e1e17f1e967f1dd5f315c5618466891d0aff8b981c7c4642947b4c
Instruction Fuzzy Hash: 9721F9343042414BDB1A173D889493DBB9B6FC869C71840B5DE05CBB5AEE18CC41D3C1

Function 0176A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a505e9e2ed3c58bcec1de1d084d052efb0276315510cab020f190b82e42bf2
Instruction ID: dded433e76b31e2feefb982836acd92948f165cb4bbf854f590e30cd9b7f685a
Opcode Fuzzy Hash: f8a505e9e2ed3c58bcec1de1d084d052efb0276315510cab020f190b82e42bf2
Instruction Fuzzy Hash: 9131A870A002058FCB05CF6DC8849AEFFB7BF89350B158559D955AB3A6C7309C02CB90

Function 017676E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fcecc2d32427109b4eab077c44f0e591f95ace0c7f175df8334c4494e025ed
Instruction ID: 45f6029a4cd2b929763ccc94212fbe4f2b706566088e2df3a6d7dade4c80d8f2
Opcode Fuzzy Hash: 60fcecc2d32427109b4eab077c44f0e591f95ace0c7f175df8334c4494e025ed
Instruction Fuzzy Hash: 6F21C83430420547EB1A163D8894A7EB69FAFC879CF144079DE06CB799EE69CC82D7C0

Function 01762060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2d8cd2c92d0b8bf180dae9ac09092899d8ea9dba045cf0846bf1a83f2a9d33
Instruction ID: 83c0138f0c0951c420697ae332d584a66c60cf9a370f0a79b933fe955eea1948
Opcode Fuzzy Hash: 7c2d8cd2c92d0b8bf180dae9ac09092899d8ea9dba045cf0846bf1a83f2a9d33
Instruction Fuzzy Hash: 7521B235A00159AFCB54DB24D8409AEB7BAEBDD350F50C059EC099B341DB35EE82CBD1

Function 0176D11B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b48ffdbd2b2c3dc213900d068e2e64e84cebe0aa14b78fbc1e69d31221cec09
Instruction ID: cac8535c918d7bf1a184ffe936ef5716eb9b1a89e71edade0edb93bdbd73d872
Opcode Fuzzy Hash: 5b48ffdbd2b2c3dc213900d068e2e64e84cebe0aa14b78fbc1e69d31221cec09
Instruction Fuzzy Hash: DC211331D11219CECB10EFE8E8046ECFBB4FF4A301F519629E94477214EB706A9ACB80

Function 01765A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af50b209b2dc87faacb8f68cd37a11b1c5e91cf92ec0fd0bb49ef28e1fd7ca8
Instruction ID: 1e6191dc464b7acf02e6d5faea1825a9f1a3c96bfed394f1133e3a1764bbc71c
Opcode Fuzzy Hash: 6af50b209b2dc87faacb8f68cd37a11b1c5e91cf92ec0fd0bb49ef28e1fd7ca8
Instruction Fuzzy Hash: 6D21C0357016128BDB269A29D49492FFBABFFC86A170445A9ED06CB394CF30DC028BC0

Function 0176215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a98328b2075379eeff67e85802968eba5229addb30937d15a12dad9161111
Instruction ID: 8c83bbe1fc8fe0dd7fa75d86292bfa763135a85e901ac307eb22db505424c52e
Opcode Fuzzy Hash: 758a98328b2075379eeff67e85802968eba5229addb30937d15a12dad9161111
Instruction Fuzzy Hash: 1B119E35E093899FCB029BF89C104DEFB35FFCA310B258796D622B7191EA312846C791

Function 0176D218 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc8ffc59a28bf4836a80d80a9a2159e41c37bf7e829053e5957e7c52da4aa6e
Instruction ID: 74501d2c7af4ae0da7ae85a41b2fd27d067ea55e9bd483b6d037b1fb2df627d0
Opcode Fuzzy Hash: 5fc8ffc59a28bf4836a80d80a9a2159e41c37bf7e829053e5957e7c52da4aa6e
Instruction Fuzzy Hash: 3D212374A012498FDB08DFB0E850AEDBBB2FB8A300F105469C4117B264DB399986CF24

Function 0176D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48f7882f761583a9bd33cad5bd6be0e8a4bea952051a4342c8eb1c1d7028975
Instruction ID: b0d480d9c41c75db0ee720b463f4414c32017274c41ef56c13fbe8d0d913fc0e
Opcode Fuzzy Hash: d48f7882f761583a9bd33cad5bd6be0e8a4bea952051a4342c8eb1c1d7028975
Instruction Fuzzy Hash: 6B210374A012498BDB08DFB5E850AEEB7B6FB8A305F105469C811773A4CB399D81CF68

Function 01761F61 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcb67976bbea42d0350492b3fb51d1fbf07efdbc2ef8126bd20595fec3d876c
Instruction ID: 69f9cf4abb0c95b4e25a78e5098a2f06623c58223255440153222028e782056a
Opcode Fuzzy Hash: 1dcb67976bbea42d0350492b3fb51d1fbf07efdbc2ef8126bd20595fec3d876c
Instruction Fuzzy Hash: 2121AD74C0120A8FCB41EFA9D8445EDBBB1FF4A340F10566AD905B7221EB345A95CBA1

Function 01761F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4071239c56850a69b49a883fc5de45abccc27cb4a4585d218e8984cc6feb92f
Instruction ID: 15c93a6ff7af1e11c9ec0c5eebcfdef290d43a8a73d85a85ca9fd38f65c6acef
Opcode Fuzzy Hash: d4071239c56850a69b49a883fc5de45abccc27cb4a4585d218e8984cc6feb92f
Instruction Fuzzy Hash: 8F213474C05249CFCB11EFA8C4884EDFFB0BF4A340F1445AAD805BB260EB305A84CBA2

Function 01765607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa16058ca97bae809f1a9a8d9d29b4dd1066fbf1c5e7707166e9b693b8c6e03
Instruction ID: 5523767060b684236f1dca8ee07ca91ea650f5035d5bdc11508ff3487628d32b
Opcode Fuzzy Hash: 0aa16058ca97bae809f1a9a8d9d29b4dd1066fbf1c5e7707166e9b693b8c6e03
Instruction Fuzzy Hash: CE01F9717041055FDF078E5998106AF7FEBDFD97A1B1880AAF905DB254CA31CC11D760

Function 01762010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ce2f33e137d1478aa3e28424d9c42323389b7c786d3ed3c26e89a55686651e
Instruction ID: 851a5984dd3635ff5ead540dd743de0583a2ebca1959a9937c0397d614357c95
Opcode Fuzzy Hash: 95ce2f33e137d1478aa3e28424d9c42323389b7c786d3ed3c26e89a55686651e
Instruction Fuzzy Hash: DCE02234C2139B5BCB029BA0E8100EEFB34FE87210B2421D3DA212B002E770254ACBB0

Function 01762020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd91c9b48a02ac705872d7821dba4f0581a29ce56b934a80bd8758dd51c2681
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 7fd91c9b48a02ac705872d7821dba4f0581a29ce56b934a80bd8758dd51c2681
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 01768258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: a0d63a13605ba922a45f832f593bb3b164ea77e1c7829523a4fe2ff83d93ce22
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 59C0123320C2282AA725108F7C40AA7AB8CC2C12B4A250277FA1CA3200A8429C8001AA

Function 0176A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11e08750d316b094e4bff75866109b240ab5edb9bfaea6f7d73e2345610dde2
Instruction ID: 724ee46d751d38c3086b0ca7e944568e518b26e5b5c50603e4b999be283a23c2
Opcode Fuzzy Hash: e11e08750d316b094e4bff75866109b240ab5edb9bfaea6f7d73e2345610dde2
Instruction Fuzzy Hash: ADD0173BB00008DFCF048F88E8408DDF7B6FB8C221B008026E911A7220C6319821CB50

Function 01765EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007e6d95f0d9e2e673b8f00ef3a781b98875607cc92b1dd7b728db438297fe68
Instruction ID: 0cf32c51aa3f0ef395755bc9ad51e49b124c3fea8d64a51da24518483854a9ef
Opcode Fuzzy Hash: 007e6d95f0d9e2e673b8f00ef3a781b98875607cc92b1dd7b728db438297fe68
Instruction Fuzzy Hash: CBD02B345083874BC307E735E9044043F35F9C1304F4418DDE40599456EFBC1C8647A1

Function 01765EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2209784098.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271258a06869c960d5d94fd1fbdea8bdf7e49dbaf79fe2fbdf818658c0924ed8
Instruction ID: e5f73730fb4cfe3a3863f78b62d3f32ec2aa2ede523b9c638aaec8eccc82fc61
Opcode Fuzzy Hash: 271258a06869c960d5d94fd1fbdea8bdf7e49dbaf79fe2fbdf818658c0924ed8
Instruction Fuzzy Hash: 4EC0123450030B87D50AE776F9449153B7AF6D0300F405959A10909559DFFC5C854694

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H3fwQALXDX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3fwQALXDX.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
H3fwQALXDX.exe

Function 0266C160 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 203
COMMON

Function 0266C148 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0266C5E0 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Function 0266BD7C Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0266C360 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON