Edit tour

Windows Analysis Report
PM114079-990528.exe

Overview

General Information

Sample name:	PM114079-990528.exe
Analysis ID:	1465773
MD5:	9f259b3c899293bc12c9397e010f9e40
SHA1:	af9c1736e4b3fdb69e3e22a70953872257335c89
SHA256:	683b3c223e311088d28b4d7ee52e207d8593836887a359a9cdb3b5535f305aa3
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PM114079-990528.exe (PID: 4292 cmdline: "C:\Users\user\Desktop\PM114079-990528.exe" MD5: 9F259B3C899293BC12C9397E010F9E40)

PM114079-990528.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\PM114079-990528.exe" MD5: 9F259B3C899293BC12C9397E010F9E40)

cmd.exe (PID: 3180 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 5528 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14843:$a1: get_encryptedPassword 0x14b2f:$a2: get_encryptedUsername 0x1464f:$a3: get_timePasswordChanged 0x1474a:$a4: get_passwordField 0x14859:$a5: set_encryptedPassword 0x15e39:$a7: get_logins 0x15d9c:$a10: KeyLoggerEventArgs 0x15a35:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18024:$x1: $%SMTPDV$ 0x1808a:$x2: $#TheHashHere%& 0x19681:$x3: %FTPDV$ 0x19775:$x4: $%TelegramDv$ 0x15a35:$x5: KeyLoggerEventArgs 0x15d9c:$x5: KeyLoggerEventArgs 0x196a5:$m2: Clipboard Logs ID 0x198c5:$m2: Screenshot Logs ID 0x199d5:$m2: keystroke Logs ID 0x19caf:$m3: SnakePW 0x1989d:$m4: \SnakeKeylogger\
00000000.00000002.1990419094.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf3053:$a1: get_encryptedPassword 0x113883:$a1: get_encryptedPassword 0x133ea3:$a1: get_encryptedPassword 0xf333f:$a2: get_encryptedUsername 0x113b6f:$a2: get_encryptedUsername 0x13418f:$a2: get_encryptedUsername 0xf2e5f:$a3: get_timePasswordChanged 0x11368f:$a3: get_timePasswordChanged 0x133caf:$a3: get_timePasswordChanged 0xf2f5a:$a4: get_passwordField 0x11378a:$a4: get_passwordField 0x133daa:$a4: get_passwordField 0xf3069:$a5: set_encryptedPassword 0x113899:$a5: set_encryptedPassword 0x133eb9:$a5: set_encryptedPassword 0xf4649:$a7: get_logins 0x114e79:$a7: get_logins 0x135499:$a7: get_logins 0xf45ac:$a10: KeyLoggerEventArgs 0x114ddc:$a10: KeyLoggerEventArgs 0x1353fc:$a10: KeyLoggerEventArgs
00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf6834:$x1: $%SMTPDV$ 0x117064:$x1: $%SMTPDV$ 0x137684:$x1: $%SMTPDV$ 0xf689a:$x2: $#TheHashHere%& 0x1170ca:$x2: $#TheHashHere%& 0x1376ea:$x2: $#TheHashHere%& 0xf7e91:$x3: %FTPDV$ 0x1186c1:$x3: %FTPDV$ 0x138ce1:$x3: %FTPDV$ 0xf7f85:$x4: $%TelegramDv$ 0x1187b5:$x4: $%TelegramDv$ 0x138dd5:$x4: $%TelegramDv$ 0xf4245:$x5: KeyLoggerEventArgs 0xf45ac:$x5: KeyLoggerEventArgs 0x114a75:$x5: KeyLoggerEventArgs 0x114ddc:$x5: KeyLoggerEventArgs 0x135095:$x5: KeyLoggerEventArgs 0x1353fc:$x5: KeyLoggerEventArgs 0xf7eb5:$m2: Clipboard Logs ID 0xf80d5:$m2: Screenshot Logs ID 0xf81e5:$m2: keystroke Logs ID
00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PM114079-990528.exe PID: 4292	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PM114079-990528.exe PID: 4292	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PM114079-990528.exe PID: 4292	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PM114079-990528.exe PID: 4292	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4c004:$a1: get_encryptedPassword 0x4c24f:$a2: get_encryptedUsername 0x4be33:$a3: get_timePasswordChanged 0x4bf15:$a4: get_passwordField 0x4c01a:$a5: set_encryptedPassword 0x4ddff:$a7: get_logins 0x4dd80:$a10: KeyLoggerEventArgs 0x4db1c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PM114079-990528.exe PID: 4292	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4db1c:$x5: KeyLoggerEventArgs 0x4dd80:$x5: KeyLoggerEventArgs 0x4e5ab:$x5: KeyLoggerEventArgs 0x4e8df:$x5: KeyLoggerEventArgs 0x4fe05:$m2: Clipboard Logs ID 0x4fefc:$m2: Screenshot Logs ID 0x4ff52:$m2: keystroke Logs ID 0x50087:$m3: SnakePW 0x4fee8:$m4: \SnakeKeylogger\
Process Memory Space: PM114079-990528.exe PID: 6604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PM114079-990528.exe PID: 6604	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PM114079-990528.exe PID: 6604	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb6fd:$a1: get_encryptedPassword 0xb9df:$a2: get_encryptedUsername 0xb513:$a3: get_timePasswordChanged 0xb60e:$a4: get_passwordField 0xb713:$a5: set_encryptedPassword 0xdaff:$a7: get_logins 0xda62:$a10: KeyLoggerEventArgs 0xd6fb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PM114079-990528.exe PID: 6604	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xd6fb:$x5: KeyLoggerEventArgs 0xda62:$x5: KeyLoggerEventArgs 0xe350:$x5: KeyLoggerEventArgs 0xe684:$x5: KeyLoggerEventArgs 0xfc32:$m2: Clipboard Logs ID 0xfd29:$m2: Screenshot Logs ID 0xfd7f:$m2: keystroke Logs ID 0xfeb4:$m3: SnakePW 0xfd15:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PM114079-990528.exe.41c7b70.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48c6b:$x1: In$J$ct0r
0.2.PM114079-990528.exe.5b00000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48c6b:$x1: In$J$ct0r
0.2.PM114079-990528.exe.4277e40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PM114079-990528.exe.4277e40.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PM114079-990528.exe.4277e40.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x14239:$a7: get_logins 0x1419c:$a10: KeyLoggerEventArgs 0x13e35:$a11: KeyLoggerEventArgsEventHandler
0.2.PM114079-990528.exe.4277e40.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a471:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ad6:$a4: \Orbitum\User Data\Default\Login Data 0x1ab15:$a5: \Kometa\User Data\Default\Login Data
0.2.PM114079-990528.exe.4277e40.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c0:$s1: UnHook 0x137c7:$s2: SetHook 0x137cf:$s3: CallNextHook 0x137dc:$s4: _hook
0.2.PM114079-990528.exe.4277e40.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16424:$x1: $%SMTPDV$ 0x1648a:$x2: $#TheHashHere%& 0x17a81:$x3: %FTPDV$ 0x17b75:$x4: $%TelegramDv$ 0x13e35:$x5: KeyLoggerEventArgs 0x1419c:$x5: KeyLoggerEventArgs 0x17aa5:$m2: Clipboard Logs ID 0x17cc5:$m2: Screenshot Logs ID 0x17dd5:$m2: keystroke Logs ID 0x180af:$m3: SnakePW 0x17c9d:$m4: \SnakeKeylogger\
2.2.PM114079-990528.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.PM114079-990528.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.PM114079-990528.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.PM114079-990528.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x15c35:$a11: KeyLoggerEventArgsEventHandler
2.2.PM114079-990528.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data
2.2.PM114079-990528.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x155c7:$s2: SetHook 0x155cf:$s3: CallNextHook 0x155dc:$s4: _hook
2.2.PM114079-990528.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID 0x19eaf:$m3: SnakePW 0x19a9d:$m4: \SnakeKeylogger\
0.2.PM114079-990528.exe.4257610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PM114079-990528.exe.4257610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PM114079-990528.exe.4257610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x14239:$a7: get_logins 0x1419c:$a10: KeyLoggerEventArgs 0x13e35:$a11: KeyLoggerEventArgsEventHandler
0.2.PM114079-990528.exe.4257610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a471:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ad6:$a4: \Orbitum\User Data\Default\Login Data 0x1ab15:$a5: \Kometa\User Data\Default\Login Data
0.2.PM114079-990528.exe.4257610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c0:$s1: UnHook 0x137c7:$s2: SetHook 0x137cf:$s3: CallNextHook 0x137dc:$s4: _hook
0.2.PM114079-990528.exe.4257610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16424:$x1: $%SMTPDV$ 0x1648a:$x2: $#TheHashHere%& 0x17a81:$x3: %FTPDV$ 0x17b75:$x4: $%TelegramDv$ 0x13e35:$x5: KeyLoggerEventArgs 0x1419c:$x5: KeyLoggerEventArgs 0x17aa5:$m2: Clipboard Logs ID 0x17cc5:$m2: Screenshot Logs ID 0x17dd5:$m2: keystroke Logs ID 0x180af:$m3: SnakePW 0x17c9d:$m4: \SnakeKeylogger\
0.2.PM114079-990528.exe.5b00000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
0.2.PM114079-990528.exe.31c9958.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa2098:$x1: In$J$ct0r 0xa2fd4:$a1: WriteProcessMemory 0xa3060:$a1: WriteProcessMemory 0xa3134:$a4: VirtualAllocEx 0xa3358:$a4: VirtualAllocEx 0xa33d8:$a4: VirtualAllocEx
0.2.PM114079-990528.exe.31c7118.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48d8:$x1: In$J$ct0r 0xa5814:$a1: WriteProcessMemory 0xa58a0:$a1: WriteProcessMemory 0xa5974:$a4: VirtualAllocEx 0xa5b98:$a4: VirtualAllocEx 0xa5c18:$a4: VirtualAllocEx
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35063:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3534f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x34e6f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x34f6a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35079:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x36659:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x365bc:$a10: KeyLoggerEventArgs 0x15c35:$a11: KeyLoggerEventArgsEventHandler 0x36255:$a11: KeyLoggerEventArgsEventHandler
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c891:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bac3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x3bef6:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data 0x3cf35:$a5: \Kometa\User Data\Default\Login Data
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x35be0:$s1: UnHook 0x155c7:$s2: SetHook 0x35be7:$s2: SetHook 0x155cf:$s3: CallNextHook 0x35bef:$s3: CallNextHook 0x155dc:$s4: _hook 0x35bfc:$s4: _hook
0.2.PM114079-990528.exe.4277e40.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x38844:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x388aa:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x39ea1:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x39f95:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x36255:$x5: KeyLoggerEventArgs 0x365bc:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID 0x39ec5:$m2: Clipboard Logs ID 0x3a0e5:$m2: Screenshot Logs ID 0x3a1f5:$m2: keystroke Logs ID 0x19eaf:$m3: SnakePW 0x3a4cf:$m3: SnakePW 0x19a9d:$m4: \SnakeKeylogger\
0.2.PM114079-990528.exe.4257610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PM114079-990528.exe.4257610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PM114079-990528.exe.4257610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PM114079-990528.exe.4257610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35273:$a1: get_encryptedPassword 0x55893:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3555f:$a2: get_encryptedUsername 0x55b7f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x3507f:$a3: get_timePasswordChanged 0x5569f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x3517a:$a4: get_passwordField 0x5579a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35289:$a5: set_encryptedPassword 0x558a9:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x36869:$a7: get_logins 0x56e89:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x367cc:$a10: KeyLoggerEventArgs 0x56dec:$a10: KeyLoggerEventArgs
0.2.PM114079-990528.exe.4257610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3caa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d0c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bcd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c2f3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x3c106:$a4: \Orbitum\User Data\Default\Login Data 0x5c726:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data 0x3d145:$a5: \Kometa\User Data\Default\Login Data 0x5d765:$a5: \Kometa\User Data\Default\Login Data
0.2.PM114079-990528.exe.4257610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x35df0:$s1: UnHook 0x56410:$s1: UnHook 0x155c7:$s2: SetHook 0x35df7:$s2: SetHook 0x56417:$s2: SetHook 0x155cf:$s3: CallNextHook 0x35dff:$s3: CallNextHook 0x5641f:$s3: CallNextHook 0x155dc:$s4: _hook 0x35e0c:$s4: _hook 0x5642c:$s4: _hook
0.2.PM114079-990528.exe.4257610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x38a54:$x1: $%SMTPDV$ 0x59074:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x38aba:$x2: $#TheHashHere%& 0x590da:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x3a0b1:$x3: %FTPDV$ 0x5a6d1:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x3a1a5:$x4: $%TelegramDv$ 0x5a7c5:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x36465:$x5: KeyLoggerEventArgs 0x367cc:$x5: KeyLoggerEventArgs 0x56a85:$x5: KeyLoggerEventArgs 0x56dec:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa44e3:$a1: get_encryptedPassword 0xc4d13:$a1: get_encryptedPassword 0xe5333:$a1: get_encryptedPassword 0xa47cf:$a2: get_encryptedUsername 0xc4fff:$a2: get_encryptedUsername 0xe561f:$a2: get_encryptedUsername 0xa42ef:$a3: get_timePasswordChanged 0xc4b1f:$a3: get_timePasswordChanged 0xe513f:$a3: get_timePasswordChanged 0xa43ea:$a4: get_passwordField 0xc4c1a:$a4: get_passwordField 0xe523a:$a4: get_passwordField 0xa44f9:$a5: set_encryptedPassword 0xc4d29:$a5: set_encryptedPassword 0xe5349:$a5: set_encryptedPassword 0xa5ad9:$a7: get_logins 0xc6309:$a7: get_logins 0xe6929:$a7: get_logins 0xa5a3c:$a10: KeyLoggerEventArgs 0xc626c:$a10: KeyLoggerEventArgs 0xe688c:$a10: KeyLoggerEventArgs
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5060:$s1: UnHook 0xc5890:$s1: UnHook 0xe5eb0:$s1: UnHook 0xa5067:$s2: SetHook 0xc5897:$s2: SetHook 0xe5eb7:$s2: SetHook 0xa506f:$s3: CallNextHook 0xc589f:$s3: CallNextHook 0xe5ebf:$s3: CallNextHook 0xa507c:$s4: _hook 0xc58ac:$s4: _hook 0xe5ecc:$s4: _hook
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa7cc4:$x1: $%SMTPDV$ 0xc84f4:$x1: $%SMTPDV$ 0xe8b14:$x1: $%SMTPDV$ 0xa7d2a:$x2: $#TheHashHere%& 0xc855a:$x2: $#TheHashHere%& 0xe8b7a:$x2: $#TheHashHere%& 0xa9321:$x3: %FTPDV$ 0xc9b51:$x3: %FTPDV$ 0xea171:$x3: %FTPDV$ 0xa9415:$x4: $%TelegramDv$ 0xc9c45:$x4: $%TelegramDv$ 0xea265:$x4: $%TelegramDv$ 0xa56d5:$x5: KeyLoggerEventArgs 0xa5a3c:$x5: KeyLoggerEventArgs 0xc5f05:$x5: KeyLoggerEventArgs 0xc626c:$x5: KeyLoggerEventArgs 0xe6525:$x5: KeyLoggerEventArgs 0xe688c:$x5: KeyLoggerEventArgs 0xa9345:$m2: Clipboard Logs ID 0xa9565:$m2: Screenshot Logs ID 0xa9675:$m2: keystroke Logs ID
0.2.PM114079-990528.exe.41c7b70.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
Click to see the 40 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: PM114079-990528.exe	ReversingLabs: Detection: 50%
Source: PM114079-990528.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PM114079-990528.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PM114079-990528.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: PM114079-990528.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000000.00000002.1990700030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A42000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PM114079-990528.exe	String found in binary or memory: https://aka.ms/binaryformatter
Source: PM114079-990528.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: PM114079-990528.exe	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PM114079-990528.exe.41c7b70.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PM114079-990528.exe.5b00000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PM114079-990528.exe.5b00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PM114079-990528.exe.31c9958.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PM114079-990528.exe.31c7118.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1990419094.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 0_2_015FD3DC	0_2_015FD3DC
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02836108	2_2_02836108
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02836730	2_2_02836730
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283C751	2_2_0283C751
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283B4A0	2_2_0283B4A0
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283C470	2_2_0283C470
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02834AD9	2_2_02834AD9
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283CA31	2_2_0283CA31
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02839858	2_2_02839858
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283BEB0	2_2_0283BEB0
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_0283B4F3	2_2_0283B4F3
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02833570	2_2_02833570

Source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989660475.0000000003171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $jq,\\StringFileInfo\\000004B0\\OriginalFilename vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1988877632.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1990419094.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000000.1981146701.0000000000E52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameavtry.exe. vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000000.00000002.1990700030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs PM114079-990528.exe
Source: PM114079-990528.exe, 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PM114079-990528.exe
Source: PM114079-990528.exe	Binary or memory string: OriginalFilenameavtry.exe. vs PM114079-990528.exe

Source: PM114079-990528.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PM114079-990528.exe.41c7b70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PM114079-990528.exe.5b00000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PM114079-990528.exe.5b00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PM114079-990528.exe.31c9958.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PM114079-990528.exe.31c7118.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1990419094.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.5b00000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.PM114079-990528.exe.5b00000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\PM114079-990528.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PM114079-990528.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Users\user\Desktop\PM114079-990528.exe	Mutant created: NULL

Source: PM114079-990528.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PM114079-990528.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PM114079-990528.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PM114079-990528.exe	ReversingLabs: Detection: 50%
Source: PM114079-990528.exe	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\PM114079-990528.exe "C:\Users\user\Desktop\PM114079-990528.exe"
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Users\user\Desktop\PM114079-990528.exe "C:\Users\user\Desktop\PM114079-990528.exe"
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Users\user\Desktop\PM114079-990528.exe "C:\Users\user\Desktop\PM114079-990528.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PM114079-990528.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PM114079-990528.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: PM114079-990528.exe

Static PE information: 0x8BED6FE1 [Mon May 23 05:21:37 2044 UTC]

Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 0_2_05D6C5BD push FFFFFF8Bh; iretd	0_2_05D6C5BF
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 0_2_05D67112 push eax; retf	0_2_05D67119
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02834000 push eax; ret	2_2_0283400A
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02834010 push eax; ret	2_2_0283401A
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02833F90 push eax; ret	2_2_02833F7A
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02833F90 push eax; ret	2_2_02833FFA
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02833F90 push eax; ret	2_2_0283400A
Source: C:\Users\user\Desktop\PM114079-990528.exe	Code function: 2_2_02833F90 push eax; ret	2_2_0283401A

Source: PM114079-990528.exe

Static PE information: section name: .text entropy: 7.357025541157422

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR

Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 5170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598868	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596459	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe	Window / User API: threadDelayed 7582			Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Window / User API: threadDelayed 2271			Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 2920	Thread sleep count: 7582 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 2920	Thread sleep count: 2271 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598868s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596459s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595117s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe TID: 4028	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598868	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596459	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: PM114079-990528.exe, 00000002.00000002.2098441533.0000000000A87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PM114079-990528.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: PM114079-990528.exe, EventLogInternal.cs	Reference to suspicious API methods: global::Interop.Kernel32.LoadLibraryExW(text, IntPtr.Zero, 2u)
Source: 0.2.PM114079-990528.exe.31c9958.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.PM114079-990528.exe.31c9958.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Users\user\Desktop\PM114079-990528.exe "C:\Users\user\Desktop\PM114079-990528.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Users\user\Desktop\PM114079-990528.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Users\user\Desktop\PM114079-990528.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PM114079-990528.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PM114079-990528.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR

Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PM114079-990528.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4277e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.4257610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PM114079-990528.exe.41c7b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PM114079-990528.exe PID: 6604, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PM114079-990528.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
PM114079-990528.exe	60%	Virustotal		Browse
PM114079-990528.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://aka.ms/dotnet-warnings/	0%	Virustotal		Browse
https://aka.ms/serializationformat-binary-obsolete	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-warnings/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://aka.ms/serializationformat-binary-obsolete	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Virustotal		Browse
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	1%	Virustotal		Browse
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.com	0%	Virustotal		Browse
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse
https://aka.ms/binaryformatter	0%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/dotnet-warnings/	PM114079-990528.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/serializationformat-binary-obsolete	PM114079-990528.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/binaryformatter	PM114079-990528.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A42000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B4B000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B02000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PM114079-990528.exe, 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	PM114079-990528.exe, 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PM114079-990528.exe, 00000002.00000002.2099374679.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465773
Start date and time:	2024-07-02 03:27:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PM114079-990528.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 64 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PM114079-990528.exe, PID 6604 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:27:51	API Interceptor	78x Sleep call for process: PM114079-990528.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Prouduct list Specifictions.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_0071191023.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	Vg46FzGtNo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mHgyHEv5/download
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	johnlewisfr.com/
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
	hnCn8gE6NH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	yenot.top/providerlowAuthApibigloadprotectflower.php
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
	Purchase Order -JJ023639-PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/9a4iHwft/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	0wVYV60JHd.elf	Get hash	malicious	Mirai	Browse	129.147.194.27
	h1dNV0rAcX.elf	Get hash	malicious	Mirai	Browse	193.122.239.131
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	https://punchbowl-sc.info/in/&d=DwMFAw	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://proposalbidinvitation.wordpress.com/	Get hash	malicious	Unknown	Browse	104.21.79.87
	https://hamids-worker.hamidyousefi93.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://jiedian.dadabing023.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://worker-aliggggg.farnazmonsef1.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://mars.773670658.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://www.youkonew.anakembok.de/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://cloudflare-workers-pages-vless-2gi.pages.dev/	Get hash	malicious	Unknown	Browse	172.66.44.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	bJLd0SUHfj.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	PGjIoaqfQY.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	x6221haMsm.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\PM114079-990528.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3447002305252
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PM114079-990528.exe
File size:	493'056 bytes
MD5:	9f259b3c899293bc12c9397e010f9e40
SHA1:	af9c1736e4b3fdb69e3e22a70953872257335c89
SHA256:	683b3c223e311088d28b4d7ee52e207d8593836887a359a9cdb3b5535f305aa3
SHA512:	e12e2ccf1a57b492409c4ce3af237972b11b1b8c126f2b6ad7d56a0b3ef601a226259c5d8706819c95319614a38fa2d2890a62e7f9ce816acf2c445c8529b495
SSDEEP:	6144:ZXuAPKbl6eAs+AYJAmp1sWososBPBY0SQBhhASbOF7HAAPq/XtLMfFUYK8tvFCkt:ZXuBxOKkAVzAAylLMfCYK8tv
TLSH:	A9A4D05213D8475DF6FE2BB4A1712114C3BEFA696635F34D26C4A8AD2E633C08E50B93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o................0..\|..........~.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x479a7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8BED6FE1 [Mon May 23 05:21:37 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79a24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x58e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x77a84	0x77c00	cfeb02a6a919aec02caed186bed42980	False	0.6104188413361169	data	7.357025541157422	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x58e	0x600	1702ccff915b2c385a113f63e5ba57d7	False	0.4147135416666667	data	4.025204759389211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	4969f1400d697c8f3a8677710fbed2bb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x304	data			0.4365284974093264
RT_MANIFEST	0x7a3a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 03:27:49.914422035 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:49.919230938 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:49.919316053 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:49.919644117 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:49.925980091 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:50.559614897 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:50.611737013 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:50.677037954 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:50.681847095 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:50.863811016 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:50.908698082 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:51.020060062 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.020163059 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:51.020251989 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.025899887 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.025937080 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:51.536269903 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:51.536396980 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.542629004 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.542665005 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:51.542979956 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:51.590589046 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:51.636498928 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.041821957 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.041901112 CEST	443	49707	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.041966915 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.055246115 CEST	49707	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.058245897 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.067991972 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:52.250788927 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:52.254049063 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.254093885 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.254179001 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.254462957 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.254493952 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.299272060 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.738600016 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.741337061 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.741381884 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.916111946 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.916335106 CEST	443	49709	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:52.916399002 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.916879892 CEST	49709	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:52.920151949 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.921262980 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.925641060 CEST	80	49704	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:52.925745010 CEST	49704	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.926137924 CEST	80	49710	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:52.926274061 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.926274061 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:52.931319952 CEST	80	49710	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:53.590704918 CEST	80	49710	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:53.595509052 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:53.595562935 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:53.595633984 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:53.595926046 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:53.595938921 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:53.642983913 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.067595959 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.069224119 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.069252014 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.197406054 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.197630882 CEST	443	49711	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.197695971 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.197925091 CEST	49711	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.200704098 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.201726913 CEST	49713	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.206530094 CEST	80	49713	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:54.206614017 CEST	49713	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.206741095 CEST	49713	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.206782103 CEST	80	49710	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:54.206859112 CEST	49710	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:54.211709976 CEST	80	49713	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:54.842283964 CEST	80	49713	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:54.843671083 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.843694925 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.843746901 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.844036102 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:54.844048977 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:54.892981052 CEST	49713	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:55.322902918 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:55.325546026 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:55.325572014 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:55.463268042 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:55.463484049 CEST	443	49714	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:55.463888884 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:55.464185953 CEST	49714	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:55.468314886 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:55.473182917 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:55.473459005 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:55.473748922 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:55.478473902 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:56.128309011 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:56.129518986 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.129559040 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.129632950 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.129897118 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.129911900 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.174352884 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.599116087 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.600723028 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.600758076 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.728081942 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.728312016 CEST	443	49717	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:56.728377104 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.728847027 CEST	49717	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:56.732175112 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.733138084 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.737278938 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:56.737436056 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.738096952 CEST	80	49718	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:56.738159895 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.738253117 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:56.743834972 CEST	80	49718	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:57.380131006 CEST	80	49718	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:57.382091999 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:57.382124901 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:57.382271051 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:57.382515907 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:57.382530928 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:57.424269915 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:57.878529072 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:57.880040884 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:57.880063057 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:58.015778065 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:58.016011000 CEST	443	49719	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:58.016164064 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:58.016653061 CEST	49719	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:58.020451069 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:58.021126986 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:58.025636911 CEST	80	49718	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:58.025706053 CEST	49718	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:58.025945902 CEST	80	49720	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:58.026021004 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:58.026151896 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:58.030884027 CEST	80	49720	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:58.677042007 CEST	80	49720	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:58.678585052 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:58.678611994 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:58.678675890 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:58.678966045 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:58.678980112 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:58.721111059 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.179163933 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:59.180816889 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.180835962 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:59.336762905 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:59.336863995 CEST	443	49721	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:59.336939096 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.337369919 CEST	49721	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.340590954 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.341558933 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.346065044 CEST	80	49720	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:59.346124887 CEST	49720	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.346354961 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:59.346425056 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.346543074 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:27:59.351277113 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:59.985934973 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 2, 2024 03:27:59.987814903 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.987838984 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:27:59.987919092 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.988204956 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:27:59.988223076 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:28:00.033607006 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:28:00.471266985 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:28:00.473001957 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:28:00.473020077 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:28:00.608782053 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:28:00.608891010 CEST	443	49723	188.114.96.3	192.168.2.5
Jul 2, 2024 03:28:00.608942986 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:28:00.609646082 CEST	49723	443	192.168.2.5	188.114.96.3
Jul 2, 2024 03:28:00.747992992 CEST	49713	80	192.168.2.5	193.122.6.168
Jul 2, 2024 03:28:00.748569012 CEST	49722	80	192.168.2.5	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 03:27:49.897456884 CEST	65247	53	192.168.2.5	1.1.1.1
Jul 2, 2024 03:27:49.904643059 CEST	53	65247	1.1.1.1	192.168.2.5
Jul 2, 2024 03:27:51.012442112 CEST	57045	53	192.168.2.5	1.1.1.1
Jul 2, 2024 03:27:51.019444942 CEST	53	57045	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 03:27:49.897456884 CEST	192.168.2.5	1.1.1.1	0x12a8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:51.012442112 CEST	192.168.2.5	1.1.1.1	0xc760	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:49.904643059 CEST	1.1.1.1	192.168.2.5	0x12a8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:51.019444942 CEST	1.1.1.1	192.168.2.5	0xc760	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 03:27:51.019444942 CEST	1.1.1.1	192.168.2.5	0xc760	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:49.919644117 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 03:27:50.559614897 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c976893c19f43aa5bb51a08ed4942c3e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 2, 2024 03:27:50.677037954 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 03:27:50.863811016 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ec892db141b634877d4c1efb275e2294 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 2, 2024 03:27:52.058245897 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 03:27:52.250788927 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 73e96364eaa8a1b5dfa25d99f68d3728 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:52.926274061 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 03:27:53.590704918 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b46800dca103de9bec5d9899871eb6fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:54.206741095 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 03:27:54.842283964 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: afe8017681d190a6aa160d9666deddcd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:55.473748922 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 03:27:56.128309011 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c87f5f9007ed908cb02058dbdcebc9f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:56.738253117 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 03:27:57.380131006 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4bbc52541feef824d64695abbfdee7ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:58.026151896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 03:27:58.677042007 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: efc75364285020c4e434e0a5fe5393db Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	193.122.6.168	80	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 03:27:59.346543074 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 03:27:59.985934973 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64964cd6ccfafda7a08b102282b0a00c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:51 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 01:27:52 UTC	695	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:51 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tDeyQmbFjDARH4eJbYnWkcqJd%2FBTYwVQmkB1kiGeBw29WNRHmI%2BNoJHnagJyiG2LiME7zmx9IMvDdaoGLHY7NrHWTglvdrTP9EWaDlWf2HkphS6sIXQKXh9ii7SJQ4G0HJSNlI%2BC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb13bff3428b-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:52 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:52 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-02 01:27:52 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:52 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffUfPBhO2A5Tk4tlnH6IqCw6MBu0BS3sjmAWzD1LoUeH2%2Bs4EIYuOjr6a8m26J%2Fg%2F9R0wX62cHPlq4l9j80Zq4nAE6v62wXK38Fsd0jHQuLCHucoqsMuPhQWW5yzl1Ff2i1wNDzD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb1b2ee041d8-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:52 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:54 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 01:27:54 UTC	698	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IrtfHs4FSofczfJ7kNHqYpWrJCrfCQJcrSQm%2BhNpGteUBoKSxrRK0akoASRZdfuthoaGIIdGLWBpxjyTmUE9U8hUjpRJrB1FfN0WFgPl2DODvwnaj9CndDNHMjyaJh0YF1iSNigE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb235a5b4307-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:54 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49714	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:55 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-02 01:27:55 UTC	704	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HoWni4i6HnK2yiJDXP%2Bg0cgC6teRUhPdAG7%2FbL9kintBWr3SLQGrbFmd5ilfmevnJKxF8te52w9BuBsf4686JBHSiISWALlx%2BA5mHwzRDDAgw39k5sTk30w%2F0UhCraJkbXRG5lKc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb2b4aa57ca5-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 01:27:56 UTC	700	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=83EtMlG9av2Rsfg7kK8dDobRJ8Xhv3xQyw8evazlKHIe0DGB8OriC0llGK9E0SUncybBTeigPYbQmJUSpR%2B38k8jI%2Fl972zu316ezeQSfhbTrQsY9Vbw7UNOcDiCuywmorHwQqPc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb332fca424a-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:57 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-02 01:27:58 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VWhB9ILWeJVXsrrTH%2BHhu%2B8McqUcOYb9ibjsF8pxpQwo3gZ7giOrZSasbGTFC11z7fobivlF10UkSGM4080Z5EmiwHv%2BKpvLNJ908CudyOgoq0yJEbu3U1A60QeS2xlbcNcDERBg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb3b39ee8c17-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:27:59 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 01:27:59 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:27:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zxjoi6vbbIuE4DCYFG9YKCuCmir0F47c%2BLCuRx638GotRBhow8sJGJEChhtIbVSUHirVrL83pE4QaYxYxAR%2B9OnO4c0%2FjY9Fmq8Uyr2orBqXOvaExFNbyTOh5BqyxqL4ffL8bqvi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb436ded42c9-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:27:59 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:27:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	188.114.96.3	443	6604	C:\Users\user\Desktop\PM114079-990528.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 01:28:00 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 01:28:00 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 01:28:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 9 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cHQwW%2BHH9WzicIsHZnUolyy7neHV7hC3zn%2B0OzOmaJf4mfdlMJHzjOdKjqgVsBlw6Igau%2BNgLw66VBmg8yD%2FziLa5cgC71hPOqIXX2yJajUI6tMfJlYE%2FtCPo4eM9DK4ovB2BJ0G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cadb4b6cbb431a-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 01:28:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 01:28:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:27:48
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\PM114079-990528.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PM114079-990528.exe"
Imagebase:	0xe50000
File size:	493'056 bytes
MD5 hash:	9F259B3C899293BC12C9397E010F9E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1990419094.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1989791038.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:27:48
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\PM114079-990528.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PM114079-990528.exe"
Imagebase:	0x5a0000
File size:	493'056 bytes
MD5 hash:	9F259B3C899293BC12C9397E010F9E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2097825317.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2099374679.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:28:00
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:28:00
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:28:00
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xe20000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	5

Executed Functions

Function 015FA690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015FA8E6

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fc093842157194e21bb6e71a6d21f0935d24d969df53898b3e1d5317c0be7bad
Instruction ID: d90640376a2d537a6d5f7aee1abe4483de41787dea97e7ba03b5830ed7b02dae
Opcode Fuzzy Hash: fc093842157194e21bb6e71a6d21f0935d24d969df53898b3e1d5317c0be7bad
Instruction Fuzzy Hash: 9D713770A00B058FDB24DF2AD544B5ABBF5FF88300F10892DD54ADBA50DB75E945CB92

Function 015FCB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015FCB26,?,?,?,?,?), ref: 015FCBE7

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 246d5ab9120b6d9cd9212f5b7c47a1f3cd4f55a03a134fbadafe493daa01357f
Instruction ID: a786e361faa148bd82eddab030fe3fbc41a5a895ee5b11b499de44947ccd84b3
Opcode Fuzzy Hash: 246d5ab9120b6d9cd9212f5b7c47a1f3cd4f55a03a134fbadafe493daa01357f
Instruction Fuzzy Hash: 9721D4B590020D9FDB10CF9AD984ADEBFF5FB48310F14841AE918A7350D379A944DFA1

Function 015FBDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015FCB26,?,?,?,?,?), ref: 015FCBE7

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3fbb0e3ced2db5cb3d3ae5ad72277c4613737e48818ddb2400c672e0fe521d0b
Instruction ID: a357286aed451c21e8dd63cf00a0749f89c5ac491fa20de853b1615d7dcb7f78
Opcode Fuzzy Hash: 3fbb0e3ced2db5cb3d3ae5ad72277c4613737e48818ddb2400c672e0fe521d0b
Instruction Fuzzy Hash: BB21D4B590020D9FDB10CF9AD984AEEBFF9FB48710F14842AE914A7350D378A944DFA4

Function 015FAB00 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015FA961,00000800,00000000,00000000), ref: 015FAB72

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37f71681af2c0d0293f40a26d2f162780893a78c4f0302ff032b28e8a4cc4b66
Instruction ID: 3661655c63cf6edb27b188fc885b4b4423f31163f0fd1a70d3dd2e2e8296580e
Opcode Fuzzy Hash: 37f71681af2c0d0293f40a26d2f162780893a78c4f0302ff032b28e8a4cc4b66
Instruction Fuzzy Hash: 5C1112B6C002089FDB10CFAAD444A9EFBF5FB48710F10852ED919A7200C379A545CFA1

Function 015FA118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015FA961,00000800,00000000,00000000), ref: 015FAB72

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9a74223d7cb2f19fed879fd390dc21638e83ad66c12a82a791b39eed8d5eefb
Instruction ID: e019f25ab1f291c6cd0c5d05fe698421a5f939bc87f4a640b08a94a45d1b1220
Opcode Fuzzy Hash: b9a74223d7cb2f19fed879fd390dc21638e83ad66c12a82a791b39eed8d5eefb
Instruction Fuzzy Hash: 581112B6C003088FDB20CF9AD444A9EFBF5FB48310F10882EE619AB210C379A545CFA1

Function 015FA880 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015FA8E6

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4dd3244994e1dce046630bcf4375b7c944d4b0ae632ba686f309afac7a17ed03
Instruction ID: 025e56002bab061a2cb200bd17cf82586675d50ebcf4ce12472ec7bae5f889f1
Opcode Fuzzy Hash: 4dd3244994e1dce046630bcf4375b7c944d4b0ae632ba686f309afac7a17ed03
Instruction Fuzzy Hash: 0A11DFB5C002498FDB10DF9AD444A9EFBF5EF89310F10842AD519A7250C379A545CFA1

Function 05D6AC20 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05D6AC85

Memory Dump Source

Source File: 00000000.00000002.1990844003.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d60000_PM114079-990528.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 463425c1ebda1806e8bd1a104682d2213a485da00d91f69576bd10116885a74a
Instruction ID: 8b2ec473c606a288a1c8e325a663954dc486a214d15910db7c3c2535b92cd83d
Opcode Fuzzy Hash: 463425c1ebda1806e8bd1a104682d2213a485da00d91f69576bd10116885a74a
Instruction Fuzzy Hash: 8011C2B5800349AFDB10DF9AD945BDEBFF8FB48320F14841AE558A7240C379A544CFA5

Function 05D68BF4 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05D6AC85

Memory Dump Source

Source File: 00000000.00000002.1990844003.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d60000_PM114079-990528.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bf05965900f8f460449d7a8648a0e4408ff271bdcd377879a856fea82fd40308
Instruction ID: 902e62cfb8591456d36ecfe73032cc197b26c2c28e05b8b01a948a3a5c50c068
Opcode Fuzzy Hash: bf05965900f8f460449d7a8648a0e4408ff271bdcd377879a856fea82fd40308
Instruction Fuzzy Hash: 2F11E0B5800349DFCB10DF9AC988BDEBBF8EB58310F14841AE559A7240C379A944CFA5

Function 0159D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989298291.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0e73980b0afbd882dab359e68c841ef327da9aac63f59148ec46038f74e202
Instruction ID: c2e14ebfb2773a7397ece51ae59707fb6a8b2724501a792c081f53b85aecb1dd
Opcode Fuzzy Hash: 4a0e73980b0afbd882dab359e68c841ef327da9aac63f59148ec46038f74e202
Instruction Fuzzy Hash: 9F21E071504204DFDF05DF98D9C0B2ABFB5FB98314F248569E90A0F256C33AD456C6A2

Function 015AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989339616.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ad000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d171762910a2d08d46467918e192d3ce9dfcb3fc3f230659de9a959495b54f71
Instruction ID: dfb7dfea9e04d7a112b69939b4ffc5ab49c876c2ca76eac263fda31cab07b7d0
Opcode Fuzzy Hash: d171762910a2d08d46467918e192d3ce9dfcb3fc3f230659de9a959495b54f71
Instruction Fuzzy Hash: 48212271684204DFCB15EF68D980B2ABFB5FB88314F60C96DD90A4F656D33AD407CA61

Function 015AD1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989339616.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ad000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86a758f750f5841eb9f8e067044d7a0e735c2f32c4d407c97580322314fc499
Instruction ID: faf8041426ae1fa118c11454289b6af6d11efe05d12934de06a17e45219e2020
Opcode Fuzzy Hash: a86a758f750f5841eb9f8e067044d7a0e735c2f32c4d407c97580322314fc499
Instruction Fuzzy Hash: BD21D0715842049FDB05EF98D580B2EBBB5FF88324F60C969E9094F656C37AD806CAA1

Function 015AD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989339616.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ad000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceecd8e07ad11798059383cb1a2673e04f2b8ed82694cd4cb5d30d0c8fa543a7
Instruction ID: b24a72c8c41f35fc2598f8e0d7493d2e3bd609ee4765121498302c4d3aacf062
Opcode Fuzzy Hash: ceecd8e07ad11798059383cb1a2673e04f2b8ed82694cd4cb5d30d0c8fa543a7
Instruction Fuzzy Hash: 3A21A1755493808FDB03DF24D994719BF71FB46214F28C5EAD8498F6A7C33A980ACB62

Function 0159D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989298291.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: cc24119824829ee57b7bb856281fe93285603770ae579220847a0b4d95dac8db
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A211CD72404240CFCF02CF54D5C4B1ABF71FB84214F2486A9D9090B256C33AD45ACBA2

Function 015AD1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989339616.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ad000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 101bbd0783dcc171cedfac81680acb730499c12252c73737b1ae88a713f9987e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: BD11BB75544280CFDB02DF54D5C4B19BFB2FB88224F24C6A9D8494F656C33AD40ACBA2

Non-executed Functions

Function 015FD3DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1989461133.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98052ffa299c780d199cd4028f1fca6712004e5ebdbcff4335479309b9ed13cd
Instruction ID: aeac245fa7b80904d03d68d836e5c12cb266a602704edc857284b262613a1759
Opcode Fuzzy Hash: 98052ffa299c780d199cd4028f1fca6712004e5ebdbcff4335479309b9ed13cd
Instruction Fuzzy Hash: 85A16C32A0020A8FCF05DFB8C9445DEBBB2FF85300B15856EEA06AF265DB75E915CB50

Analysis Process: PM114079-990528.exePID: 6604, Parent PID: 4292COMMON

Executed Functions

Function 02836730 Relevance: 6.7, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

(ojq, xrefs: 02836CA5
(ojq, xrefs: 0283697A
,nq, xrefs: 028369F2
,nq, xrefs: 02836A00
(ojq, xrefs: 02836988

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$,nq$,nq
API String ID: 0-954490635
Opcode ID: 2d78e69e7e7506dd91329e04a7f359b9be5caae13290326271197f4c18cf8c95
Instruction ID: b4d93888060562be3cd63dbd424e81b7d724a899411aa6111faab7c4c5a26a90
Opcode Fuzzy Hash: 2d78e69e7e7506dd91329e04a7f359b9be5caae13290326271197f4c18cf8c95
Instruction Fuzzy Hash: C4125E78A00129EFDB16CF6CC984AADBBBAFF48314F158469E405EB261E730D851CF94

Function 0283B4A0 Relevance: 6.5, Strings: 5, Instructions: 224COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0283B6E5
0oMp, xrefs: 0283B562
PHjq, xrefs: 0283B758
PHjq, xrefs: 0283B747
LjMp, xrefs: 0283B6CF

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: 618189a6811e54c0b1be6ab979193a25e0855a01b584d693b81fc34e6581c799
Instruction ID: 302c261241861ac87583932565d648381af9d81f69fc41d709070e1eba013d45
Opcode Fuzzy Hash: 618189a6811e54c0b1be6ab979193a25e0855a01b584d693b81fc34e6581c799
Instruction Fuzzy Hash: A9A1F6B8E002189FDB15DFA9D984A9DBBB2FF89314F14C06AD409EB366DB349941CF50

Function 0283BEB0 Relevance: 6.5, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

0oMp, xrefs: 0283BF22
LjMp, xrefs: 0283C0A5
LjMp, xrefs: 0283C08F
PHjq, xrefs: 0283C107
PHjq, xrefs: 0283C118

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: cd1093a055065f640ad48bfddfd6ebdbafce4975f8a19b2ab02fe4dd83320797
Instruction ID: 41a54d0e497e4702eb33f10252375ea33a20bbe5b92a69128e4d4692c2b4cb3a
Opcode Fuzzy Hash: cd1093a055065f640ad48bfddfd6ebdbafce4975f8a19b2ab02fe4dd83320797
Instruction Fuzzy Hash: 1E91F578E002189FDB15DFA9D994A9DBBF2BF88304F14C06AD409EB365DB349945CF50

Function 0283C751 Relevance: 6.4, Strings: 5, Instructions: 193COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0283C92F
PHjq, xrefs: 0283C9A7
LjMp, xrefs: 0283C945
PHjq, xrefs: 0283C9B8
0oMp, xrefs: 0283C7C2

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: a3f0b37a4c41d425daf734780af15b095d3cf056171844c98781a776d9053513
Instruction ID: 33ce8396c7e01d74682752445258940c467d432794e089ace8c54b0e781fdfbc
Opcode Fuzzy Hash: a3f0b37a4c41d425daf734780af15b095d3cf056171844c98781a776d9053513
Instruction Fuzzy Hash: 6C81D278E012189FDB15DFAAD884A9DBBF2BF88310F14806AD809EB365DB349941CF50

Function 02834AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PHjq, xrefs: 02834D30
LjMp, xrefs: 02834CCE
0oMp, xrefs: 02834B4A
LjMp, xrefs: 02834CB8
PHjq, xrefs: 02834D41

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: a69e8a429ddbf199ce63b8729eef59efb2ba511c9e4af30521093cdf6cf28e89
Instruction ID: b39a02de28da766155bc72a7caf69026f1d40e7c5a3e22578a13bc9b450e8a4a
Opcode Fuzzy Hash: a69e8a429ddbf199ce63b8729eef59efb2ba511c9e4af30521093cdf6cf28e89
Instruction Fuzzy Hash: 1681A478E01218DFEB15DFA9D984A9DBBF2BF88300F14C069D819AB365DB349946CF50

Function 0283CA31 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0283CC0F
0oMp, xrefs: 0283CAA2
PHjq, xrefs: 0283CC98
LjMp, xrefs: 0283CC25
PHjq, xrefs: 0283CC87

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: f8d4ebe2328be4098c0c54a7589078ae7d4cbaab66301435417af9c08f004541
Instruction ID: de6fb7035831203d49815fcc868378b9eebe4358fa3171a8e9367f0e31388d52
Opcode Fuzzy Hash: f8d4ebe2328be4098c0c54a7589078ae7d4cbaab66301435417af9c08f004541
Instruction Fuzzy Hash: 6881C678E01218DFDB15DFA9D984A9DBBF2BF88300F14C06AD809AB365DB349946CF50

Function 0283C470 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0283C64F
LjMp, xrefs: 0283C665
0oMp, xrefs: 0283C4E2
PHjq, xrefs: 0283C6D8
PHjq, xrefs: 0283C6C7

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: 1a3c0ed7ef33639ae15940a21d8376406f8087b41c80375fc776e07e33729256
Instruction ID: 380d6440995bbfdeb6248a93b90e428ad3f96dd91147322d8d0a1c84cf282583
Opcode Fuzzy Hash: 1a3c0ed7ef33639ae15940a21d8376406f8087b41c80375fc776e07e33729256
Instruction Fuzzy Hash: 2281B278E002189FDB15DFAAD984A9DBBF2BF88310F14D06AD809AB365DB349941CF50

Function 0283B4F3 Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

0oMp, xrefs: 0283B562
PHjq, xrefs: 0283B758
PHjq, xrefs: 0283B747

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 0oMp$PHjq$PHjq
API String ID: 0-468826151
Opcode ID: 7137183790eaef03cdc1ffb304bf8830d208a6d26392adf1977560f73fcf8703
Instruction ID: 98aed680c832d31a0939fba9772a68d03bdcfea550be191874bd3eac95088767
Opcode Fuzzy Hash: 7137183790eaef03cdc1ffb304bf8830d208a6d26392adf1977560f73fcf8703
Instruction Fuzzy Hash: FA61C5B8E016089FDB15DFAAD984A9DBBF2FF88314F14C06AD409AB365DB345941CF50

Function 02839858 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0283A273
(ojq, xrefs: 02839C78

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: (ojq$4'jq
API String ID: 0-4148772637
Opcode ID: fb4f11bbabc3748f5e1c58528bf0ae65f8930d275b062805d9448774dac6d3be
Instruction ID: 66ddafc3982e50fa43d4e30c662ee1364461f3b85e6ace777faa4e86e8013fe6
Opcode Fuzzy Hash: fb4f11bbabc3748f5e1c58528bf0ae65f8930d275b062805d9448774dac6d3be
Instruction Fuzzy Hash: B072A479A00209DFCB16CF68C984AAEBBF2FF48304F158559E846DB3A5D770E951CB90

Function 02836108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(ojq, xrefs: 02836642
Hnq, xrefs: 0283650E

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: (ojq$Hnq
API String ID: 0-4162186043
Opcode ID: 5e9c0734d4d8c9bec647fff07c2ee0061be16f44a9747e0d5ecc260cf961c8b0
Instruction ID: 9e59c844da8a5ea857e869f115ee6d6c78c5c74475189c4d4f1d3a3342683c82
Opcode Fuzzy Hash: 5e9c0734d4d8c9bec647fff07c2ee0061be16f44a9747e0d5ecc260cf961c8b0
Instruction Fuzzy Hash: 0912C274A00228AFCB15CF69C9547AEBBFABF88304F14856DE409DB395EB349C45CB94

Function 02833570 Relevance: 2.9, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

Xnq, xrefs: 028335AF
$jq, xrefs: 02833596

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: Xnq$$jq
API String ID: 0-65531410
Opcode ID: 692472959945ad432a445546923152bbe1590b3c8123cf065637c93ecba550e1
Instruction ID: 520bb7cca93854e0ef011f9b309883bc805d5047a1616a4bfdc1e37e5874f0b5
Opcode Fuzzy Hash: 692472959945ad432a445546923152bbe1590b3c8123cf065637c93ecba550e1
Instruction Fuzzy Hash: D3F16E78F012599FCF49DFB8D8546AEBBB2BF89310B148569D406EB358DB349C42CB81

Function 02836E58 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(ojq, xrefs: 02836E96
(ojq, xrefs: 0283701A
,nq, xrefs: 02837308
(ojq, xrefs: 02836F51
,nq, xrefs: 028372F8
(ojq, xrefs: 02836F7D
(ojq, xrefs: 02837367
(ojq, xrefs: 02837377

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$(ojq$(ojq$(ojq$,nq$,nq
API String ID: 0-912422979
Opcode ID: 53710ac4f7a9ead223e711ec55906e68b0844958a2b81034ad1adf133db7e1ff
Instruction ID: 0da90f69cd33b2a3b0388b386bcf1764c71392f0ec867a8c9eacc6e870801592
Opcode Fuzzy Hash: 53710ac4f7a9ead223e711ec55906e68b0844958a2b81034ad1adf133db7e1ff
Instruction Fuzzy Hash: 36125D79A002499FCB16CF69D984EAEBBF6FF48314F148559E809DB261DB30ED41CB90

Function 028387E9 Relevance: 4.2, Strings: 3, Instructions: 498COMMON

Download Yara Rule

Strings

4'jq, xrefs: 02838811
4'jq, xrefs: 02838837
;jq, xrefs: 02838C2C

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$;jq
API String ID: 0-1429056558
Opcode ID: f6a29b5b08d416c38a928da146a80f92baff6e4ee2465eeb13e524c538e3731a
Instruction ID: 4ec210b177eab89bc660163f690440b130eb18a2d6559280fe142cfccb8701a3
Opcode Fuzzy Hash: f6a29b5b08d416c38a928da146a80f92baff6e4ee2465eeb13e524c538e3731a
Instruction Fuzzy Hash: 18F19E7C3042068FDB169B29C958B7977AAAF85708F1944AAF406CF3B1EF29DC41C791

Function 028377F0 Relevance: 3.2, Strings: 2, Instructions: 704COMMON

Download Yara Rule

Strings

$jq, xrefs: 02838314
$jq, xrefs: 02838337

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 750af0018108fbe1f925bf2c0691f943e0643081765a233c6c94c4a868fc367e
Instruction ID: 6154c5430f8b62f3311dbc331cbf48b21264fd84ed71f822b5479b9ad69576ae
Opcode Fuzzy Hash: 750af0018108fbe1f925bf2c0691f943e0643081765a233c6c94c4a868fc367e
Instruction Fuzzy Hash: 91524274A00218CFEB159BA4C964BAEBBB7FF44300F1081AAD50A6B3A5CF345D85DF95

Function 028356A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hnq, xrefs: 028357C6
Hnq, xrefs: 02835793

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: Hnq$Hnq
API String ID: 0-3075287205
Opcode ID: c2a6a21ecfff9af5a68829aefdb339752609e9da55f64e562803fdb487e5b8e7
Instruction ID: 6bc4928a4d7c796e9dc6635e989c4682aa3df91e9d35fde42f30906d8d950ed1
Opcode Fuzzy Hash: c2a6a21ecfff9af5a68829aefdb339752609e9da55f64e562803fdb487e5b8e7
Instruction Fuzzy Hash: 75B1C2387082549FDB169F78D898B7A7BE2AF88314F544969E84ACB391DF38C851C7D0

Function 02835C08 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,nq, xrefs: 02835CE8
,nq, xrefs: 02835CDE

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: ,nq$,nq
API String ID: 0-3932345633
Opcode ID: cc27fcc1c74c509f3fadaedc50e1a9007f4bbf62b6a6c1d2601c425c44226d42
Instruction ID: b358f88a529c343046af27807a46ceadff2db37c88a2d922a7a32eb480b1d4a4
Opcode Fuzzy Hash: cc27fcc1c74c509f3fadaedc50e1a9007f4bbf62b6a6c1d2601c425c44226d42
Instruction Fuzzy Hash: 0681803DA001058FCB16DF69C488AAAB7F2FF8D318B958169D409DB365D739E841CBD0

Function 02833428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xnq, xrefs: 0283345E
Xnq, xrefs: 02833435

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: Xnq$Xnq
API String ID: 0-10259684
Opcode ID: d96ed403f6bf285db392e9efdf7b81a4d90e3fe404f2703b09fa282f096f1457
Instruction ID: 354b129bef0a460f7695b9b9eaa12fe7b949a3c0da7fa912d850e74733c0d46e
Opcode Fuzzy Hash: d96ed403f6bf285db392e9efdf7b81a4d90e3fe404f2703b09fa282f096f1457
Instruction Fuzzy Hash: 4931347EF043288BDF1A4B6A9A9437E65DABBC4224F14847DD81AC7380DF74CC4886D1

Function 02830C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02830E5E

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 7230d71482ae9928bcf58591f59751a0e2fea5089bae2d0718329cc7736faff2
Instruction ID: 97b4f74bb4852cd084aea4deee311a694ccb6c66a03a208502a53130378b404b
Opcode Fuzzy Hash: 7230d71482ae9928bcf58591f59751a0e2fea5089bae2d0718329cc7736faff2
Instruction Fuzzy Hash: F322FF78D44219DFCB54EF68E985A9DBBB5FF48301F1089AAD449AB318DB306D85CF40

Function 02830CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02830E5E

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 776c77df25ed2c566362dcb40768036a6a212def8c639846a3fb15a3f57d2806
Instruction ID: b728723b764a354e3eb5585e070c946e1d3bd1142951f5bc455c8a6e5bf584e4
Opcode Fuzzy Hash: 776c77df25ed2c566362dcb40768036a6a212def8c639846a3fb15a3f57d2806
Instruction Fuzzy Hash: 1322FE78D44219DFCB54EF68E989A9DBBB5FF48301F1089AAD449AB318DB306D85CF40

Function 0283A650 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(ojq, xrefs: 0283A7D9

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: (ojq
API String ID: 0-3210286679
Opcode ID: 71e710b9a0196f5131b5c9553d7d7aa39a072fa11c315572172fd2324e621cba
Instruction ID: 03ce003034f25a788258ff6713578f63cf7daa8189d6c798c97d843966923799
Opcode Fuzzy Hash: 71e710b9a0196f5131b5c9553d7d7aa39a072fa11c315572172fd2324e621cba
Instruction Fuzzy Hash: 3541BD39B042089FCB199B69D8586AE7BF6BFC8210F14446DD946E7391DE359C12CBD0

Function 028377E0 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a95d5abe88ae755ca5087d7254c59f9ee7478dbe0ecdbc26d5faa9c38e8723
Instruction ID: b41aa62ed2de9a97f7930e5b649d6652b0d77f8445cef4d1a1c8485e093eb951
Opcode Fuzzy Hash: 72a95d5abe88ae755ca5087d7254c59f9ee7478dbe0ecdbc26d5faa9c38e8723
Instruction Fuzzy Hash: AC422E74E002188FEB159BA4C964BEEBBB7EF84300F1081AAD50A6B365CF345D85DF95

Function 0283A84F Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2f5a7c3e9aff833fdbf13d943c45a7e729296c4f31da1e55b5fd09f7d1c4b5
Instruction ID: 803b89b343f2ac13cc7dee02c41fd130fa67acb06c5a496467938f8ecb058ada
Opcode Fuzzy Hash: 0c2f5a7c3e9aff833fdbf13d943c45a7e729296c4f31da1e55b5fd09f7d1c4b5
Instruction Fuzzy Hash: 02F12E79A002158FCB0ACF6DD588AADBBF6FF88314B1A8459E455EB361C735EC41CB90

Function 02837438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbdf581ff68859a16c350f1bad00a5589ca2c7c8747652c8da00076a85c4e2c
Instruction ID: fd3aad6228b8f999f588aa5d7953480bfc303c808ff90f08722e4fa93422b7af
Opcode Fuzzy Hash: 5fbdf581ff68859a16c350f1bad00a5589ca2c7c8747652c8da00076a85c4e2c
Instruction Fuzzy Hash: A2710A79704205CFDB1ADF28C498A69BBE6AF49214F1544A9E506CB3B1EB70DC41CBD0

Function 0283CEC7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711cd750741c6956a4427b57b8a28f558c9b14f5fccf9c19032f758bf28f5479
Instruction ID: 21f872ebc01836b290a121770cc4f62b631a2e14e62cae1c8707483dd7e36adc
Opcode Fuzzy Hash: 711cd750741c6956a4427b57b8a28f558c9b14f5fccf9c19032f758bf28f5479
Instruction Fuzzy Hash: 8951D234AA92538FD3043F21A9AC47E7BA0FB1F35B3987D09E02F91445CB3064A5CA60

Function 0283CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c304c6ab5169a9912905c88c511b544a0eaa0e3b369a0889ce754bbd1443e8
Instruction ID: 4c940b3a5aa371694311921557a3d51e2524ff8ea8bf21e133c6a03203b07743
Opcode Fuzzy Hash: b1c304c6ab5169a9912905c88c511b544a0eaa0e3b369a0889ce754bbd1443e8
Instruction Fuzzy Hash: B251A230AAA3538FD3043F21A9AC53E7BA4FB1F35B7987D09E02F91455CB7064A5CA60

Function 0283CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c264a9f4439e05288728958381004072accdd6ee2140c38028f0f4a5086dce2
Instruction ID: 5a5665a8a4d63fe449408258ec9ea1a4a415e41266eaaffd67e677c5a69fca33
Opcode Fuzzy Hash: 2c264a9f4439e05288728958381004072accdd6ee2140c38028f0f4a5086dce2
Instruction Fuzzy Hash: 8451A474E012189FDB48DFA9D9949DDBBF2FF89300F248169E809AB364DB31A845CF50

Function 02833908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6e6b2558b5a33777bf2688d8436d195785845ef339404a31dc2ecf250ecd33
Instruction ID: 6fa9fbf358ca7e55f0ead6bcac9d00b839b114fd8908f1405513c75d853a03e1
Opcode Fuzzy Hash: ea6e6b2558b5a33777bf2688d8436d195785845ef339404a31dc2ecf250ecd33
Instruction Fuzzy Hash: EB518478E01208DFCB49DFA9D59499DBBB2FF8D310B20946AE805AB364DB319945CF50

Function 02839A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fa2685125a47ea43c15d6b77e6ec4eddd5e01df1a5d3d528a3a8aa54de5f18
Instruction ID: e42bd8b519d603c1d5010e31cff1ee6d2515accb153100dae48c039f0107a650
Opcode Fuzzy Hash: c6fa2685125a47ea43c15d6b77e6ec4eddd5e01df1a5d3d528a3a8aa54de5f18
Instruction Fuzzy Hash: 0541C239A04259DFCF12CFA8C844ADEBFB2BF49314F048565E855EB2A5D3B0D921CB90

Function 02834DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45aa7786a856c7c0da406ea47500f954772e59c17b6a2ba2e8838abc1755d123
Instruction ID: b79069d0a6d338670c2b2c446e548e38aa6425ee567879416929ee421ae149ab
Opcode Fuzzy Hash: 45aa7786a856c7c0da406ea47500f954772e59c17b6a2ba2e8838abc1755d123
Instruction Fuzzy Hash: B1314A39608249AFCB069FA4D858AAF7BE6EF48214F104469F9198B250CB35DC65DBE0

Function 028376D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5afdc674838294a17fb0418e19aeb02089d65b6da24c03a5c28579bf9075f61
Instruction ID: e31f1a0de86c08e7ee43e1dc3182f980c63c1d15901c0f26ea8675e029b2bbea
Opcode Fuzzy Hash: a5afdc674838294a17fb0418e19aeb02089d65b6da24c03a5c28579bf9075f61
Instruction Fuzzy Hash: 3321A17C3082054BEB1617298994BBEB6D79FC8619B18447DD90ACB7A4EF39CC42D7D0

Function 028376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3874a7ce165e4438ac592af9295c27f7ea002d3a7c30215f6de02a8a46de43f3
Instruction ID: e6fd990050d76f97b56dcc424a2ca763444416686ef46fa2f0d844e0b6a026de
Opcode Fuzzy Hash: 3874a7ce165e4438ac592af9295c27f7ea002d3a7c30215f6de02a8a46de43f3
Instruction Fuzzy Hash: C6218E7C3082054BEB1616298998BBEB69B9FC4758F14407DD50ACB7A8EF79CC82D7D0

Function 02835A63 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf7eed1bfff2e2d4995052d738df2f6dc5061b3353d60282b805a10869c5da2
Instruction ID: 395a746504f21dcc8ce0a2ab20f63f861289847ee8cf9f1c9801022d2cbd4773
Opcode Fuzzy Hash: caf7eed1bfff2e2d4995052d738df2f6dc5061b3353d60282b805a10869c5da2
Instruction Fuzzy Hash: 8C21D0397056118FC7269A68C4A857FBBA3EF88764B0445A9E806DB354CF38DC16CBD0

Function 02832060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0b0a568c89fc83d96dccc4c553eb0e599eae80464d7f1f99c22ca1becb5a25
Instruction ID: f64d85c675bd9776f9129f94587f289c54f964aa6cc3062b7bc9698aaef6e16a
Opcode Fuzzy Hash: ad0b0a568c89fc83d96dccc4c553eb0e599eae80464d7f1f99c22ca1becb5a25
Instruction Fuzzy Hash: 9A21E239A00209AFCF15DF34C950AAE77B5EB8C260B10C42ADC09CB258DB31EE45CBD1

Function 026BD404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2098920913.00000000026BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26bd000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23c6655474df0101aec98e630cd7650fd992a207f8ef0d0fd7b63a41177438c
Instruction ID: bac033de878807548d2b559bc2773c18feb387ab3296ed55a19ad76e611421e4
Opcode Fuzzy Hash: c23c6655474df0101aec98e630cd7650fd992a207f8ef0d0fd7b63a41177438c
Instruction Fuzzy Hash: 0A21FF71500244EFDB1ADF14D9C0B66BF65FF88324F24C569E9090E256C33AE49ACBA2

Function 0283D123 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb93ef94c8851c35bc894f0dfcf3128ee4a25851813d9c89d3dae4f377a0f6f
Instruction ID: 12643ead4624019f6a54b2fe245cf5d0bdf21ed52299ae1aa39c9ce9aacffd26
Opcode Fuzzy Hash: ceb93ef94c8851c35bc894f0dfcf3128ee4a25851813d9c89d3dae4f377a0f6f
Instruction Fuzzy Hash: 4421F435C112198ECB01EFA8D8446ECFBB4BF4A305F509629E805B7254EB306A9ACB80

Function 0283D218 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1d3326ff7322ce6e2c29afa93b3f58b1f62279725dc0624f6277d3ded94b66
Instruction ID: 9e99d621f26a3b90bf2d92cc82c24f890c5cb2b2aa411456ff5a32e773af264a
Opcode Fuzzy Hash: 5a1d3326ff7322ce6e2c29afa93b3f58b1f62279725dc0624f6277d3ded94b66
Instruction Fuzzy Hash: 80211434D05208DFCB09DBB4D851AEDB7B2BF8A304F10A429D80577364DB39A846CA65

Function 0283215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb33002c317f97c5de49e88afb57de18a67ca13348e8a6356c9f7286190c84a9
Instruction ID: 304c622875b6378f0b275d349dd036ee2e3dcf3b748c95148e8529b7dd3a02b6
Opcode Fuzzy Hash: fb33002c317f97c5de49e88afb57de18a67ca13348e8a6356c9f7286190c84a9
Instruction Fuzzy Hash: 42117836E0435D9FCF029BB8AC008DEFB71FF89220B248756E525B7195EA316906C790

Function 02834DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce00cf0a9e94612e326e5f0c005f0a0ef1efba6df86da17abc99f849093d29f7
Instruction ID: 06b7aa2257b3144fd8be02fb250e40966810ee80ab5aaff036af4e72f71d8cff
Opcode Fuzzy Hash: ce00cf0a9e94612e326e5f0c005f0a0ef1efba6df86da17abc99f849093d29f7
Instruction Fuzzy Hash: D72184756482459FDB169FA4D458BAB3BE2EF44324F104469E809CB351CB38CCA5CBE4

Function 02831F08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2416db2c8706d41e678e7bfcc7f586db40d2bf81e1162e1131ac6d22ca66a880
Instruction ID: bc1a93cf4812a57b3ff44edbd3f76ade91b98e1044b5d7b43df899fa0d7331b9
Opcode Fuzzy Hash: 2416db2c8706d41e678e7bfcc7f586db40d2bf81e1162e1131ac6d22ca66a880
Instruction Fuzzy Hash: 08214878C092098FCB02EFB8D9984EDBFF0BF49300F14456AC455B7218EB315A58CBA1

Function 0283D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750e9da82c4ba91849ae31bfeea9900e5a4b9be2a6b2c0d8eee6ca2e935cf4f1
Instruction ID: 09f2a042288f91ecae663742f204869821dc5d7035cacb853b1241bf42c58bf2
Opcode Fuzzy Hash: 750e9da82c4ba91849ae31bfeea9900e5a4b9be2a6b2c0d8eee6ca2e935cf4f1
Instruction Fuzzy Hash: F6210634E052089FDB09DBB4D850AEDB7B2BB8A300F106429D40577354DB3AA945CE65

Function 02835A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0fd95d1895400da76307f46125c696b1809ba2949cec24cc3bc0d0b525c142
Instruction ID: 7d8280540d94f43666f781d31c725313416e28bea283e5ff0aa7275bb9ef80c6
Opcode Fuzzy Hash: 3a0fd95d1895400da76307f46125c696b1809ba2949cec24cc3bc0d0b525c142
Instruction Fuzzy Hash: DE11C2397056118BC7165A29C49853EB7A6EF886657554568E80ADB350CF38DC1287D0

Function 026BD3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2098920913.00000000026BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26bd000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 92faa6d128edcfbba9b9a09fd9ee3a3e0e1da791b1551e5fef0ca05bba9823df
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 0711AF76504280DFCB16CF10D5C4B56BF71FB88324F24C5A9D9490F656C33AE45ACBA2

Function 02831F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b99b635b080910278083eca16f67285d03d7fa8744adfbd00f5d1fcfa404e2
Instruction ID: bf76afc3424382cd601a45a0e053283daa9b5e64a37b19634eb732cce891fe7d
Opcode Fuzzy Hash: 76b99b635b080910278083eca16f67285d03d7fa8744adfbd00f5d1fcfa404e2
Instruction Fuzzy Hash: 0021E274C0520A8FCB41EFA8D8555EDBFF1BF09300F10456AD809B3215EB305A59CBA1

Function 02835607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c7728a1be66d8a5fe6c45d5fed8d48dc82a19394db2f6d45a495d881332666
Instruction ID: dbf648e7c22d8430f55542076d9f5a4dcdfa0be0ddd8fd501b2bb254398a6acb
Opcode Fuzzy Hash: 39c7728a1be66d8a5fe6c45d5fed8d48dc82a19394db2f6d45a495d881332666
Instruction Fuzzy Hash: 2B01F5B6B041146FCB028E649814AFF3BE7DFC8351B18806EF909D7280DE398C129BA0

Function 02832010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5636facd3d3e1860e0b897447309f6abf600ebef5a446ab124fc0734378cbfe5
Instruction ID: f1326a5347ba0a9374eedf2fd1a4bfbd708db7a6ad6c67425efad14f20cbe25f
Opcode Fuzzy Hash: 5636facd3d3e1860e0b897447309f6abf600ebef5a446ab124fc0734378cbfe5
Instruction Fuzzy Hash: 78E0D831E283A75ECB13A7789C540EEBF719DD7214B1945BBD4D0AB052DB30191BC791

Function 02832020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d07b102ce70790a19b30fe71f5767be20975517f87733ce16f57658465f2018
Instruction ID: abe0d539bdd350f02f572a56405242d6caece130a91899ba2cdc6af8340b7287
Opcode Fuzzy Hash: 2d07b102ce70790a19b30fe71f5767be20975517f87733ce16f57658465f2018
Instruction Fuzzy Hash: DFD05B31D2022B57CB01E7A5DC044EFF738EED6261B544666D51437154FB702659C6E1

Function 02838258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9531850ad9193f39c1cb96893e03508b110770278129a4eb2fbaed1b1ec9b1e7
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: ABC0123B24C1282AA626208E7C40AA3AB8CD2C12B8A290137F91CE3200A8429C8041E8

Function 0283A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a4ee4c30ade3c2156e0fa5644c4232b2e76cc3f1d7ae8c7ab74ae51916c3bb
Instruction ID: 1f657961116a8960b380578152358713cc0f0c71ee0ca6c4b18f416d0e208ffe
Opcode Fuzzy Hash: e8a4ee4c30ade3c2156e0fa5644c4232b2e76cc3f1d7ae8c7ab74ae51916c3bb
Instruction Fuzzy Hash: 7DD0677BB410189FCB049F98E8448DDBBB6FB9C221B048526E915A3261C6319921DB90

Function 02835EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d59c8caf0f7a4bd46ab10a8dcbe9a89af173a40717437c34be6b5a9d379f9bc
Instruction ID: 0287daf552699e5e53aeacc6bec0414d4c86df35acfe058f86fa8d7c86e45d71
Opcode Fuzzy Hash: 5d59c8caf0f7a4bd46ab10a8dcbe9a89af173a40717437c34be6b5a9d379f9bc
Instruction Fuzzy Hash: 6DE0CD7055C3810FC713F778A59549C3F3A5D41208B0441A9A4404E11AEE79484EC754

Function 02835EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32fe9094c7b7b0413d125dd9e0a7f35a9e821b956264a034ec64d73c2e41b43
Instruction ID: 9cd26efc823d358fe8019e0b744f546c983b818e2d869164a3ad9cb8225dabf1
Opcode Fuzzy Hash: f32fe9094c7b7b0413d125dd9e0a7f35a9e821b956264a034ec64d73c2e41b43
Instruction Fuzzy Hash: 8DC012306683094BC606FBB9FB44959375FAEC0304F404565B0090D22DEF7C589C87A4

Non-executed Functions

Function 02836088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;jq, xrefs: 028360BA
\;jq, xrefs: 028360C6
\;jq, xrefs: 0283609E
\;jq, xrefs: 02836094

Memory Dump Source

Source File: 00000002.00000002.2099169937.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_PM114079-990528.jbxd

Similarity

API ID:
String ID: \;jq$\;jq$\;jq$\;jq
API String ID: 0-138087212
Opcode ID: 4992c0b631f8ac58511efec01d80da479913115977217abbd1c7ea3e44002392
Instruction ID: 19c1dc86898f40ff4b9c8812025b22664821965a8e2b1c84073507f81f99e84e
Opcode Fuzzy Hash: 4992c0b631f8ac58511efec01d80da479913115977217abbd1c7ea3e44002392
Instruction Fuzzy Hash: F201B13D700028AF8B218E2CC461A2677EFAF88664315417AE506EB3B4EFB1DC41C7D8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PM114079-990528.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PM114079-990528.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
PM114079-990528.exe

Function 015FA690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 015FCB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 015FBDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 015FAB00 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Function 015FA118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 015FA880 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05D6AC20 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 05D68BF4 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre