Edit tour

Windows Analysis Report
Details.exe

Overview

General Information

Sample name:	Details.exe
Analysis ID:	1465790
MD5:	a8a7ded2a82dc5650d018a55944ed7f6
SHA1:	78ea0f8f73c8533b21900e20242df96ec1c56ce0
SHA256:	cdb27cbc1e485ca7b7c3f4f2eb90015befdf7991cb5742814ccf0c18bea2af11
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Details.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\Details.exe" MD5: A8A7DED2A82DC5650D018A55944ED7F6)

Details.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\Details.exe" MD5: A8A7DED2A82DC5650D018A55944ED7F6)

cmd.exe (PID: 6276 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3536 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14843:$a1: get_encryptedPassword 0x14b2f:$a2: get_encryptedUsername 0x1464f:$a3: get_timePasswordChanged 0x1474a:$a4: get_passwordField 0x14859:$a5: set_encryptedPassword 0x15e39:$a7: get_logins 0x15d9c:$a10: KeyLoggerEventArgs 0x15a35:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18024:$x1: $%SMTPDV$ 0x1808a:$x2: $#TheHashHere%& 0x19681:$x3: %FTPDV$ 0x19775:$x4: $%TelegramDv$ 0x15a35:$x5: KeyLoggerEventArgs 0x15d9c:$x5: KeyLoggerEventArgs 0x196a5:$m2: Clipboard Logs ID 0x198c5:$m2: Screenshot Logs ID 0x199d5:$m2: keystroke Logs ID 0x19caf:$m3: SnakePW 0x1989d:$m4: \SnakeKeylogger\
00000000.00000002.2086952660.0000000005290000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf3053:$a1: get_encryptedPassword 0x113883:$a1: get_encryptedPassword 0x133ea3:$a1: get_encryptedPassword 0xf333f:$a2: get_encryptedUsername 0x113b6f:$a2: get_encryptedUsername 0x13418f:$a2: get_encryptedUsername 0xf2e5f:$a3: get_timePasswordChanged 0x11368f:$a3: get_timePasswordChanged 0x133caf:$a3: get_timePasswordChanged 0xf2f5a:$a4: get_passwordField 0x11378a:$a4: get_passwordField 0x133daa:$a4: get_passwordField 0xf3069:$a5: set_encryptedPassword 0x113899:$a5: set_encryptedPassword 0x133eb9:$a5: set_encryptedPassword 0xf4649:$a7: get_logins 0x114e79:$a7: get_logins 0x135499:$a7: get_logins 0xf45ac:$a10: KeyLoggerEventArgs 0x114ddc:$a10: KeyLoggerEventArgs 0x1353fc:$a10: KeyLoggerEventArgs
00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf6834:$x1: $%SMTPDV$ 0x117064:$x1: $%SMTPDV$ 0x137684:$x1: $%SMTPDV$ 0xf689a:$x2: $#TheHashHere%& 0x1170ca:$x2: $#TheHashHere%& 0x1376ea:$x2: $#TheHashHere%& 0xf7e91:$x3: %FTPDV$ 0x1186c1:$x3: %FTPDV$ 0x138ce1:$x3: %FTPDV$ 0xf7f85:$x4: $%TelegramDv$ 0x1187b5:$x4: $%TelegramDv$ 0x138dd5:$x4: $%TelegramDv$ 0xf4245:$x5: KeyLoggerEventArgs 0xf45ac:$x5: KeyLoggerEventArgs 0x114a75:$x5: KeyLoggerEventArgs 0x114ddc:$x5: KeyLoggerEventArgs 0x135095:$x5: KeyLoggerEventArgs 0x1353fc:$x5: KeyLoggerEventArgs 0xf7eb5:$m2: Clipboard Logs ID 0xf80d5:$m2: Screenshot Logs ID 0xf81e5:$m2: keystroke Logs ID
00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Details.exe PID: 6464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Details.exe PID: 6464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Details.exe PID: 6464	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Details.exe PID: 6464	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4d84d:$a1: get_encryptedPassword 0x4da98:$a2: get_encryptedUsername 0x4d67c:$a3: get_timePasswordChanged 0x4d75e:$a4: get_passwordField 0x4d863:$a5: set_encryptedPassword 0x4f648:$a7: get_logins 0x4f5c9:$a10: KeyLoggerEventArgs 0x4f365:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Details.exe PID: 6464	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4f365:$x5: KeyLoggerEventArgs 0x4f5c9:$x5: KeyLoggerEventArgs 0x4fdf4:$x5: KeyLoggerEventArgs 0x50128:$x5: KeyLoggerEventArgs 0x5164e:$m2: Clipboard Logs ID 0x51745:$m2: Screenshot Logs ID 0x5179b:$m2: keystroke Logs ID 0x518d0:$m3: SnakePW 0x51731:$m4: \SnakeKeylogger\
Process Memory Space: Details.exe PID: 2276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Details.exe PID: 2276	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Details.exe PID: 2276	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1329:$a1: get_encryptedPassword 0x160b:$a2: get_encryptedUsername 0x113f:$a3: get_timePasswordChanged 0x123a:$a4: get_passwordField 0x133f:$a5: set_encryptedPassword 0x372b:$a7: get_logins 0x368e:$a10: KeyLoggerEventArgs 0x3327:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Details.exe PID: 2276	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3327:$x5: KeyLoggerEventArgs 0x368e:$x5: KeyLoggerEventArgs 0x3f7c:$x5: KeyLoggerEventArgs 0x42b0:$x5: KeyLoggerEventArgs 0x585e:$m2: Clipboard Logs ID 0x5955:$m2: Screenshot Logs ID 0x59ab:$m2: keystroke Logs ID 0x5ae0:$m3: SnakePW 0x5941:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Details.exe.5290000.6.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
2.2.Details.exe.700000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Details.exe.700000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.Details.exe.700000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.Details.exe.700000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x15c35:$a11: KeyLoggerEventArgsEventHandler
2.2.Details.exe.700000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data
2.2.Details.exe.700000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x155c7:$s2: SetHook 0x155cf:$s3: CallNextHook 0x155dc:$s4: _hook
2.2.Details.exe.700000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID 0x19eaf:$m3: SnakePW 0x19a9d:$m4: \SnakeKeylogger\
0.2.Details.exe.3c77e40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Details.exe.3c77e40.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Details.exe.3c77e40.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x14239:$a7: get_logins 0x1419c:$a10: KeyLoggerEventArgs 0x13e35:$a11: KeyLoggerEventArgsEventHandler
0.2.Details.exe.3c77e40.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a471:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ad6:$a4: \Orbitum\User Data\Default\Login Data 0x1ab15:$a5: \Kometa\User Data\Default\Login Data
0.2.Details.exe.3c77e40.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c0:$s1: UnHook 0x137c7:$s2: SetHook 0x137cf:$s3: CallNextHook 0x137dc:$s4: _hook
0.2.Details.exe.3c77e40.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16424:$x1: $%SMTPDV$ 0x1648a:$x2: $#TheHashHere%& 0x17a81:$x3: %FTPDV$ 0x17b75:$x4: $%TelegramDv$ 0x13e35:$x5: KeyLoggerEventArgs 0x1419c:$x5: KeyLoggerEventArgs 0x17aa5:$m2: Clipboard Logs ID 0x17cc5:$m2: Screenshot Logs ID 0x17dd5:$m2: keystroke Logs ID 0x180af:$m3: SnakePW 0x17c9d:$m4: \SnakeKeylogger\
0.2.Details.exe.5290000.6.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48c6b:$x1: In$J$ct0r
0.2.Details.exe.3bc7b70.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48c6b:$x1: In$J$ct0r
0.2.Details.exe.3c57610.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Details.exe.3c57610.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Details.exe.3c57610.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x14239:$a7: get_logins 0x1419c:$a10: KeyLoggerEventArgs 0x13e35:$a11: KeyLoggerEventArgsEventHandler
0.2.Details.exe.2bc98cc.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa2098:$x1: In$J$ct0r 0xa2fa4:$a1: WriteProcessMemory 0xa3030:$a1: WriteProcessMemory 0xa3104:$a4: VirtualAllocEx 0xa3328:$a4: VirtualAllocEx 0xa33a8:$a4: VirtualAllocEx
0.2.Details.exe.3c57610.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a471:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ad6:$a4: \Orbitum\User Data\Default\Login Data 0x1ab15:$a5: \Kometa\User Data\Default\Login Data
0.2.Details.exe.3c57610.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c0:$s1: UnHook 0x137c7:$s2: SetHook 0x137cf:$s3: CallNextHook 0x137dc:$s4: _hook
0.2.Details.exe.3c57610.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16424:$x1: $%SMTPDV$ 0x1648a:$x2: $#TheHashHere%& 0x17a81:$x3: %FTPDV$ 0x17b75:$x4: $%TelegramDv$ 0x13e35:$x5: KeyLoggerEventArgs 0x1419c:$x5: KeyLoggerEventArgs 0x17aa5:$m2: Clipboard Logs ID 0x17cc5:$m2: Screenshot Logs ID 0x17dd5:$m2: keystroke Logs ID 0x180af:$m3: SnakePW 0x17c9d:$m4: \SnakeKeylogger\
0.2.Details.exe.2bc708c.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48d8:$x1: In$J$ct0r 0xa57e4:$a1: WriteProcessMemory 0xa5870:$a1: WriteProcessMemory 0xa5944:$a4: VirtualAllocEx 0xa5b68:$a4: VirtualAllocEx 0xa5be8:$a4: VirtualAllocEx
0.2.Details.exe.3c77e40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Details.exe.3c77e40.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Details.exe.3c77e40.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Details.exe.3c77e40.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35063:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3534f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x34e6f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x34f6a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35079:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x36659:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x365bc:$a10: KeyLoggerEventArgs 0x15c35:$a11: KeyLoggerEventArgsEventHandler 0x36255:$a11: KeyLoggerEventArgsEventHandler
0.2.Details.exe.3c77e40.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c891:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bac3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x3bef6:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data 0x3cf35:$a5: \Kometa\User Data\Default\Login Data
0.2.Details.exe.3c77e40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x35be0:$s1: UnHook 0x155c7:$s2: SetHook 0x35be7:$s2: SetHook 0x155cf:$s3: CallNextHook 0x35bef:$s3: CallNextHook 0x155dc:$s4: _hook 0x35bfc:$s4: _hook
0.2.Details.exe.3c77e40.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x38844:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x388aa:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x39ea1:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x39f95:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x36255:$x5: KeyLoggerEventArgs 0x365bc:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID 0x39ec5:$m2: Clipboard Logs ID 0x3a0e5:$m2: Screenshot Logs ID 0x3a1f5:$m2: keystroke Logs ID 0x19eaf:$m3: SnakePW 0x3a4cf:$m3: SnakePW 0x19a9d:$m4: \SnakeKeylogger\
0.2.Details.exe.3c57610.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Details.exe.3c57610.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Details.exe.3c57610.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Details.exe.3c57610.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35273:$a1: get_encryptedPassword 0x55893:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3555f:$a2: get_encryptedUsername 0x55b7f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x3507f:$a3: get_timePasswordChanged 0x5569f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x3517a:$a4: get_passwordField 0x5579a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35289:$a5: set_encryptedPassword 0x558a9:$a5: set_encryptedPassword 0x16039:$a7: get_logins 0x36869:$a7: get_logins 0x56e89:$a7: get_logins 0x15f9c:$a10: KeyLoggerEventArgs 0x367cc:$a10: KeyLoggerEventArgs 0x56dec:$a10: KeyLoggerEventArgs
0.2.Details.exe.3c57610.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c271:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3caa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d0c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bcd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c2f3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8d6:$a4: \Orbitum\User Data\Default\Login Data 0x3c106:$a4: \Orbitum\User Data\Default\Login Data 0x5c726:$a4: \Orbitum\User Data\Default\Login Data 0x1c915:$a5: \Kometa\User Data\Default\Login Data 0x3d145:$a5: \Kometa\User Data\Default\Login Data 0x5d765:$a5: \Kometa\User Data\Default\Login Data
0.2.Details.exe.3c57610.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c0:$s1: UnHook 0x35df0:$s1: UnHook 0x56410:$s1: UnHook 0x155c7:$s2: SetHook 0x35df7:$s2: SetHook 0x56417:$s2: SetHook 0x155cf:$s3: CallNextHook 0x35dff:$s3: CallNextHook 0x5641f:$s3: CallNextHook 0x155dc:$s4: _hook 0x35e0c:$s4: _hook 0x5642c:$s4: _hook
0.2.Details.exe.3c57610.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18224:$x1: $%SMTPDV$ 0x38a54:$x1: $%SMTPDV$ 0x59074:$x1: $%SMTPDV$ 0x1828a:$x2: $#TheHashHere%& 0x38aba:$x2: $#TheHashHere%& 0x590da:$x2: $#TheHashHere%& 0x19881:$x3: %FTPDV$ 0x3a0b1:$x3: %FTPDV$ 0x5a6d1:$x3: %FTPDV$ 0x19975:$x4: $%TelegramDv$ 0x3a1a5:$x4: $%TelegramDv$ 0x5a7c5:$x4: $%TelegramDv$ 0x15c35:$x5: KeyLoggerEventArgs 0x15f9c:$x5: KeyLoggerEventArgs 0x36465:$x5: KeyLoggerEventArgs 0x367cc:$x5: KeyLoggerEventArgs 0x56a85:$x5: KeyLoggerEventArgs 0x56dec:$x5: KeyLoggerEventArgs 0x198a5:$m2: Clipboard Logs ID 0x19ac5:$m2: Screenshot Logs ID 0x19bd5:$m2: keystroke Logs ID
0.2.Details.exe.3bc7b70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Details.exe.3bc7b70.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Details.exe.3bc7b70.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Details.exe.3bc7b70.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa44e3:$a1: get_encryptedPassword 0xc4d13:$a1: get_encryptedPassword 0xe5333:$a1: get_encryptedPassword 0xa47cf:$a2: get_encryptedUsername 0xc4fff:$a2: get_encryptedUsername 0xe561f:$a2: get_encryptedUsername 0xa42ef:$a3: get_timePasswordChanged 0xc4b1f:$a3: get_timePasswordChanged 0xe513f:$a3: get_timePasswordChanged 0xa43ea:$a4: get_passwordField 0xc4c1a:$a4: get_passwordField 0xe523a:$a4: get_passwordField 0xa44f9:$a5: set_encryptedPassword 0xc4d29:$a5: set_encryptedPassword 0xe5349:$a5: set_encryptedPassword 0xa5ad9:$a7: get_logins 0xc6309:$a7: get_logins 0xe6929:$a7: get_logins 0xa5a3c:$a10: KeyLoggerEventArgs 0xc626c:$a10: KeyLoggerEventArgs 0xe688c:$a10: KeyLoggerEventArgs
0.2.Details.exe.3bc7b70.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5060:$s1: UnHook 0xc5890:$s1: UnHook 0xe5eb0:$s1: UnHook 0xa5067:$s2: SetHook 0xc5897:$s2: SetHook 0xe5eb7:$s2: SetHook 0xa506f:$s3: CallNextHook 0xc589f:$s3: CallNextHook 0xe5ebf:$s3: CallNextHook 0xa507c:$s4: _hook 0xc58ac:$s4: _hook 0xe5ecc:$s4: _hook
0.2.Details.exe.3bc7b70.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa7cc4:$x1: $%SMTPDV$ 0xc84f4:$x1: $%SMTPDV$ 0xe8b14:$x1: $%SMTPDV$ 0xa7d2a:$x2: $#TheHashHere%& 0xc855a:$x2: $#TheHashHere%& 0xe8b7a:$x2: $#TheHashHere%& 0xa9321:$x3: %FTPDV$ 0xc9b51:$x3: %FTPDV$ 0xea171:$x3: %FTPDV$ 0xa9415:$x4: $%TelegramDv$ 0xc9c45:$x4: $%TelegramDv$ 0xea265:$x4: $%TelegramDv$ 0xa56d5:$x5: KeyLoggerEventArgs 0xa5a3c:$x5: KeyLoggerEventArgs 0xc5f05:$x5: KeyLoggerEventArgs 0xc626c:$x5: KeyLoggerEventArgs 0xe6525:$x5: KeyLoggerEventArgs 0xe688c:$x5: KeyLoggerEventArgs 0xa9345:$m2: Clipboard Logs ID 0xa9565:$m2: Screenshot Logs ID 0xa9675:$m2: keystroke Logs ID
0.2.Details.exe.3bc7b70.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aa6b:$x1: In$J$ct0r
Click to see the 40 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: Details.exe	ReversingLabs: Detection: 50%
Source: Details.exe	Virustotal: Detection: 57%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Details.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Details.exe, 00000000.00000002.2086884615.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Details.exe, 00000002.00000002.2294920659.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Details.exe, 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Details.exe, 00000002.00000002.2294920659.000000000282D000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Details.exe, 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Details.exe	String found in binary or memory: https://aka.ms/binaryformatter
Source: Details.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Details.exe	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63021
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 63021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Details.exe.5290000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.5290000.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Details.exe.3bc7b70.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Details.exe.2bc98cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.2bc708c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2086952660.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_0119D3DC	0_2_0119D3DC
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050AA698	0_2_050AA698
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050AB8A8	0_2_050AB8A8
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050A0006	0_2_050A0006
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050A0040	0_2_050A0040
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050AB898	0_2_050AB898
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05CC0007	0_2_05CC0007
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05CC0040	0_2_05CC0040
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_02696108	2_2_02696108
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269C193	2_2_0269C193
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269C753	2_2_0269C753
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_02696730	2_2_02696730
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269C470	2_2_0269C470
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269B4A0	2_2_0269B4A0
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_02694AD9	2_2_02694AD9
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269BBD3	2_2_0269BBD3
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_02699858	2_2_02699858
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269BEB0	2_2_0269BEB0
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269CD53	2_2_0269CD53
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_0269B4F3	2_2_0269B4F3
Source: C:\Users\user\Desktop\Details.exe	Code function: 2_2_02693573	2_2_02693573

Source: Details.exe, 00000000.00000002.2086884615.0000000005230000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Details.exe
Source: Details.exe, 00000000.00000002.2086952660.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Details.exe
Source: Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Details.exe
Source: Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Details.exe
Source: Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Details.exe
Source: Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Details.exe
Source: Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Details.exe
Source: Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Details.exe
Source: Details.exe, 00000000.00000002.2085485300.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Details.exe
Source: Details.exe, 00000000.00000000.2078485576.0000000000792000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameavtry.exe. vs Details.exe
Source: Details.exe, 00000000.00000002.2084795839.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Details.exe
Source: Details.exe, 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Details.exe
Source: Details.exe	Binary or memory string: OriginalFilenameavtry.exe. vs Details.exe

Source: Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Details.exe.5290000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.5290000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Details.exe.3bc7b70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Details.exe.2bc98cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.2bc708c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2086952660.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Details.exe.3c77e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c77e40.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c57610.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c57610.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c57610.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3c57610.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.5290000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Details.exe.5290000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Details.exe.3bc7b70.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\Details.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Details.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03

Source: Details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Details.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Details.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Details.exe	ReversingLabs: Detection: 50%
Source: Details.exe	Virustotal: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\Details.exe "C:\Users\user\Desktop\Details.exe"
Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Users\user\Desktop\Details.exe "C:\Users\user\Desktop\Details.exe"
Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Users\user\Desktop\Details.exe "C:\Users\user\Desktop\Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Details.exe

Static PE information: 0x8BED6FE1 [Mon May 23 05:21:37 2044 UTC]

Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_050A1C51 push esp; retf	0_2_050A1C52
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05CCA2E0 push 14418B05h; ret	0_2_05CCA2F3
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05CC9860 push 14418B05h; ret	0_2_05CCA2F3
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05E7C5BD push FFFFFF8Bh; iretd	0_2_05E7C5BF
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05E72C21 push 08418B05h; ret	0_2_05E72C33
Source: C:\Users\user\Desktop\Details.exe	Code function: 0_2_05E77112 push eax; retf	0_2_05E77119

Source: Details.exe

Static PE information: section name: .text entropy: 7.3573846175067015

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\Details.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"
Source: C:\Users\user\Desktop\Details.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR

Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599006	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596587	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594835	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Window / User API: threadDelayed 7783			Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Window / User API: threadDelayed 2077			Jump to behavior

Source: C:\Users\user\Desktop\Details.exe TID: 4852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 616	Thread sleep count: 7783 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 616	Thread sleep count: 2077 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -599006s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596587s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -594835s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe TID: 4368	Thread sleep time: -594624s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 599006	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596587	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594835	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: Details.exe, 00000002.00000002.2293833893.00000000008E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln

Source: C:\Users\user\Desktop\Details.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Details.exe, EventLogInternal.cs	Reference to suspicious API methods: global::Interop.Kernel32.LoadLibraryExW(text, IntPtr.Zero, 2u)
Source: 0.2.Details.exe.2bc98cc.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Details.exe.2bc98cc.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Details.exe

Memory written: C:\Users\user\Desktop\Details.exe base: 700000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Users\user\Desktop\Details.exe "C:\Users\user\Desktop\Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Users\user\Desktop\Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Users\user\Desktop\Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR

Source: Yara match	File source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.Details.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c77e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3c57610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Details.exe.3bc7b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Details.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Details.exe PID: 2276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Details.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
Details.exe	58%	Virustotal		Browse
Details.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://aka.ms/serializationformat-binary-obsolete	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-warnings/	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	1%	Virustotal		Browse
https://aka.ms/dotnet-warnings/	0%	Virustotal		Browse
https://aka.ms/serializationformat-binary-obsolete	0%	Virustotal		Browse
http://checkip.dyndns.org	1%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.com	0%	Virustotal		Browse
https://aka.ms/binaryformatter	0%	Virustotal		Browse
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Virustotal		Browse
https://aka.ms/binaryformatter	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/dotnet-warnings/	Details.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/serializationformat-binary-obsolete	Details.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	Details.exe, 00000002.00000002.2294920659.000000000282D000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/binaryformatter	Details.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	Details.exe, 00000002.00000002.2294920659.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	Details.exe, 00000002.00000002.2294920659.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028B5000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Details.exe, 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Details.exe, 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Details.exe, 00000002.00000002.2294920659.0000000002815000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465790
Start date and time:	2024-07-02 04:16:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Details.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 166 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Details.exe, PID 2276 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:16:55	API Interceptor	153x Sleep call for process: Details.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.bat	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Sea Gull 9 Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Sea Gull 9 Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	Vg46FzGtNo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mHgyHEv5/download
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	johnlewisfr.com/
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
	hnCn8gE6NH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	yenot.top/providerlowAuthApibigloadprotectflower.php
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
	Purchase Order -JJ023639-PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/9a4iHwft/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PM114079-990528.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	PM114079-990528.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	CDMZxujRpn.elf	Get hash	malicious	Mirai	Browse	132.192.25.142
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169
	LEpsypIZxU.elf	Get hash	malicious	Mirai, Moobot	Browse	128.169.91.82
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	https://f8dde4bf9.skcrr.com/s/bb134f99?b3c4b4af7cc5=c3UuY2FpQHJvcy5jb20=	Get hash	malicious	Unknown	Browse	104.21.16.234
	https://ghufal.answermedia.site/KB/KB66958646	Get hash	malicious	Unknown	Browse	104.21.72.53
	PM114079-990528.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://punchbowl-sc.info/in/&d=DwMFAw	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://proposalbidinvitation.wordpress.com/	Get hash	malicious	Unknown	Browse	104.21.79.87
	https://hamids-worker.hamidyousefi93.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://jiedian.dadabing023.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://worker-aliggggg.farnazmonsef1.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PM114079-990528.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT_80362_72605XLS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	bJLd0SUHfj.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	PGjIoaqfQY.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	x6221haMsm.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	JgRVqrgNs4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	H3fwQALXDX.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	zkB0qfWSJk.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\Details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.345062038205206
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Details.exe
File size:	493'056 bytes
MD5:	a8a7ded2a82dc5650d018a55944ed7f6
SHA1:	78ea0f8f73c8533b21900e20242df96ec1c56ce0
SHA256:	cdb27cbc1e485ca7b7c3f4f2eb90015befdf7991cb5742814ccf0c18bea2af11
SHA512:	3e2878b6cc46a71556e0f57e5b92c51595e39fe069d16974ee79f9f7ea9cbe9d073d2c467049862b6f23fff404bb8714e1919e39621606e4052e01e50e8cbce7
SSDEEP:	6144:ZXuAPKbl6eAs+AYJAmp1sWosos1kKBY0SQBhhASbOF7HAAPq/XtLMfFUYK8tvlC8:ZXuBxOukAVzAAylLMfCYK8tv
TLSH:	6DA4D05213D8475DF6EE2BB4A1712114C3BEFA696635F34D66C4A8ED2E633C08E10B93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o................0..\|..........~.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x479a7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8BED6FE1 [Mon May 23 05:21:37 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79a24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x58e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x77a84	0x77c00	2940523784af9284b384750f0c17336e	False	0.6104208800887265	data	7.3573846175067015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x58e	0x600	1702ccff915b2c385a113f63e5ba57d7	False	0.4147135416666667	data	4.025204759389211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	4969f1400d697c8f3a8677710fbed2bb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x304	data			0.4365284974093264
RT_MANIFEST	0x7a3a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 04:16:52.648969889 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:52.653820992 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:52.653887033 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:52.654090881 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:52.658808947 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:54.455996990 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:54.460496902 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:54.465333939 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:55.727102041 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:55.769141912 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:55.774126053 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:55.774188042 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:55.774266958 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:55.780323982 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:55.780354023 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.258126020 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.258255005 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.263689995 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.263701916 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.264036894 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.309277058 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.356496096 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.417574883 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.417654991 CEST	443	49714	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.417709112 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.423732996 CEST	49714	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.427119017 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:56.431900024 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:56.692641973 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:56.695808887 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.695863962 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.695949078 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.696311951 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:56.696322918 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:56.738030910 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.163794994 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:57.166019917 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:57.166047096 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:57.294500113 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:57.294589043 CEST	443	49715	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:57.294651985 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:57.295236111 CEST	49715	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:57.298094988 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.299288988 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.303276062 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:57.303349972 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.304053068 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:57.304130077 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.304244995 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:57.308969021 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:58.107150078 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:58.108557940 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.108611107 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.108674049 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.108936071 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.108949900 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.159724951 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:58.576535940 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.583291054 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.583323956 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.717989922 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.718110085 CEST	443	49719	188.114.96.3	192.168.2.6
Jul 2, 2024 04:16:58.719715118 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.719715118 CEST	49719	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:16:58.730762959 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:58.735574007 CEST	80	49720	132.226.8.169	192.168.2.6
Jul 2, 2024 04:16:58.735795975 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:58.735796928 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:16:58.740616083 CEST	80	49720	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:00.819405079 CEST	80	49720	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:00.821142912 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:00.821183920 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:00.821362019 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:00.821569920 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:00.821579933 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:00.862971067 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.291203976 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:01.293548107 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:01.293574095 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:01.437139034 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:01.437241077 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:01.437292099 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:01.437829018 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:01.444524050 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.445472002 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.449496984 CEST	80	49720	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:01.449570894 CEST	49720	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.450218916 CEST	80	49723	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:01.450318098 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.450382948 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:01.455796957 CEST	80	49723	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:03.789534092 CEST	80	49723	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:03.791313887 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:03.791354895 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:03.791450024 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:03.791712046 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:03.791723967 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:03.831715107 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.262629986 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:04.264384985 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:04.264408112 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:04.407928944 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:04.408044100 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:04.408236980 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:04.408860922 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:04.412384987 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.413476944 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.417421103 CEST	80	49723	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:04.417496920 CEST	49723	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.418201923 CEST	80	49725	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:04.418292046 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.418358088 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:04.423075914 CEST	80	49725	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:06.904808044 CEST	80	49725	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:06.906348944 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:06.906409025 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:06.906511068 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:06.906783104 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:06.906799078 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:06.956646919 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.448164940 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:07.449839115 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:07.449867964 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:07.605377913 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:07.605493069 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:07.605544090 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:07.605947018 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:07.608987093 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.610228062 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.614274979 CEST	80	49725	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:07.614339113 CEST	49725	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.615031958 CEST	80	49727	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:07.615092993 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.615183115 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:07.619910002 CEST	80	49727	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:10.405989885 CEST	80	49727	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:10.428968906 CEST	49730	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:10.433805943 CEST	80	49730	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:10.433932066 CEST	49730	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:10.434006929 CEST	49730	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:10.438735962 CEST	80	49730	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:10.456732035 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:12.559190989 CEST	80	49730	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:12.559659958 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:12.560679913 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:12.560725927 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:12.560806036 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:12.561083078 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:12.561095953 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:12.564944983 CEST	80	49727	132.226.8.169	192.168.2.6
Jul 2, 2024 04:17:12.564997911 CEST	49727	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:12.612869978 CEST	49730	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:13.085683107 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:13.094866037 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:13.094896078 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:13.237921953 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:13.238025904 CEST	443	63021	188.114.96.3	192.168.2.6
Jul 2, 2024 04:17:13.238506079 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:13.238905907 CEST	63021	443	192.168.2.6	188.114.96.3
Jul 2, 2024 04:17:13.408003092 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 2, 2024 04:17:13.408639908 CEST	49730	80	192.168.2.6	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 04:16:52.635641098 CEST	52584	53	192.168.2.6	1.1.1.1
Jul 2, 2024 04:16:52.642591000 CEST	53	52584	1.1.1.1	192.168.2.6
Jul 2, 2024 04:16:55.761497021 CEST	56357	53	192.168.2.6	1.1.1.1
Jul 2, 2024 04:16:55.773507118 CEST	53	56357	1.1.1.1	192.168.2.6
Jul 2, 2024 04:17:12.369990110 CEST	53	61318	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 04:16:52.635641098 CEST	192.168.2.6	1.1.1.1	0x8b4f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:55.761497021 CEST	192.168.2.6	1.1.1.1	0xe137	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:52.642591000 CEST	1.1.1.1	192.168.2.6	0x8b4f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:55.773507118 CEST	1.1.1.1	192.168.2.6	0xe137	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 04:16:55.773507118 CEST	1.1.1.1	192.168.2.6	0xe137	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:16:52.654090881 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:16:54.455996990 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1bf5d5f3e089c0ae3508525cbee04c12 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 2, 2024 04:16:54.460496902 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 04:16:55.727102041 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b060a06d07a59939a6df1a2d83a8db86 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 2, 2024 04:16:56.427119017 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 04:16:56.692641973 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3eaca217034a1cdb793180e6765c7d5b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:16:57.304244995 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 2, 2024 04:16:58.107150078 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 247556d9fcb0d4e7350a3fbfe4f2dffc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49720	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:16:58.735796928 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:17:00.819405079 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9caebfbf248fcf11d3862bbe5b0b2ae2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:17:01.450382948 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:17:03.789534092 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4a8c853f1b39d111b19e9a07a229d5d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:17:04.418358088 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:17:06.904808044 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4f11b9e808876620e805fe7a07dcf02d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:17:07.615183115 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:17:10.405989885 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Tue, 02 Jul 2024 02:17:10 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 5499c9556506a4ed22140156e5f8df53 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	132.226.8.169	80	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 04:17:10.434006929 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 2, 2024 04:17:12.559190989 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 611a94134593b0a7055af111f77222da Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:16:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:16:56 UTC	703	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2945 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RMcBMoOFE8BT2tEn2L%2BvGjdVuS6tkxC8%2FXVvqvIttcqYBQdpcmc6HtKelKz0cDCHpVsq86Sdj4jrSBERCgdzHY0mmxG6WQWDMk9ai7qYt0DtfbvkTE5KAFjc9VcL69n5JJiuHEdq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb22f84c6a4232-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:16:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:16:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:16:57 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-02 02:16:57 UTC	705	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2946 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dxwdu5Z1xVVFdeGYkr4fBmZPOZc3dGKyf%2FYivpDziKBLB14P4CprYHRyy7sqcBUKVOqPYCRjKDTK%2Fgs39GaEMb%2By7zIXUSZMw89mc2OnBWLSrumBG1BwGHqTIpFINwdq1uV2oU5l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb22fdb83442e9-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:16:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:16:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:16:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:16:58 UTC	717	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:16:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2947 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2FtWtvS%2BSB5lN%2BNpxNnq%2F%2FZylFICzL7sTfP%2Fu9qBL9BfMJaFoE9cYtPf1ZvmfIwvrarpSJ8IRoYKydL4sTSeHskaX%2BTFC6TY%2BvRNnvMN%2BgXngArRmdMHiNnvgkYuRXwy37Vqep0o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb2306af8641cd-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:16:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:16:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:17:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:17:01 UTC	705	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2950 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6716rBwQkW4AYg2ggiECg6fZEyGx4t6Z0Oh4X2j8N05%2FmjHzks%2B7xp54jSv9%2BvI8eHrXGkE5H5952mFHPzCYaySvB0pi2cWx0dKuUjr89eHtiQey6xctox7It1KG9i2Y1E8HJ1W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb2317afed42ef-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:17:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:17:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:17:04 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:17:04 UTC	703	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2953 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tn56v65XL5ybjW3Sw6qHqSeczX6%2FLGgwp2%2Fgy0s46ZiTFl5YbBuriiq3XvGlaY1WBSgZoiVooiv9AQ2jdDfh18xGgv9P7VBQBmBLu3aONsRHsGGe5Y3OJ9Xr6X9Yxls8JaUpGm8R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb232a2c2b43c9-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:17:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:17:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49726	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:17:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:17:07 UTC	719	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2956 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQSM0q77NAvr65aPC%2F%2B%2FSDI1FvTdL08nAII3hE5HgtukqpngtpoJq3DcLIw08%2F%2F%2FJjmkvoyUKiNcHjyOtqvVD%2BN5HYdY0seCJev9vaY6dtQ4iYpmmTtFMzgC3yN1Ty%2F%2F%2Bi7DJxEg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb233e2fef4327-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:17:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:17:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	63021	188.114.96.3	443	2276	C:\Users\user\Desktop\Details.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 02:17:13 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-02 02:17:13 UTC	707	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 02:17:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2962 Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1eCeYk3En8KXiGchtLEpdlN%2Fh3nxZbFlxVON2lMDfMAPKBKqZMwqO5Y8rwsHVx1aBeiE3oG9LsD2OjXzIEa1p8I62eYGJbVQNS3uJbzOE4th0TlW6mMgr2u%2BhQPunt8Re%2FdzZZ%2BP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cb23615f071760-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 02:17:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-02 02:17:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:16:51
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Details.exe"
Imagebase:	0x790000
File size:	493'056 bytes
MD5 hash:	A8A7DED2A82DC5650D018A55944ED7F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2086952660.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2085614528.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:16:51
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Details.exe"
Imagebase:	0x2c0000
File size:	493'056 bytes
MD5 hash:	A8A7DED2A82DC5650D018A55944ED7F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2293250186.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2294920659.0000000002751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:17:12
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:17:12
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:17:12
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x8a0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.6%
Total number of Nodes:	283
Total number of Limit Nodes:	14

Executed Functions

Function 05CC0007 Relevance: 3.3, Instructions: 3263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b55b7658c0c959af06e88d1047f07619f893fa28052279ac61b9fe6308824a
Instruction ID: d6ce943e24d8a752eb59e8778988d290e4610a35069a534c4a5f3ea5976e3461
Opcode Fuzzy Hash: 23b55b7658c0c959af06e88d1047f07619f893fa28052279ac61b9fe6308824a
Instruction Fuzzy Hash: 1773D374A11219CFDB14EB64D894ADDB3B1FF9A300F5181EAE9096B360DB31AE85CF44

Function 05CC0040 Relevance: 3.2, Instructions: 3242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37247b020926cda1de80a3391013a5d33e1bd6e5ba916546d0a182356c9f71cd
Instruction ID: 7f156813e1e510144aa79949ae463fef2178065c40b88b0c44cef626343c488a
Opcode Fuzzy Hash: 37247b020926cda1de80a3391013a5d33e1bd6e5ba916546d0a182356c9f71cd
Instruction Fuzzy Hash: 2B73C374A11219CFDB14EB64D894ADDB3B1FF9A300F5181EAE9096B360DB31AE85CF44

Function 050AB8A8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 050AC058

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: CreateProcess
String ID: (
API String ID: 963392458-3887548279
Opcode ID: 53ca120a4b6b93d75f6b42533b4bf7e6970090ee6df48197765acb26cf380c70
Instruction ID: 4cc32ee2cd3f6a2d9c009560f07e8827e890361c7b8eed0e3a3a67e98e4f4895
Opcode Fuzzy Hash: 53ca120a4b6b93d75f6b42533b4bf7e6970090ee6df48197765acb26cf380c70
Instruction Fuzzy Hash: BF52D271E012298FDB64DF65C994BEDB7F2BF89300F1481EA9409AB295DB345E85CF40

Function 050AB898 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4cf7a33e1892bff583cb5d7c275ce1527b460d94312899f0dec38c883510d9cc
Instruction ID: d75270215d475b6b5c089e1819964e25ba9c036aae65b0a8fd8d72e1dfb15ba1
Opcode Fuzzy Hash: 4cf7a33e1892bff583cb5d7c275ce1527b460d94312899f0dec38c883510d9cc
Instruction Fuzzy Hash: AA32E371E012298FDB64DFA5C954BEDB7F2BF89300F1481EA9409AB294DB745E85CF40

Function 050AA698 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe1f905cc85447e500e719f945c0dfa570915c3b03326c9e3338b96929c2192
Instruction ID: 7a44d59f61498856a0b1a318eebda7b9f042acaabcbd25c46efd7e5323baccd0
Opcode Fuzzy Hash: cbe1f905cc85447e500e719f945c0dfa570915c3b03326c9e3338b96929c2192
Instruction Fuzzy Hash: 80819D35F00259CBDB18EBB5985467EBBB3BFC8650B05852EE457E7288CE349842C791

Function 05CCEA78 Relevance: 2.0, Strings: 1, Instructions: 778COMMON

Download Yara Rule

Strings

k?'m^, xrefs: 05CCEAF8

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID: k?'m^
API String ID: 0-1754480785
Opcode ID: 4830b20092360889258ca6f23cb8be7deb1141a7b08cb186853645694848b387
Instruction ID: 0b4d344ad705e8778d6ca3e19333ca87aee7c4a7ec3c683afbd7ceac6c97f3bb
Opcode Fuzzy Hash: 4830b20092360889258ca6f23cb8be7deb1141a7b08cb186853645694848b387
Instruction Fuzzy Hash: 9F62D871E00B858ADB74DF7484987AE7EA2BB49300F204DAFD1EBCA680DB349581DF51

Function 05CCEAB8 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

k?'m^, xrefs: 05CCEAF8

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID: k?'m^
API String ID: 0-1754480785
Opcode ID: 5c1740d439599c5b7f5cc4f491914b2f3da78212cd4ce70a10b04d0f77bc8c5e
Instruction ID: b3f46644aaa44d5c02a9d313caaa4354f92a0f2c0a6f1a0ccd3f2e2b3b32bc76
Opcode Fuzzy Hash: 5c1740d439599c5b7f5cc4f491914b2f3da78212cd4ce70a10b04d0f77bc8c5e
Instruction Fuzzy Hash: 36124BB0E05B828ADB74DF6485D869EBA91BB09300F204D9FC2FB8A295D735D186CF45

Function 0119A690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119A8E6

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 77ba2ae58471edcd87a7bdc807453a24160c34e80261813d1a12c970f9d136de
Instruction ID: 86a8fc191c65c7279f28be2666815dbe2bd731f321a01e025fef987d715e026c
Opcode Fuzzy Hash: 77ba2ae58471edcd87a7bdc807453a24160c34e80261813d1a12c970f9d136de
Instruction Fuzzy Hash: 3B714970A00B058FDB28DF2AE14575ABBF1FF88304F10892DD55ADBA50DB75E849CB91

Function 050AA52C Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 050AC514

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d73743ce2d9e2db85088835062741dd10bed085b5a75f81e8e8e22d7c3016d92
Instruction ID: b21bca946b8a5d8762792ee7b83c4fd7eb3326c9b35ddbceabe9752e0118847d
Opcode Fuzzy Hash: d73743ce2d9e2db85088835062741dd10bed085b5a75f81e8e8e22d7c3016d92
Instruction Fuzzy Hash: 5351F571901329DFEF20CFA9D944BDEBBB2BF48200F11819AE909A7240D7759A84CF91

Function 050AC3CC Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 050AC514

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e98139cbf0ad4791a593e1242b4506a27af39aab89d63d66077ae6a08352cfd4
Instruction ID: 0375c0bd45d4033ff83f2c5c3fc08446242adfec2720b100b1b9ad6e70792473
Opcode Fuzzy Hash: e98139cbf0ad4791a593e1242b4506a27af39aab89d63d66077ae6a08352cfd4
Instruction Fuzzy Hash: 00510575901329DFEF20CFA9D944BDEBBB2BF48300F11819AE909A7240D7759A84CF91

Function 050A3EC0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050A3F81

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c41b73ab53339c21bff2eae8ede6dc6e83e810b88929185d3f0a2ae6b69897cd
Instruction ID: c1f02429d62e5c9cefa841e8e75ff9aaeb8410c31cd5f41f5ad183fc167a3cbf
Opcode Fuzzy Hash: c41b73ab53339c21bff2eae8ede6dc6e83e810b88929185d3f0a2ae6b69897cd
Instruction Fuzzy Hash: 9A4125B59103098FCB54CF99D489AAEBBF5FB88314F248859E519AB321D774A841CFA0

Function 050AB580 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050AB618

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2adc50008a35d2603eb7fe74eacd5807c9bdbfa57fbb8999a10ac4b1040be24c
Instruction ID: 54000d0188ab96b41efde826f933a04d92491b91815084647407ff0d0e7e8290
Opcode Fuzzy Hash: 2adc50008a35d2603eb7fe74eacd5807c9bdbfa57fbb8999a10ac4b1040be24c
Instruction Fuzzy Hash: 262148769003499FDB10CFA9D885BEEBBF5FF88310F14842AE559A7240D7789550CBA4

Function 050AB588 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050AB618

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6cc52a4a138badb2f3316fd2d50f5de05079114ccd3b55b8a4c94066f93aa9ab
Instruction ID: 220c8ff9720d862ad3461c7986e40e887edcb623ab60c4f19c796ff997313585
Opcode Fuzzy Hash: 6cc52a4a138badb2f3316fd2d50f5de05079114ccd3b55b8a4c94066f93aa9ab
Instruction Fuzzy Hash: 6E2126729003499FDB10CFAAD985BDEBBF5FF88310F10842AE919A7240D7789950CBA4

Function 0119CB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0119CB26,?,?,?,?,?), ref: 0119CBE7

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c218475d131875ab187dcea5071bb282723e98a7e34ee751dc0ed1bda8dfa79
Instruction ID: 5da407a0addf7ce7f6bde22604bb5ec247685c1323b04c5436cefe74163088a7
Opcode Fuzzy Hash: 2c218475d131875ab187dcea5071bb282723e98a7e34ee751dc0ed1bda8dfa79
Instruction Fuzzy Hash: 9321D2B59002099FDB10CFAAD985ADEBBF4EB48320F14841AE958A3310D375A954CFA0

Function 0119BDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0119CB26,?,?,?,?,?), ref: 0119CBE7

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86d6039e846f6892549b03f8d44a45facf9430391991a30c8b90ecef362c2422
Instruction ID: 1f2d4713df4f051800413883f471ce957426937a72d0f03a70af7b4e9bf6e86e
Opcode Fuzzy Hash: 86d6039e846f6892549b03f8d44a45facf9430391991a30c8b90ecef362c2422
Instruction Fuzzy Hash: 5D21E3B5904209DFDB10CFAAD984ADEBFF4FB48320F14801AE959A3310D374A954CFA5

Function 050AB4A9 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050AB52E

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 60037b8cc727d4f85e13c6425baa8d815c66ba06f8d828fd1ec6c41d4010d68c
Instruction ID: 7640c3f050a63afde5c2081683317c0ffba591dafee84ac3e880ba9f5a3ac42a
Opcode Fuzzy Hash: 60037b8cc727d4f85e13c6425baa8d815c66ba06f8d828fd1ec6c41d4010d68c
Instruction Fuzzy Hash: 242118729003099FDB10DFAAC4857AEBBF4EF88324F14842AD519A7240DB78A945CFA5

Function 050AB4B0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050AB52E

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59e2877d60f29b2f9c37bdea21bc515719bd0908d5216afbe63f85bc6cda5299
Instruction ID: 87f59197578827faa0756498aedd2a89917c582cbdd5580275fa772e9781b011
Opcode Fuzzy Hash: 59e2877d60f29b2f9c37bdea21bc515719bd0908d5216afbe63f85bc6cda5299
Instruction Fuzzy Hash: A32127729003098FDB10DFAAC4857EEBBF4FF88324F14842AD519A7240DB78A945CFA5

Function 0119A100 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119A961,00000800,00000000,00000000), ref: 0119AB72

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 212c22d4b54135ca2e78424df08ca79dc19a93579645972d219f7ff200bd5ec5
Instruction ID: 53009da86cb07951268ba637e187389eb0295c62411c64b873aff17fba0e9efd
Opcode Fuzzy Hash: 212c22d4b54135ca2e78424df08ca79dc19a93579645972d219f7ff200bd5ec5
Instruction Fuzzy Hash: 552179B2804348CFDB14CFAAD844ADEBFF4EF49320F14846AD519A7200C3B4A544CFA5

Function 050AA550 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 050AC731

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e2efef71fd520046b03639fc618349b2100b55c90db0fe623d351d60103611b3
Instruction ID: 89abad84ad19fb1cdcc8ec6dfb6827786953362c4cd9ff59359d0d916e480898
Opcode Fuzzy Hash: e2efef71fd520046b03639fc618349b2100b55c90db0fe623d351d60103611b3
Instruction Fuzzy Hash: 6B21D3B6804249DFDB10CF9AD984BDEBBF4FB48310F10842AE958A7210D374A944CBA5

Function 050AA538 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 050AC673

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 563dce7ca972e3724e1b9f0092ac19753a9a8ec919a04361737c9b88d0126513
Instruction ID: 644f171c0a254349fdc0926981cd47ca072fe369f946dd0077fd8b481cdd3f90
Opcode Fuzzy Hash: 563dce7ca972e3724e1b9f0092ac19753a9a8ec919a04361737c9b88d0126513
Instruction Fuzzy Hash: 241137B2D043498FDB10CF9AD944BDEFBF4FB88220F15806AE418A3200D778A944CFA5

Function 050AC600 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 050AC673

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3ca596f24bcc844f47361920220ad816de1a9c34a80671a956f4c3b9a9095ff5
Instruction ID: cb7cadb4698f00c5af73838e1dce88ede8c4147329c45b5d8e4d38d3a54d68a3
Opcode Fuzzy Hash: 3ca596f24bcc844f47361920220ad816de1a9c34a80671a956f4c3b9a9095ff5
Instruction Fuzzy Hash: 681137B2D002499FDB10CF9AD945BDEFBF4FB88320F15806AE418A3240D778A545CFA5

Function 050AC6BA Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 050AC731

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 536c5703a3bfd4954cf1f768464b9036d386d1ee4af938f26d2d0b68212918a6
Instruction ID: a95587e0acada0883b9f62dc430b512d860b1d53877a2483baf2d99504b4a11c
Opcode Fuzzy Hash: 536c5703a3bfd4954cf1f768464b9036d386d1ee4af938f26d2d0b68212918a6
Instruction Fuzzy Hash: CD21E4B5801349DFDB10CF9AD985ADEBBF4FB48320F10842AE558A3240D374A544CFA5

Function 0119A118 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119A961,00000800,00000000,00000000), ref: 0119AB72

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e650fc8c7ba65b6015921e8a5930bd7cfce64f9f7a3e890a19014c551144a1dd
Instruction ID: df51696928276cb2a5df457ad812cd20038b00f3ae67b3b31e9d297d46242b26
Opcode Fuzzy Hash: e650fc8c7ba65b6015921e8a5930bd7cfce64f9f7a3e890a19014c551144a1dd
Instruction Fuzzy Hash: 111114B68003098FDB14CF9AD844A9EFBF5EF48320F14852AE529A7200C3B5A544CFA5

Function 0119AB00 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119A961,00000800,00000000,00000000), ref: 0119AB72

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bed8e0e7c049c2f1d012044c608e4056f3ec7336f222dae4bec99a6d5e0fa425
Instruction ID: c588618776859511fe4bbe5b3da0e43e3f9a99307a4afba6a69fc4686aa29fff
Opcode Fuzzy Hash: bed8e0e7c049c2f1d012044c608e4056f3ec7336f222dae4bec99a6d5e0fa425
Instruction Fuzzy Hash: B11114B6C003099FDB14CF9AD544A9EFFF5EF48720F14852AE529A7200C7B9A545CFA1

Function 05E78BD0 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E7AC85

Memory Dump Source

Source File: 00000000.00000002.2087398565.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e70000_Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7f5ea0b6b40c26fde3bb89eaa2490bd4fbefa46dbb7c0472495f31cf33076313
Instruction ID: 1341b9fe105177146acfe25346be2430002ff0bbe33e583f3ba8c73b08278a01
Opcode Fuzzy Hash: 7f5ea0b6b40c26fde3bb89eaa2490bd4fbefa46dbb7c0472495f31cf33076313
Instruction Fuzzy Hash: 521186B68043499FCB10CF99C849BEEBFF4EB48220F14845AD558A7240D374A840CFA5

Function 050AB670 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050AB6E6

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a718dabdfd2b8f693e98f714bf3454a232e4f14549d0c8f44875534516e23923
Instruction ID: 9359788103897c912c5e54c1dfc6d25a1216a26a31f9436529cc97fe03321c00
Opcode Fuzzy Hash: a718dabdfd2b8f693e98f714bf3454a232e4f14549d0c8f44875534516e23923
Instruction Fuzzy Hash: E0114472900249CFDB10DFAAD844BEEBFF1AF88320F24841AE559A7250C7799950CFA0

Function 050AB678 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050AB6E6

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4a277e8a09e627aa9de5d8547a13953a9dbac5fe70b505edb5abdb4c0ac73b6
Instruction ID: 9cb5ababc412a3419ed78ca53973eb181502e77c33313c4d56ae827055460184
Opcode Fuzzy Hash: c4a277e8a09e627aa9de5d8547a13953a9dbac5fe70b505edb5abdb4c0ac73b6
Instruction Fuzzy Hash: 961156728002499FDB10DFAAD845BDEBFF5AF88320F14841AE519A7250CB79A510CFA0

Function 050AB731 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 050AB79A

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 23e674a1e88f3e09126db73468c0a56d3b848144937d0bac2845ee8605ee097f
Instruction ID: bb31c404f272eee0ee7dc7e3cb7e464299ff18f94fcc92d11487dd4590b82580
Opcode Fuzzy Hash: 23e674a1e88f3e09126db73468c0a56d3b848144937d0bac2845ee8605ee097f
Instruction Fuzzy Hash: E01158B2D003498FDB10DFAAC44579EFBF4AF88220F24841AD519A7240CBB9A500CF95

Function 05E73030 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05E72EE9,?,?), ref: 05E73090

Memory Dump Source

Source File: 00000000.00000002.2087398565.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e70000_Details.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 704a1b7f46f6c452a2e2975974bf826682ba5adb0385a869c7a751b554dd8717
Instruction ID: d9cba408490e46ca4d7507996d8b2f981a469e5c5f3fee084a3dc2f785a30b0f
Opcode Fuzzy Hash: 704a1b7f46f6c452a2e2975974bf826682ba5adb0385a869c7a751b554dd8717
Instruction Fuzzy Hash: F01143B6800209CFDB10CFAAC489B9EBBF4EB48320F21841AE558A7240D778A544CFA0

Function 05E72364 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05E72EE9,?,?), ref: 05E73090

Memory Dump Source

Source File: 00000000.00000002.2087398565.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e70000_Details.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b5be19256cf4dda7ebcb726e932e55834136bdf21a8b6a995edc6fa710c5b514
Instruction ID: 98b5dba6cbbfb83ca40c0be0e9b5495565f7593d3777e0497cdc8b71205ad082
Opcode Fuzzy Hash: b5be19256cf4dda7ebcb726e932e55834136bdf21a8b6a995edc6fa710c5b514
Instruction Fuzzy Hash: 801143B1804249CFDB20DF9AC485BDEBBF4EB48320F20845AE558A7240D378A944CFA4

Function 050AB738 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 050AB79A

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 748e81d149bc9c55efc8d80c466a7649590214363f3468c0c24fc507a568eae5
Instruction ID: b09a8c2f92a2b08f31e2554e737669e4b826f604d849c9596fc85822543e1b4a
Opcode Fuzzy Hash: 748e81d149bc9c55efc8d80c466a7649590214363f3468c0c24fc507a568eae5
Instruction Fuzzy Hash: A6113A719003498FDB10DFAAD54579EFBF4AF88724F24841AD519A7240CBB5A540CF95

Function 0119A880 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119A8E6

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 70f35a8fad2181a0b1b6e3c3b3bbd39e4565c6ac3f576e3101490477f06214cc
Instruction ID: 2b38ec7088b940b76f1addb712a44247519995fe48d2ed2e567a8012b882b9c2
Opcode Fuzzy Hash: 70f35a8fad2181a0b1b6e3c3b3bbd39e4565c6ac3f576e3101490477f06214cc
Instruction Fuzzy Hash: 5F1102B5C003498FDB14DF9AD544A9EFBF4EF88220F10842AD528B7200D375A545CFA1

Function 05E78BF4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E7AC85

Memory Dump Source

Source File: 00000000.00000002.2087398565.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e70000_Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 47ccacd86f8cf9561efe0ad5fbc44390ce4a665a152a6c25605733735913624b
Instruction ID: 5bd4f57a901d3969c92a9a605d384dcb68893e1b3558618b9c23bdfee030b1b9
Opcode Fuzzy Hash: 47ccacd86f8cf9561efe0ad5fbc44390ce4a665a152a6c25605733735913624b
Instruction Fuzzy Hash: 961125B5800349DFDB10CF8AC585BDEBBF8FB48320F14841AE558A7200D3B4A940CFA0

Function 05E7AC20 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E7AC85

Memory Dump Source

Source File: 00000000.00000002.2087398565.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e70000_Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f00d7edb15f6e7d6667f5b7d7c4c9b7ed08ccdb648937d66c7c47d4064f35770
Instruction ID: 298b457119b9f1398ad0138ae4958f57e115d72637f7662693daf26a53adb996
Opcode Fuzzy Hash: f00d7edb15f6e7d6667f5b7d7c4c9b7ed08ccdb648937d66c7c47d4064f35770
Instruction Fuzzy Hash: 2D1103B5800349DFDB10CF9AC585BDEBBF4FB48324F14855AE568A3240D3B5A544CFA1

Function 05CCB300 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd632c1b9ee6cf4f1d219f39cbafbdbc72b779280bfcfc421a1394b82529502
Instruction ID: 534003744c4aae9239fced8072c34efbfad2a920bb0d783e2ffeac6e8ce1d253
Opcode Fuzzy Hash: 8fd632c1b9ee6cf4f1d219f39cbafbdbc72b779280bfcfc421a1394b82529502
Instruction Fuzzy Hash: 1CE17F30B11206CFDB08EBA5E995AAD7BB2FF88309F1044A9D506DB3A5DF359D01CB91

Function 05CC8674 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8716b1229b10a2ebe262c2044751fbd287eead80a359e5b9945cde03e392d43e
Instruction ID: 38288e14556f450da2097bdab2f467daee5359a7bede18080a8c281f5182ceea
Opcode Fuzzy Hash: 8716b1229b10a2ebe262c2044751fbd287eead80a359e5b9945cde03e392d43e
Instruction Fuzzy Hash: 0491D071A01248DFCB18DFA5D9486AEBFF2FF89300F1489AEE446A7750DB34A905CB51

Function 05CC86B0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f5cf94874beacbab87da7ba3c883dfa9b7a0919e2c92f0e6d248b82cf7ad99
Instruction ID: 4d7556ee73745d405c56f953bf9b7a28e1ce3db28bfedfdd2f1f123429ae6de6
Opcode Fuzzy Hash: 78f5cf94874beacbab87da7ba3c883dfa9b7a0919e2c92f0e6d248b82cf7ad99
Instruction Fuzzy Hash: A9813670E103599FDB04DFA9C8946AEBBF2BF88310F14856AE409EB350EB749905CB91

Function 05CCDCC8 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4243afe2bc80eb8f713374c0a4b9cc2d0b83af7fca6256e30036ae4d33427a08
Instruction ID: 90022fc9cd248d71968c317c9d4c918dd29c188444fa11edee1c44b0ec8bb256
Opcode Fuzzy Hash: 4243afe2bc80eb8f713374c0a4b9cc2d0b83af7fca6256e30036ae4d33427a08
Instruction Fuzzy Hash: 48719074A01249AFCB14DFA9D884DAEBBB2FF49714B1144A8F9029B361D731ED81CB50

Function 05CC7A5C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f446fd91d38fa132add77b988ede8b5a529d8ff01aa416645ed48ce0654879c
Instruction ID: e13fdb083c278e89041c1e9e0a2c2549b8cc384cc882e4c787981e46f311c13d
Opcode Fuzzy Hash: 9f446fd91d38fa132add77b988ede8b5a529d8ff01aa416645ed48ce0654879c
Instruction Fuzzy Hash: BE515E71E102099FDB14DFA9C848AAFBFF6EF98710F10896EE815E7250DB749901CB90

Function 05CC4260 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc409954424ff72c70b36181956f4b8756f1b186c3656a5ae2eec4ac5abb2c5
Instruction ID: dba1f744e855639e9d3c8e8bcc71bf3e45144c5bcb57978e706c582703cd6ed8
Opcode Fuzzy Hash: 5dc409954424ff72c70b36181956f4b8756f1b186c3656a5ae2eec4ac5abb2c5
Instruction Fuzzy Hash: A6515830A0061A9FCB19CF58C890ABEBBF5FF84310B55C9ADD5669B284D774F915CB80

Function 05CCA0F8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a5ed744f0250405a4188b7c8bb76672a3a7eb6e42854d152748640923e4211
Instruction ID: 6ccc9ee9938893e795f6904e1b1e8d4fe211692048ffcb4029f66135c37dd51d
Opcode Fuzzy Hash: c9a5ed744f0250405a4188b7c8bb76672a3a7eb6e42854d152748640923e4211
Instruction Fuzzy Hash: E141D071B101048FDB04DF69D494AAEBBF5FB88310F1544BAE509EB350CB319D41CBA0

Function 05CC4CD8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4987422d4fee1b96262e6a3530a5108e346ed37f1e47499d9179ccf4fefcbb
Instruction ID: 8b5b9fe9af20241dc28b89aab11cc045674b3cfef109eb0fc99e6a42e68919dd
Opcode Fuzzy Hash: 2e4987422d4fee1b96262e6a3530a5108e346ed37f1e47499d9179ccf4fefcbb
Instruction Fuzzy Hash: D7418C35E002588BDF18EB78C0A46ADBEB2EF89212F5588ADD402B7244CF755D81CBA5

Function 05CCDCB8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cd92808ff6885119a99793eb53942516bca52e0188d9f0409fca24746240c1
Instruction ID: a6d87dc4b0caad2ded0b9f633c326d1cdf223412632c83ea169415f7b217879a
Opcode Fuzzy Hash: 44cd92808ff6885119a99793eb53942516bca52e0188d9f0409fca24746240c1
Instruction Fuzzy Hash: 4951A478A11204EFCB14DF68D498DAD7BB2FF49721B1144A8F9069B361DB31ED82CB50

Function 05CCFCB0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f88d934967ccde45d75e533b6cf08a2ca80bd21f1b47b58bfeee59c2f42f16
Instruction ID: d1fab105b21aa094d3bcfac9440ccbf00a8f93f045d9864a20eca227abc024e4
Opcode Fuzzy Hash: f5f88d934967ccde45d75e533b6cf08a2ca80bd21f1b47b58bfeee59c2f42f16
Instruction Fuzzy Hash: 0841F934A042198FDB54DFA8C844BDDBBB2FF89704F1144ACD905AB3A1DB78A905CFA0

Function 05CC9880 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236e248516778e0158181da3d391ab93549a534fb8c362b8a47bbd07e0d9464f
Instruction ID: 597ac7f0b2cc833824822b0e807875d8e66d03ae22b766d0e0a0fd57f12c2828
Opcode Fuzzy Hash: 236e248516778e0158181da3d391ab93549a534fb8c362b8a47bbd07e0d9464f
Instruction Fuzzy Hash: 28418031B04A059FD718DF2AD888A6ABFF6FF84610B15C9ADD40AD7650DB30ED41CB90

Function 05CC5538 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e7b3b083cbadf5003c1b28974f42df55728c46a9579d31877e22df8eb9884a
Instruction ID: d398ff47a49c8b2ffa624f7755093d06d6aedef62d232d47ca7854425b18ea50
Opcode Fuzzy Hash: 47e7b3b083cbadf5003c1b28974f42df55728c46a9579d31877e22df8eb9884a
Instruction Fuzzy Hash: A131E134A1020AEBDB04AFA4D85999EBFB2FFD8314F108529E502BB350DF30AC05CB84

Function 05CC3D88 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b0332ab32fc4b8278a474990dd1d3f5517e7b38f71ecf3b6425b6bdf897dae
Instruction ID: 80bf2f5dac93111d5be6f51648d84734e2d7e17eb1f8131d6174c1aee5c6a9eb
Opcode Fuzzy Hash: e7b0332ab32fc4b8278a474990dd1d3f5517e7b38f71ecf3b6425b6bdf897dae
Instruction Fuzzy Hash: 3B31C335B002158FCB18EB68E4489ADBBF6FF89A10B0588AEE416D7350CF349E41CF91

Function 05CC4980 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893fad1c18aabea5f6aacbce18ded44efe6c889503723c2596920906d8abd7cb
Instruction ID: c53cfaeff899d51bb36f78ce302cf1578ebf7979c0f2e2d4e90b28b80787e8ca
Opcode Fuzzy Hash: 893fad1c18aabea5f6aacbce18ded44efe6c889503723c2596920906d8abd7cb
Instruction Fuzzy Hash: 0F31AD317001008FCB28DABDD894AA977F6EF89226B1545ADE51ACB3A0DB31DD01CB40

Function 05CC8574 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00f8c60a453435309f8b61f884d67ba5a097f9527ebd091969f1cbbca7f8a02
Instruction ID: e5be30b4f60b7067290cd1ed57707a298bd2ca9e9c136adaf063d52307db22a4
Opcode Fuzzy Hash: c00f8c60a453435309f8b61f884d67ba5a097f9527ebd091969f1cbbca7f8a02
Instruction Fuzzy Hash: E341D1B1D01309DBDB10DFAAC984A9EFFB5BF48704F24856AD409BB240D7B56A46CF90

Function 05CC8AFE Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fe0a621b567d1f062e3bd6c97589db49cdba947697071ab88df70464aea6f5
Instruction ID: 66977d8b3891ca93288b6f7701cd402cd0a63516c8eec13f836b8e3852259d37
Opcode Fuzzy Hash: 93fe0a621b567d1f062e3bd6c97589db49cdba947697071ab88df70464aea6f5
Instruction Fuzzy Hash: AE41DFB1D01309DBDB20DFAAC984ADEBFB5BF48704F24856AD409BB240D7756A46CF90

Function 05CC7A50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea52ef646da134e2ade38b3be46d73ddff68f54088e9f6a78c07eaedeb8e5b5b
Instruction ID: 32f34ce0824808dfddb371ea94743271feab8166ce786466395bbf5093916fa8
Opcode Fuzzy Hash: ea52ef646da134e2ade38b3be46d73ddff68f54088e9f6a78c07eaedeb8e5b5b
Instruction Fuzzy Hash: 6941CFB0D00359DFDB14CF9AC884A9EFBB1BF48710F20866AE418BB250D7B05845CF90

Function 05CC4CD3 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7340c120ac2315d30fb3fb8512121a97ccc70a5a15071e8060422e4e0b4561
Instruction ID: ab82461e27fb9a4f4ee9b141205975c04d4e9acba853b8f5fe3b9cb293aceebd
Opcode Fuzzy Hash: 8c7340c120ac2315d30fb3fb8512121a97ccc70a5a15071e8060422e4e0b4561
Instruction Fuzzy Hash: D031C235E402498BDF18EB74C4A47AEBEB2EF89212F508CADD402B6244DF784980CB95

Function 05CC8C80 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc55dd289b74870db1b6c965a4e5e00f3e5040c907ef3d6e289a414f5b99c712
Instruction ID: 45fed8e365e16fe0bc11428e7c2b8af07d198640c61d70791e9221851001f998
Opcode Fuzzy Hash: fc55dd289b74870db1b6c965a4e5e00f3e5040c907ef3d6e289a414f5b99c712
Instruction Fuzzy Hash: 4E2160B1F001159FDB11DBA9C9149FFBFFAEFD8600F14899AD554E7254EA708E018B90

Function 05CC8A00 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1501fae8b91636b66e309fd6f2ee02fe2c9236bbeae0ef374bef8526498d29ea
Instruction ID: bbfb32b6ea9fe975121f0c4467487e183f62f415f4af212047f012869d1dc97e
Opcode Fuzzy Hash: 1501fae8b91636b66e309fd6f2ee02fe2c9236bbeae0ef374bef8526498d29ea
Instruction Fuzzy Hash: 4A21E1726042048FCB05DB38C8584AFBFF6EF95214B1589AED246DB355EF71E806CB91

Function 05CCB2F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f982b41b29ee1e3b8850bafd6d42d5e6662ab3ed96e9e9df8aedb4092459f46
Instruction ID: 39d9128b97a20d95e6e739a31324c948f22161a9b8c4a788940a8892659fe012
Opcode Fuzzy Hash: 1f982b41b29ee1e3b8850bafd6d42d5e6662ab3ed96e9e9df8aedb4092459f46
Instruction Fuzzy Hash: 3C210531A1020AAFDB04DBB4E85666D7FB3FF84304F9549ADE5029B260DF749D01CB80

Function 05CCAD28 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f704490d34e03d68d2dbf83d80a3f7811a06589ea68255e0b70adc7007e8128a
Instruction ID: a361afb5829d643584402bdfdb3268a63e76de278c2ab700d09c8f05e1dbcf08
Opcode Fuzzy Hash: f704490d34e03d68d2dbf83d80a3f7811a06589ea68255e0b70adc7007e8128a
Instruction Fuzzy Hash: A0312A71610B088FD734CF38C88AB66BBF2FB45301F040EAEE0AAC7641D764E9188791

Function 05CCC9B7 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741addde53d34d5538b67a913f32aba027b27d90f88b6d9d9055afa17e38577b
Instruction ID: 9e31b91c173a1fd382f59a91141862c2ce1295360eb41ded8caa98ea4d247ac2
Opcode Fuzzy Hash: 741addde53d34d5538b67a913f32aba027b27d90f88b6d9d9055afa17e38577b
Instruction Fuzzy Hash: 19317A70B101088FCB04DF69C499AAEBBF5FF4C714F1544A8E80AEB361CA35AC41CB60

Function 05CCAD38 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd39c807b79966e1932ca435f9be478ed597754528d8d1847b099d68e9deb25
Instruction ID: 47fca5b22ce9344942a3e2f4a3f1b2418368276c72f563a721ebd5d72e15bde1
Opcode Fuzzy Hash: 6cd39c807b79966e1932ca435f9be478ed597754528d8d1847b099d68e9deb25
Instruction Fuzzy Hash: 2421D530610B089BD734DE38D88AB66BBE2BB45211F040E6DE0AACB641D774E9588B91

Function 010FD5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085144984.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba96489326750995b67ed619223e476ac6534381f3d032ac7c1661b753dcccfe
Instruction ID: b4f8aa216f287b49fad27735c9a6784bec37212cdea504349e342c61408c9e2f
Opcode Fuzzy Hash: ba96489326750995b67ed619223e476ac6534381f3d032ac7c1661b753dcccfe
Instruction Fuzzy Hash: D52167B2104200EFDB05DF54D9C4F2ABFA5FB88314F2081ADEA4D0B656C336D456CBA1

Function 05CC86A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70367f3575aead36ca252526bfd25ab1c0c4700a2add8ee6a354bd1cdb50521e
Instruction ID: b291ada2cb0c404ef499e30a1c40c01b90cb659d3f448107261589a9d296bfb8
Opcode Fuzzy Hash: 70367f3575aead36ca252526bfd25ab1c0c4700a2add8ee6a354bd1cdb50521e
Instruction Fuzzy Hash: A4219F75E0021A9FDF45DBB9C8809EFBBF6EF99200F14446AD505F7280EB748A01CBA1

Function 0110D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085189071.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77483c990239bb5f335cb54955c65a010554cc3cb9399af7d9f934e68034e273
Instruction ID: 2e574115179b01567e0c788dd9fc104b6b7224f32392baa1857d034db1999c1a
Opcode Fuzzy Hash: 77483c990239bb5f335cb54955c65a010554cc3cb9399af7d9f934e68034e273
Instruction Fuzzy Hash: 69210375A04204EFDF1ADF94E980B26BB65EB84314F20C56DD90E4B29AC7B6D406CA62

Function 0110D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085189071.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdb4b458f7ecf4e3adf256abf3bdedad09d89ad8fc98b52c7bfa2b849304ca1
Instruction ID: 5dabd584ccfb1f686581218b9d4f2e443d97bd82f18e8873f070ac592dde1071
Opcode Fuzzy Hash: 2fdb4b458f7ecf4e3adf256abf3bdedad09d89ad8fc98b52c7bfa2b849304ca1
Instruction Fuzzy Hash: D6210775904304EFDF0ADFD4E5C0B26BB65FB84324F20C56DE9094B292C7B6D446CAA2

Function 05CCC51C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee8573f2aa1980382dd19a3f94001563d4bc311ae0a4af976ba9b62884d7e17
Instruction ID: d3928638eeb868f60c958c5a5eb0c4f5d560079b409468a09781ac3a89a0f0fd
Opcode Fuzzy Hash: aee8573f2aa1980382dd19a3f94001563d4bc311ae0a4af976ba9b62884d7e17
Instruction Fuzzy Hash: BF215E357002549BCB24DE19D584E6BBBBAFB84615B0088AEE60B8B751CB31F941CB54

Function 05CCD430 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339b8abd1e93fe51b6187f2859a2218cc2593274287086fbb08df6a52711c7d3
Instruction ID: bbdeee981dbf9ef7df16efaa1b40f2f83fda17fcf1c813236c73fb2d7731d228
Opcode Fuzzy Hash: 339b8abd1e93fe51b6187f2859a2218cc2593274287086fbb08df6a52711c7d3
Instruction Fuzzy Hash: 40215C767006448FCB24DE15D580E6ABBB6FB88615B1188EEEA478BB51C734F941CB50

Function 05CCE518 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb939af9d75dec099ed1b3b89a9dd18ded36c93955ae2b8bc6a125c57099dc5f
Instruction ID: f057e8a4c9acaee03a45d95be8dc18bb218d4d156f7e1ec3915d39e1caaf6702
Opcode Fuzzy Hash: eb939af9d75dec099ed1b3b89a9dd18ded36c93955ae2b8bc6a125c57099dc5f
Instruction Fuzzy Hash: A0210E71E1024A9FCB05DFA9C8449EFFBF9FF99300B11855AE418E7211E770A952CB90

Function 05CCD6D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfaa4513dec9f08d1c84584072b8379c178b2e6ee2a68fef3ceb8a634a662e6
Instruction ID: 634cadde9b12962ee7a20a812d8d6c8835fe835204ba603f7892818f32f6939c
Opcode Fuzzy Hash: 3cfaa4513dec9f08d1c84584072b8379c178b2e6ee2a68fef3ceb8a634a662e6
Instruction Fuzzy Hash: E111DBB264D2C41FDB079B64D8656D47F70EF53354B1A48EFD8458F063C226891BD711

Function 05CCC580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd102ae03b43208390fa08b58b4c6db9a27e9bbeef3a081b7a74f900d09951f
Instruction ID: 2f67ced81b3c27882834f32bd530ea989cf992785f358499f27bf9ecde443995
Opcode Fuzzy Hash: 8bd102ae03b43208390fa08b58b4c6db9a27e9bbeef3a081b7a74f900d09951f
Instruction Fuzzy Hash: 3321DB71E1020A9FCB04DFADC8848AFFBF9FF98300B10855AE518E7210E770A952CB90

Function 05CC4430 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0915bfc361eaf328436dc5dbafc4311f426f6cb81be2dee8974efe14cc59e1ae
Instruction ID: 6d5c17936f1ad097b12c8472eeaca873b16f3f7dd8dac3a8060ff071ecc11c1c
Opcode Fuzzy Hash: 0915bfc361eaf328436dc5dbafc4311f426f6cb81be2dee8974efe14cc59e1ae
Instruction Fuzzy Hash: A41129327146005FE714CA78F45175B7BEAFB98305F1589AEC196C7AC1DB74B8024B50

Function 05CCE758 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d63f5286fd32deb8fdc485158e1b47a3a1dfc5898aa63cdeec8498996b1addf
Instruction ID: 3071598e2f4709a96d196ad8dcb7da711370d9397ec85285ca4bdc4255c44038
Opcode Fuzzy Hash: 6d63f5286fd32deb8fdc485158e1b47a3a1dfc5898aa63cdeec8498996b1addf
Instruction Fuzzy Hash: 5F216A76A002198FDF10CFA4D8417EDBBB6FF45301F1485AAE519E7281DA38AA06CB80

Function 05CC89F0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85541a1a714104c756408ae2ce827f5c5d34e57ceecf438277b6ad6313b93cd7
Instruction ID: 01b109c54c8aa281e06650891286d3c0f8f55e5e4526573b8b5f1ffb78ea74e9
Opcode Fuzzy Hash: 85541a1a714104c756408ae2ce827f5c5d34e57ceecf438277b6ad6313b93cd7
Instruction Fuzzy Hash: 3E11B1716002058FDB04DB28C815AAF7BF6FF84214B408A6DD646EB364EF70ED05CB91

Function 010FD5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085144984.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: fab7906d1195ab46d4c5ebe1aacfdc6d9be2b8bda69bfc17cf9f1b79367a58e6
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: D211B176504284CFCB16CF54D5C4B16BFB1FB88314F2486ADD9490B657C33AD456CBA2

Function 05CCB1F1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30caba74b24ad8eadbc5de5b72be5c2f83157be378000851aa5afa4a796f06b9
Instruction ID: fdd2e1af130096d2974f317728a1e2390cb6daba707467909bcc8cbba7e2f083
Opcode Fuzzy Hash: 30caba74b24ad8eadbc5de5b72be5c2f83157be378000851aa5afa4a796f06b9
Instruction Fuzzy Hash: 8F116D303106048FE714AF68C8587AA37E6BF89724F1185ADD0AA9B7E5CF71AC069B51

Function 05CC4440 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f411bab0b60fae192407138e0e573aa098c0f66bb70638b625f5c496865ce3
Instruction ID: 1972a2cd2a0f6f061e6904d25aa2e7e86ef413681c0cfd122258c394d272f32f
Opcode Fuzzy Hash: 74f411bab0b60fae192407138e0e573aa098c0f66bb70638b625f5c496865ce3
Instruction Fuzzy Hash: 201126317106045BE718DA68F44175F7BDAFBC8715F108AADD28AC7BC5DB74B8014B80

Function 05CCB1F8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae422b84a28703d9b4329ba27320d455f51f099e72ad865e5eb9cafe509d6460
Instruction ID: c7b56b5889061b6b810da475b0bafc356e633b33a4202809fcc6b4dfcba93f4e
Opcode Fuzzy Hash: ae422b84a28703d9b4329ba27320d455f51f099e72ad865e5eb9cafe509d6460
Instruction Fuzzy Hash: A7119E303106048FD714AF68C85CB9A37D6FF8A714F1186ADE06A9B3E5CE71AC069B91

Function 0110D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085189071.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 5afe8b22e35f4b6217726322ffbc8e61adee7ff8d2fb1bae20942ad95fba39e4
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: FE11BE75904284CFCB16CF54E5C4B15BB61FB44314F24C6A9D8094B69AC37AD40ACB62

Function 0110D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085189071.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 253e759ce8401a5115492742e5b0a2562355fcf363d2ccbbd3db310b1dda219c
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: B911BB75904284CFCB06CF94E5C0B15BBA2FB84324F24C6A9D8094B296C37AD44ACFA2

Function 05CC98B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb0b6f6cda53acaadd91f6ae66613d6b2a5befaba110fb39d5afc41dcd551c3
Instruction ID: 9368eaf3c7b9a25221c67caa897987fea9bb5ca6ce16149da28d0ba2dd70c7d4
Opcode Fuzzy Hash: eeb0b6f6cda53acaadd91f6ae66613d6b2a5befaba110fb39d5afc41dcd551c3
Instruction Fuzzy Hash: E101D472B052949FCF07AB7888955BFBF76DF89211B1508EED505EB282DA300906C7E6

Function 05CC85B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a3ebb47e301f92cfb280ce8e85178e639810ef088f255894b70e0aae63c94a
Instruction ID: 5bdc8ba7ba2c8941611a3cca7290fe4265b9913a1a896dfb7b4da33acc386893
Opcode Fuzzy Hash: c6a3ebb47e301f92cfb280ce8e85178e639810ef088f255894b70e0aae63c94a
Instruction Fuzzy Hash: E311F3B5C046099FDB10DF9AD444A9EFBF4EB48320F14855AE519A7210D3B8A545CFA1

Function 05CCD6A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17f3c8f086174227274272eb36dcb36dee1b76e07257e44bdc5496434d6b213
Instruction ID: 25b15c3b5f103bc6f0f2fd93e324473652f4321b8d89b7be7d94efdda5569daa
Opcode Fuzzy Hash: a17f3c8f086174227274272eb36dcb36dee1b76e07257e44bdc5496434d6b213
Instruction Fuzzy Hash: D301C031204240DFCB05EB64E854D68BB76FF85360725C9AFE10A8B165CB32D942CB80

Function 05CC8FA0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e91cbd89b4890e4ee162f93e8579652e0697b0114d45b70fef03ab451e25ee
Instruction ID: d66d1877a07f3b0cc304a07bfce7af306edbd3f4b97de7b775d97823f1b5af77
Opcode Fuzzy Hash: 65e91cbd89b4890e4ee162f93e8579652e0697b0114d45b70fef03ab451e25ee
Instruction Fuzzy Hash: A31102B6C006498FDB10DFAAD589BDEFBF4EF48320F14845AE519A7210D378A945CFA0

Function 05CC3911 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baecb357ae910268950e568db0abf52732155cbaaf176833a603e85b90114d3a
Instruction ID: de11807e74dd1536c9cebe703d7061e3af7540c40ef912ae51999d18fbbb2618
Opcode Fuzzy Hash: baecb357ae910268950e568db0abf52732155cbaaf176833a603e85b90114d3a
Instruction Fuzzy Hash: 0C1126303003014BEB046768E4157DE7AD6EB95319F10C65DE1D98F6C2CEFA684647E1

Function 05CC3D61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e5af34a80a396e686d230cb2de19bf149dbc826a22b9b682a32a0046c3d002
Instruction ID: bcc17c184be5ea62642fc24c9631c60244e48b8ad18d8f233498996ed77884cf
Opcode Fuzzy Hash: c9e5af34a80a396e686d230cb2de19bf149dbc826a22b9b682a32a0046c3d002
Instruction Fuzzy Hash: 5511C436B142818FCB25DB78E8446A97BE2BF8A601F0588EED555DB350DB349801CF54

Function 05CC4D62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d089b3ddb5560440c1fcc3c4eb496435d483ac8cc70319d058aa3b5fefc9d800
Instruction ID: dc0ecc7caddbfedefc7a49433bc168a84297189119ec9264ffeb150cb149e45e
Opcode Fuzzy Hash: d089b3ddb5560440c1fcc3c4eb496435d483ac8cc70319d058aa3b5fefc9d800
Instruction Fuzzy Hash: 35117335E40209CFDF18EF64C4A47AD7EB2EF94316F1588ACC002A6280DF784940CBA5

Function 05CC3920 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304b2514b6ad43b15325fee41d0968c70407100548e7439d860e1f5e3b916b57
Instruction ID: 50be4980e81577b6f642b5ab86a50cfa938a8841576db4a489c954b7991d1137
Opcode Fuzzy Hash: 304b2514b6ad43b15325fee41d0968c70407100548e7439d860e1f5e3b916b57
Instruction Fuzzy Hash: A101DE303003118BEB08A768E41579A7ACAEB94319F10C65DE1998F6C2CEF6684647E1

Function 05CCE5C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02eff423e6c57d2f472716719c8356463248f1060cdb00f75e50e97ca34efc49
Instruction ID: 5aeb5fcb678aaca01ded32b3cd59509ff9e383df3cdebacb9be27aa56a2c6c92
Opcode Fuzzy Hash: 02eff423e6c57d2f472716719c8356463248f1060cdb00f75e50e97ca34efc49
Instruction Fuzzy Hash: 7201D4712142048FC715D729D854D65BBFAFFC2214B15D5AED50ACB261DB70EC02CB50

Function 05CCE648 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1096ade7c36d36e4df97b62f660fa3f3a5c980f9912fadb4e02e3ff7dfd5c477
Instruction ID: b5f6aca331d14dda8f9578217acfa44bf22551ff74a9609a449d8c14092a4357
Opcode Fuzzy Hash: 1096ade7c36d36e4df97b62f660fa3f3a5c980f9912fadb4e02e3ff7dfd5c477
Instruction Fuzzy Hash: 4F012B317102049BDB15E725D800B7A7BAAFFC2210F14C9BDC40A87255DF70DD42CB90

Function 05CCE658 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1acb563cea318d2ec8b51a6594c55ef7e82c49f0be763f7af446133c8ea03d
Instruction ID: cba14c08142aca2f030bd573ed379946471ddd5a1242492498e2687a113c562e
Opcode Fuzzy Hash: 1e1acb563cea318d2ec8b51a6594c55ef7e82c49f0be763f7af446133c8ea03d
Instruction Fuzzy Hash: D501F9307102188BCB19E679D810A3B7BAFBFC1224B14C9BDC40A8B644DF70DD42CB90

Function 05CCE5D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afb3a60d42632b14a624c50b57ef07e87e52eaa1fb8bd7627153b9193054c8c
Instruction ID: eb3f9d4a08fb386ea4b0887e1bce3c654e1ee2074dc495844e5cd8523c71ca93
Opcode Fuzzy Hash: 5afb3a60d42632b14a624c50b57ef07e87e52eaa1fb8bd7627153b9193054c8c
Instruction Fuzzy Hash: 12016D303102058FC715DB29D844D66BBEAFFC6624B14C9AED50ACB620DBB1EC02CB90

Function 05CCB918 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11650bf0fceee2404c5944d327bcb1a8929085f26054c4112d6c9fce589c167a
Instruction ID: ca64daf71a3bc08d9ba94f03f51e8e0e8d481a97cda493641b8daa8f9569c0a5
Opcode Fuzzy Hash: 11650bf0fceee2404c5944d327bcb1a8929085f26054c4112d6c9fce589c167a
Instruction Fuzzy Hash: 5C01DF3090124AEFCB05EFB4E46A4AC7FB1FB41204B10569AD845E7291DE380E05DB91

Function 05CC98E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2563d6433a23fda5279ba630f9e6b453d2f3e7d7af6dc841f877f7cbc13f52ab
Instruction ID: c95326891de23dfbfecf08f81664b5dbd4dac84cc060072caf3e6fe2bc4976c2
Opcode Fuzzy Hash: 2563d6433a23fda5279ba630f9e6b453d2f3e7d7af6dc841f877f7cbc13f52ab
Instruction Fuzzy Hash: 20F09075B001189B8F16E6A898959BFBFBAEBC8610F0004ADE605A7340CE301E02D7E6

Function 05CCC59C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5f45421ce197339271f238f34e6a32d20a2b176bf1fd01e058b177de924923
Instruction ID: bacfa3c5893a2beb706eae9a0c39490d42e3455bb41e2e6a329b0c5c801b87b6
Opcode Fuzzy Hash: 2c5f45421ce197339271f238f34e6a32d20a2b176bf1fd01e058b177de924923
Instruction Fuzzy Hash: 44F01D729501098FDB90DFB8C8467BD7BF5FB04305F1489BAE418D3251EA38DA558B81

Function 05CC4568 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e6e078e30734ceffdbcaa5226aa465c06117d4a6239dcf7b4832e662bd1616
Instruction ID: 2845af5f50b5aef1a4b0df72ff6b71841f9f151013349096d4e5b77613319709
Opcode Fuzzy Hash: 29e6e078e30734ceffdbcaa5226aa465c06117d4a6239dcf7b4832e662bd1616
Instruction Fuzzy Hash: 96F0C276E082559FCB21DBBC98581EA7FF0EB44206B0488AED455D7240D7749A0ACB80

Function 05CC451A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4db4d4a0fc8fe985d427d47e5a1f5ebbe196e180029c071f6de57fce824550
Instruction ID: ae385b3f8d4848f623fa01b5f0b19c7b822e15714ae6c51b69c8a7dc754fdd8d
Opcode Fuzzy Hash: 8d4db4d4a0fc8fe985d427d47e5a1f5ebbe196e180029c071f6de57fce824550
Instruction Fuzzy Hash: 43F0BE76A042199FCB119AA898185DABFB1EB45201F0148AAD945D3240E630AD0ACB80

Function 05CCBFF8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8debe48539d2b206f282c763c99405388a6ab0c9acca5edbf1f7b806766d2dc
Instruction ID: 55a40364242fa3dc6a674f8953153fb31ea4ca01511850798d25627bd89203bc
Opcode Fuzzy Hash: b8debe48539d2b206f282c763c99405388a6ab0c9acca5edbf1f7b806766d2dc
Instruction Fuzzy Hash: F1F0A731608118AFD745DAA8A4516EABFE9EB85165F18409ED11DC3281DE31E901C790

Function 05CCB928 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2408f059065741c1e4aa08ecd4cab773f5dc01f1d4d84625c280d3aa4c2c38
Instruction ID: f0cbd8fa549f81129f322eba9ac9317abe98b0a0c1baf9f50a45acc8f6921558
Opcode Fuzzy Hash: ab2408f059065741c1e4aa08ecd4cab773f5dc01f1d4d84625c280d3aa4c2c38
Instruction Fuzzy Hash: 01F0AF30A0120EEFCB04EFB8E5699ACBFB2FB84204B1056ADE805E7340DE341E04CB90

Function 05CCE6DA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3919c36452a9d0c60ee83cfae3896adaade8e89d0f96c54f2ee59189909a21
Instruction ID: 3705297635d467e40168c6bdb656a330b421908b68931a0741820463e8bf1b91
Opcode Fuzzy Hash: cf3919c36452a9d0c60ee83cfae3896adaade8e89d0f96c54f2ee59189909a21
Instruction Fuzzy Hash: E5F06D729142898FDB91CFB8C8467AC7FB0FF05305F1985FAD018D7292E6388A49CB40

Function 05CC3A10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24de6e04bffdaecfed40464ac17446b88c4df896e26bc92deb6b847818c8b1c7
Instruction ID: 68e7e603b6b7ae2dff6fe2676dfb05f07f9956bdde2b33a046b95179217eb083
Opcode Fuzzy Hash: 24de6e04bffdaecfed40464ac17446b88c4df896e26bc92deb6b847818c8b1c7
Instruction Fuzzy Hash: 78F034316007448F9B28CF58E482A957BE2FB047587200C9DE81ACF302D776ED138B84

Function 05CCEA11 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96be9d3385fcfe76751840d98b71625ea3e03252fe9e79ab4c735bbfa18d63f9
Instruction ID: 18071976816d9cb3c7b1ee97f9705f17a760cb4c4d1e837583cf2a9355a6a472
Opcode Fuzzy Hash: 96be9d3385fcfe76751840d98b71625ea3e03252fe9e79ab4c735bbfa18d63f9
Instruction Fuzzy Hash: 9FF02733618AA09FC712CB58E4848D4BF79FB4732431A88CAE059CF6A3C332C842CB41

Function 05CC4DBD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154b93ec7c3d3c1d740b320a327e65fbb908d4e49d7dbe6c226e6e31d3aac8f9
Instruction ID: d167e4b19dca1363ad1665db8619ba996ee8f0d3d8df4dff9ee07545da1724d5
Opcode Fuzzy Hash: 154b93ec7c3d3c1d740b320a327e65fbb908d4e49d7dbe6c226e6e31d3aac8f9
Instruction Fuzzy Hash: AFF09070A4030ACBDF18EF75C4697AEBEB2BF84316F11886CD002AA180DF744840CF95

Function 05CC9C98 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0459a21dfec0c013cd0d2f1f2e01035b6fffae453fdbe324fe099b9184ac3cd4
Instruction ID: 0b703a662ad7079affc9cfda99e259f2d383882a2564125db811320cafcffa69
Opcode Fuzzy Hash: 0459a21dfec0c013cd0d2f1f2e01035b6fffae453fdbe324fe099b9184ac3cd4
Instruction Fuzzy Hash: 57E04F72B001186B5B04EEB9CC408AFBEFFDB84650F1184BAD509D3204FD31AD018390

Function 05CCEA20 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3ca188b69fd56c338ae5c65bad490bc1f00d65557aff3e92caa1c345c63bf8
Instruction ID: db0c26650384961a2953da8b2b92fa7dfc15d1f8737b2e4df42f3372fdaa7139
Opcode Fuzzy Hash: 7e3ca188b69fd56c338ae5c65bad490bc1f00d65557aff3e92caa1c345c63bf8
Instruction Fuzzy Hash: 7CE09237211528DBC710DB48F4818B9B7AEFB856693288096E40DCB660D737DC02C380

Function 05CC3A01 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7549d2e8a4a492aa458e1acc191500c3df882f80b09b6ff0a77b996ab7da8f
Instruction ID: 9494c43790797a101d123f71f7c9b646c7623bfc513fe3c6d4e7694adbac6229
Opcode Fuzzy Hash: aa7549d2e8a4a492aa458e1acc191500c3df882f80b09b6ff0a77b996ab7da8f
Instruction Fuzzy Hash: E7E0DF323146859BCB15DB58E442AD97FE2FB86314B184C9DE40ACF702EB69E913CB84

Function 05CC4528 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ff27571164b6f678deadaecae48b6db54c9a104edb3db06e2d8260c191b122
Instruction ID: bd310b6ae224cea981d45257ccba6ac1a7f3ea9e4a6f5ec049917bbe47429c77
Opcode Fuzzy Hash: 27ff27571164b6f678deadaecae48b6db54c9a104edb3db06e2d8260c191b122
Instruction Fuzzy Hash: DBE06535A101199FCB10DAADD8085DEBBF4FB84315F004569D955D3340D770AA19CFC0

Function 05CC8999 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a944c4bdccb4ec0c3937f2c540d375f3c2da57346cca5c88222652085183c9
Instruction ID: 2f061fd1626e01e2867d4b106d03a44c7561012d009ba7d4556b5b08725aeb6e
Opcode Fuzzy Hash: e9a944c4bdccb4ec0c3937f2c540d375f3c2da57346cca5c88222652085183c9
Instruction Fuzzy Hash: 17F0ED71A0434AEFCB01EBB0E90164DBFB8FF52304B22548AD800D7342EA726E10EB11

Function 05CC38CB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79bec8577c0f01b20ee32c91b728c4bb171dab5eca929aa199c31c754c63f52
Instruction ID: a3ba3cecc007596cb985e2ac9794dcf9dbaf649d2bf4a77258ae3f150360b91d
Opcode Fuzzy Hash: b79bec8577c0f01b20ee32c91b728c4bb171dab5eca929aa199c31c754c63f52
Instruction Fuzzy Hash: E1E020313883900BD30B639475107D97FDE8B8B635F0940AFE445CB343C9984C4143E0

Function 05CC9C46 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fd92e0a48a32c7ad48adc46c5a3b4757baaac9fa2848442d01214a4fa329a1
Instruction ID: 465c2c2e786f7f6ab18422fb9193a61145b3ed9297f459b7fdba0218bed2e39d
Opcode Fuzzy Hash: 76fd92e0a48a32c7ad48adc46c5a3b4757baaac9fa2848442d01214a4fa329a1
Instruction Fuzzy Hash: C9E0DF32D4020DEACF249B81E508BFCFFB0FB4434AF2008AAE012B1440C7701680CB90

Function 05CCEA69 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136832766493dea3f333471000a3af265edad9a67fd86f4f8eba4e919eefbc6
Instruction ID: 8f1fea8ca8a77af50df832f8284f08940e1e2b920d4530197b293a03a6c84dc6
Opcode Fuzzy Hash: 6136832766493dea3f333471000a3af265edad9a67fd86f4f8eba4e919eefbc6
Instruction Fuzzy Hash: FBE0DF328247A09FC322A788D008AD07FBCF706220F4784D6E88487692C628AC818F91

Function 05CC4C81 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea44d1c705d03d66f9639549048a046cc9a3bb2115dfe9abd3bc71a95da4a856
Instruction ID: 0243043fb6430bd31991740f38ee0fa203f81d4f1d5856b9d12768736e106341
Opcode Fuzzy Hash: ea44d1c705d03d66f9639549048a046cc9a3bb2115dfe9abd3bc71a95da4a856
Instruction Fuzzy Hash: 46E0E53655B3C18FDB039F6899A06593FB0DE23205B0919DED4829B497D6248848CF52

Function 05CC89A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ab1d2f7be5922e70ce0283635a4e26285e43909588c0b3bbc623b4dd526e51
Instruction ID: cb772425319a8d4a2a3b9127bf1d72c43fba6998acdacb5a29de4ceab73ab1c2
Opcode Fuzzy Hash: 39ab1d2f7be5922e70ce0283635a4e26285e43909588c0b3bbc623b4dd526e51
Instruction Fuzzy Hash: 2EE08C30A0020AEFCB00EFA4EA0199DBBB9FF45304B208199EC05E7704EF726E10EB51

Function 05CC38E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccae97233d20116f938584fe694ee6529ee8998d0af03061f7a9ba86bfce743
Instruction ID: 9190b18d99c40d7c68583946ed86b7f223b6f6ec88ccf516d5518bcefe1e1777
Opcode Fuzzy Hash: bccae97233d20116f938584fe694ee6529ee8998d0af03061f7a9ba86bfce743
Instruction Fuzzy Hash: 1DD05E317442140BD70D6788A1107DAB6DE9FCD651F0580AAE5098B381CAA19C0102D5

Function 05CC4E30 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316ce18ee887b63606d0fecc1576e78a7811f984494a8cc653b37b03942ab87e
Instruction ID: 9de238fc87c2e65b6cdc4c36ad32e1d0c105aed15057408218e16185af0cd249
Opcode Fuzzy Hash: 316ce18ee887b63606d0fecc1576e78a7811f984494a8cc653b37b03942ab87e
Instruction Fuzzy Hash: 39E0E278A40209CFCB04CF64E1A9EADFFB0AF08701F21C869E426E7261CB309804CF50

Function 05CCA500 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b6cb2a44717df3fe06ba96c6d8d425ca6836d2b12c7bd6edd40611465cc192
Instruction ID: 65e3f664fee120c4caed68527a543fd73f0d92cb5abcb9364d595d31630e4735
Opcode Fuzzy Hash: c8b6cb2a44717df3fe06ba96c6d8d425ca6836d2b12c7bd6edd40611465cc192
Instruction Fuzzy Hash: 33B0922271563A13DA08319D6420AEE77CF8B8AA61F4104BFE60E877858DD6AC4112EA

Function 05CC44F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06fb94eb8ce5d7f44c85d1dfed5ab623b82d98e5fc4a7827551e9166f3cc927
Instruction ID: 263366f8eb674029fa739af105c777b742b234aa5808b16db647b35f7010d694
Opcode Fuzzy Hash: b06fb94eb8ce5d7f44c85d1dfed5ab623b82d98e5fc4a7827551e9166f3cc927
Instruction Fuzzy Hash: ADD012727483C04FD725DF6464040457FB29F72500B07C8AED1858F262D5358C51C754

Function 05CCD720 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087350293.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fab25f73214b35b091c82aa85ca85078f9e1fed1458bc373a64c0fb4ddff61
Instruction ID: dc3790ceedc3df0fe77f26196d4be0ebf3cc5d04157ddeff4740d7c9ebb78fb2
Opcode Fuzzy Hash: 57fab25f73214b35b091c82aa85ca85078f9e1fed1458bc373a64c0fb4ddff61
Instruction Fuzzy Hash: 47C04C32544108BBCB027E91DC09E5ABF2ABB55794F148059F7180E165D773EA63FBD0

Non-executed Functions

Function 050A0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef15db1e98a6d999ff996cd556099fa196a57d323a48cfc740ec432756cc7504
Instruction ID: e5339a46008e60ce2563fdde27a64e489aafcfbbf6a23722fe518a118659cd4b
Opcode Fuzzy Hash: ef15db1e98a6d999ff996cd556099fa196a57d323a48cfc740ec432756cc7504
Instruction Fuzzy Hash: EC1295B040AB49ABE710CF65F94C18D3BB9FF41318B516209D2622F2E6E7BC194ACF44

Function 0119D3DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085342109.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450c8a909d23a9aa4eeb1db284c30161791bbd61d233935ba3f17d5d1a0730e0
Instruction ID: 35a827962ab2788d1ba28633eac9e81d3d5bce8e0eed5425f2d6e4cb0b77d2ed
Opcode Fuzzy Hash: 450c8a909d23a9aa4eeb1db284c30161791bbd61d233935ba3f17d5d1a0730e0
Instruction Fuzzy Hash: 7FA18032E0020ACFCF09DFB9D8445DEBBB2FF85304B15856AE916AB261DB35E915CB50

Function 050A0006 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086559463.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5f9d4b541b2746dc9f0e3552d0e83755d5a4e14c9b99a7328eb203bf4a8300
Instruction ID: bb374c4adf58d5630ef3aca33555034432473e168fd775caaaff2b5d3a0347c3
Opcode Fuzzy Hash: 5c5f9d4b541b2746dc9f0e3552d0e83755d5a4e14c9b99a7328eb203bf4a8300
Instruction Fuzzy Hash: 23C107B0806B49ABD711CF75F84818D7BB9FF85314F516209D2626B2E2EBBC184ACF44

Analysis Process: Details.exePID: 2276, Parent PID: 6464COMMON

Executed Functions

Function 02699858 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab75ed5f32f896e096ed5bdeb4798a3145d102a2cbe6af09f9e848e0413477a
Instruction ID: 686e7723d342f0d41a254b4a63560b43790e249ad863c926240cdbdb45041f25
Opcode Fuzzy Hash: 5ab75ed5f32f896e096ed5bdeb4798a3145d102a2cbe6af09f9e848e0413477a
Instruction Fuzzy Hash: F3723A71A01209DFCF15CFA8C984AAEBBF6BF88314F158559E8059B3A5DB30ED91CB50

Function 02696108 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89397c593236365b42be8fcf4308c656b536bd6e6de0c2e3604a666ec958aa19
Instruction ID: e4ff1667a57c5e3bac31e2bad5e7ab245184fee6d2b39288c08881e3f19ea7a5
Opcode Fuzzy Hash: 89397c593236365b42be8fcf4308c656b536bd6e6de0c2e3604a666ec958aa19
Instruction Fuzzy Hash: 60127D70A002198FDF14DFA9C854BAEBBFABF88304F148569E5069B395DF349C85CB90

Function 02696730 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae1c1c49f6f0d97f1b39d643ceb708edc8052fb1e5e51ec5e435e16fe69b3ad
Instruction ID: eb07c7af032d9f8583ce8f511aaa94d3096e10a46e435d3b1c1b40bbba3a3fe9
Opcode Fuzzy Hash: eae1c1c49f6f0d97f1b39d643ceb708edc8052fb1e5e51ec5e435e16fe69b3ad
Instruction Fuzzy Hash: 08022B70A00219DFCF14CFA9C984AADBBBAFF88354F15846AE415AB365DB30DD91CB50

Function 0269B4A0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a8106b176db28d036dfbe66d7088b3b4e084f6dba214a9d3486022b7141812
Instruction ID: 10d3cf925343e27ce891ef7818b3bd7f128d33cd07527bf5cd9a256a73519b60
Opcode Fuzzy Hash: 22a8106b176db28d036dfbe66d7088b3b4e084f6dba214a9d3486022b7141812
Instruction Fuzzy Hash: 9EA1F574E00258CFDB18DFAAD894A9DBBF6FF89304F14816AD409AB365DB709942CF50

Function 0269C470 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52259c455a1c60e67f1bc95c9dad66035e32051df06880279f91920641c8615f
Instruction ID: 68884100ddee47eeaffd834a6c05e03df43b6e035ef73bed9662a0edf7186cec
Opcode Fuzzy Hash: 52259c455a1c60e67f1bc95c9dad66035e32051df06880279f91920641c8615f
Instruction Fuzzy Hash: F791D774E00258CFDF18DFA9D884A9DBBF2BF89310F14916AD409AB365DB749942CF10

Function 0269BEB0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fa8134fd105e122ef929cacab15909644b752b51c4d7a9dc6511fc80fa5200
Instruction ID: fcf45921a9efc76f30d8603a40130ca9329afde783608907e95571548b4f5479
Opcode Fuzzy Hash: 90fa8134fd105e122ef929cacab15909644b752b51c4d7a9dc6511fc80fa5200
Instruction Fuzzy Hash: 1391C674E00258CFDF18DFA9D884A9DBBF2BF89304F14806AD409AB365DB755986CF50

Function 0269BBD3 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbbef40ec67b918e0474caef08d953d506c967d16e1e2bd64cfd13ad2a67717
Instruction ID: ef9fc70c1ae9ee8daacadaf81712bd02f03042ccd3ffec7facbe7f67add7d768
Opcode Fuzzy Hash: cfbbef40ec67b918e0474caef08d953d506c967d16e1e2bd64cfd13ad2a67717
Instruction Fuzzy Hash: F291B174E00258CFDF18DFAAD884A9DBBF6BF88304F148069D409AB365DB709986CF50

Function 0269C753 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7753d6769e745d14c6e95701de3ffb139fed629e2c72352cd48aa51efc17c08e
Instruction ID: 3aa145fb855426fb57b0286bd0a89d435e10814fad9516ef720f63cada5f808c
Opcode Fuzzy Hash: 7753d6769e745d14c6e95701de3ffb139fed629e2c72352cd48aa51efc17c08e
Instruction Fuzzy Hash: 1481C474E00218CFDF18DFAAD984A9DBBF2BF89310F14906AD409AB365DB749946CF10

Function 02694AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd82c470eabbec031b4a1145983f0ee151c9f9c33f883863b5adc36b986fbd7
Instruction ID: 9c2ab46202969a3ed4272a3dc763cd19e6b93f4c5c992cdd7a9d6505f672c294
Opcode Fuzzy Hash: dcd82c470eabbec031b4a1145983f0ee151c9f9c33f883863b5adc36b986fbd7
Instruction Fuzzy Hash: 1881B474E00218CFDF18DFAAD884A9DBBF2BF88304F149169D419AB365DB745986CF10

Function 0269C193 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d617feacb1cb402afd3d986fca3391acf9b39476eb247ce63486f6fbb272a2f4
Instruction ID: b9fe2c76b3ad607d5e0722e595867c10e768e76cf1886ea8e3b88f8e46fb2a3f
Opcode Fuzzy Hash: d617feacb1cb402afd3d986fca3391acf9b39476eb247ce63486f6fbb272a2f4
Instruction Fuzzy Hash: 8D81A574E00218CFDF18DFAAD884A9DBBF2BF89300F14906AD419AB365DB749946CF54

Function 0269CD53 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c463c82c04bc27fdafe23e985d600a41b8b2c42644650b8afe5d92dea934ed6
Instruction ID: 6602bf6393253845fe4d4ce7809d086207002f344a73df65791aaea5463e1a91
Opcode Fuzzy Hash: 6c463c82c04bc27fdafe23e985d600a41b8b2c42644650b8afe5d92dea934ed6
Instruction Fuzzy Hash: D381A674E00218CFDB18DFAAD994A9DBBF6BF88300F14D06AE409AB365DB745946CF50

Function 0269B4F3 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7544995bb36f901cd81d482cecfecfd93d716a6957e858362a340e343c8b6507
Instruction ID: 81235d3d90a8f1c1bd7e271568193fe8a724ca32cee4c6d88758301bcae7e2bd
Opcode Fuzzy Hash: 7544995bb36f901cd81d482cecfecfd93d716a6957e858362a340e343c8b6507
Instruction Fuzzy Hash: 1061B074E00648CFDB18DFAAD994A9DBBF2BF89304F14C169D418AB365DB745942CF10

Function 026977F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfe315513dacb0e2db4a774e14dd99208ac371a81e093d5c73bc6318e74d433
Instruction ID: 9b0188a504acc4b6024568f3867abb50d3bba91b34600638f687acd3a3849577
Opcode Fuzzy Hash: 7dfe315513dacb0e2db4a774e14dd99208ac371a81e093d5c73bc6318e74d433
Instruction Fuzzy Hash: 2A52FF74A00259CFEB54DBE4C8A0B9EBF76EB85300F1081AEC20A6B395DF359D859F51

Function 026987E9 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07f1f1fee4342d888db26fc1edd0f53868fbfc98ce1590a9d209237df981eb7
Instruction ID: ced5e5e1022385f881397cdca42a35a59564157bd29e539004de29b88a3502a4
Opcode Fuzzy Hash: d07f1f1fee4342d888db26fc1edd0f53868fbfc98ce1590a9d209237df981eb7
Instruction Fuzzy Hash: A0F159707052018FDF199B29C958B3D36AEAF87718F1944AAE502CB3A6EF65CC82C751

Function 02696E58 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16fd946df79b57308af2b0b2d63840ab6449134341fe60d49f36134ce8ea535
Instruction ID: c7a65a686380a487a80c2a0b1b320c0142a5a6f05030a3b34087560c773f3494
Opcode Fuzzy Hash: e16fd946df79b57308af2b0b2d63840ab6449134341fe60d49f36134ce8ea535
Instruction Fuzzy Hash: 94124A70A10249CFCF19CF69D984A9EBBFAAF89314F148599E909DB361DB30ED41CB50

Function 0269A818 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280fd15e3fd0a8e43ca4eece0edf2f93b2cc50c63c48643302f2214833c0accc
Instruction ID: eb35840a656fc59c3e57d4164707e4208c7e7ae5d5943073d707a30a43788444
Opcode Fuzzy Hash: 280fd15e3fd0a8e43ca4eece0edf2f93b2cc50c63c48643302f2214833c0accc
Instruction Fuzzy Hash: 6BF10B75A00114CFCF04DFADC584AADBBF6BF88314B1A8199E519AB365CB31EC41CB50

Function 02690C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d0c90bd903c4b3a5dd735f5839df912099eb1a5f20f373528c2939b4fc4eef
Instruction ID: 74b026a80ab2e2c377ffe09201c05790fa97e2357e9a049d33b241dc1c9dae5d
Opcode Fuzzy Hash: 68d0c90bd903c4b3a5dd735f5839df912099eb1a5f20f373528c2939b4fc4eef
Instruction Fuzzy Hash: CF22C574A0121ACFDB98EF64E884B9DBBB2FF88301F1099A9D509A7319DB745D85CF40

Function 02690CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b9530e92ab4edd9cb3846b4f219d6d05247f745173f0b03c76b45b576f235b
Instruction ID: 082532775eda0fdceb122bfce47d05fb50c45ecdd305e0d4bdbf9332b04b7e5b
Opcode Fuzzy Hash: 04b9530e92ab4edd9cb3846b4f219d6d05247f745173f0b03c76b45b576f235b
Instruction Fuzzy Hash: 1322C77490121ACFDB98EF64E884B9DBBB2FF88301F1099A9D509A7319DB745D85CF40

Function 026956A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2dfef6ef04251376dee6719752aecfb46605bb2116aff335830cdd99eba205
Instruction ID: e9bbe008e6cf655a30384771a63e9e872ccce2de761b10a9a8e54f3e0d60b0d1
Opcode Fuzzy Hash: 4e2dfef6ef04251376dee6719752aecfb46605bb2116aff335830cdd99eba205
Instruction Fuzzy Hash: C5B1BD307042518FDF1A9F78C894B3E7BAAAB88314F548969E907CB391DF758C46CB90

Function 0269215C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935269576aebd57867f52d6fd3a47f3e84f4e0eed6291fa7776872906d9df977
Instruction ID: 65bccf5a2b1aa9c6b61d5a16011ae2e3a5f174501c3ef0dfa590bcc9ca285203
Opcode Fuzzy Hash: 935269576aebd57867f52d6fd3a47f3e84f4e0eed6291fa7776872906d9df977
Instruction Fuzzy Hash: 65A10B31E406169FCF19CF68CAA07AEBBF9BF85310F105597C915AB290DF309A85CB51

Function 02695C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b701acc00deeb57c5ab8113f0a8ddfe3fb8f70bc97692b65da1f8c80cd06b9dd
Instruction ID: 82cee1b7267f56b824fc15bff6ef83e4a949d733ed7def90c7f3068479c1b0e7
Opcode Fuzzy Hash: b701acc00deeb57c5ab8113f0a8ddfe3fb8f70bc97692b65da1f8c80cd06b9dd
Instruction Fuzzy Hash: E1818131A00105DFCF1ADF69C498A6DB7BABF89214B948169D406DB3A5DF31EC42CB91

Function 02697438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f781ea59ca2873b0041190c830a663d5ebc4c86fa309820d85865deeb7cd4240
Instruction ID: 672d7027f1e7ea6756ba816831d8a86939c1d9d06f5c4df6890dc42d05089d5c
Opcode Fuzzy Hash: f781ea59ca2873b0041190c830a663d5ebc4c86fa309820d85865deeb7cd4240
Instruction Fuzzy Hash: 7D71D8747102058FCF56DF29C898AADBBEAAF49604B1544A9E906CB3B1DF70EC51CB90

Function 0269D36B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38011e4fad1ce94fa7c041d0c0daf5fab604ced19624d6f8c46b08709bd580b6
Instruction ID: 45b698cc3193062230f2d0c25715fc9efd97dedc593212beb97cfb7e9f3b9402
Opcode Fuzzy Hash: 38011e4fad1ce94fa7c041d0c0daf5fab604ced19624d6f8c46b08709bd580b6
Instruction Fuzzy Hash: BC51CD708A53428FCB882B24E1AC1AEBBB1FB4F7677957D00E25E89015CB3160B9DA15

Function 0269D378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40f4899181865118454abd855c3c88ad22b1dc929aa395ee8ead450694b86a4
Instruction ID: 3f879614b12f79069583333890633fd3fceb38b8ab5afd507c2d0ec0efd40b30
Opcode Fuzzy Hash: d40f4899181865118454abd855c3c88ad22b1dc929aa395ee8ead450694b86a4
Instruction Fuzzy Hash: DF519D708B53428FCB883F65E1AC16EBBA5FB4F7677917D00E21E89044CB3160B4DA15

Function 0269D033 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb8aebfa164b12ce8f2223158b61ce9cf633009a08d4d5c0635badef09d5507
Instruction ID: 82f39d42e7016b3ca7fd271ae62177829426a2c08107fcbf127d61b3c40e9360
Opcode Fuzzy Hash: cbb8aebfa164b12ce8f2223158b61ce9cf633009a08d4d5c0635badef09d5507
Instruction Fuzzy Hash: 1651A574E01208DFDB58DFA9D5849DDBBF2BF89300F24816AE809AB365DB30A841CF40

Function 02693908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136d3b5d5a2997ff98bcf2baa6f700bc6f007c404f318da91ae0755bd958007c
Instruction ID: 5d1e4c80ea3814adb2f814d06e0a75e71506fb4d1690305e85c2d55ef5ab377a
Opcode Fuzzy Hash: 136d3b5d5a2997ff98bcf2baa6f700bc6f007c404f318da91ae0755bd958007c
Instruction Fuzzy Hash: 5E519374E01248DFCB08DFA9D59499DBBB6FF89300B209469E809AB364DB35AD42CF54

Function 0269A650 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5631dc30118bdd40433cefba893a34182aa1d5ef5a2aa2a1378c316f69022920
Instruction ID: f6041d14fd866aba03388b6da0cbdd302eedc608bb3ad5bbc83436f5af8be3bb
Opcode Fuzzy Hash: 5631dc30118bdd40433cefba893a34182aa1d5ef5a2aa2a1378c316f69022920
Instruction Fuzzy Hash: CB41C235B002049FCF199BB9D955AAE7FF7ABC8710F248469D516E7391CE319C02CB90

Function 02699A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4eae1f4ea5a7713fed10deb6b55d2391327fbc1bf81e6f73742cbc38c5a9f6
Instruction ID: 1961273620df8b2834c300a88fa84451fde10540f734b9bf7479559f26cf682a
Opcode Fuzzy Hash: 6e4eae1f4ea5a7713fed10deb6b55d2391327fbc1bf81e6f73742cbc38c5a9f6
Instruction Fuzzy Hash: 7D51EC31A05249DFCF15CFA4C840B9EBFB6EF89314F04815AE805AB3A5DB34E951CBA0

Function 02693428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c7c2e183448f4091d947cb8b6e85adcac4aa4e49d5dbf6241b7b89224bb115
Instruction ID: 369e261f6f401d212dfe9e442f8bbe2bfc89b7de7e208ad9de6d7038f36e4fff
Opcode Fuzzy Hash: c0c7c2e183448f4091d947cb8b6e85adcac4aa4e49d5dbf6241b7b89224bb115
Instruction Fuzzy Hash: E031E431B003258BDF1D4AAA899827E79DEABCA714F1944BDD906C3384DFB4CC6587A1

Function 02694DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f97f9dfde1c62e0916b4a1b1b7525993306b9eba53a49bc5fdd03b848be3cf
Instruction ID: 3f500e3e60734178a5e69982bcef1233ff3a55c812b5eb23aebdfd4095e25965
Opcode Fuzzy Hash: c0f97f9dfde1c62e0916b4a1b1b7525993306b9eba53a49bc5fdd03b848be3cf
Instruction Fuzzy Hash: 7A3150316041499FCF459FA4D894AAF7FAAEB88304F008469FA158B394CF35CC62DBD1

Function 026976D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc28ecdb2152a55f138d39450a0f22ab8a9fe5ee989a29f10b03321b0229bef
Instruction ID: 32ec45ce35112170c511d1c1cbe5d0825662989fc4e59d2a8efad993ec3a7c02
Opcode Fuzzy Hash: adc28ecdb2152a55f138d39450a0f22ab8a9fe5ee989a29f10b03321b0229bef
Instruction Fuzzy Hash: 7721C4743242419BDF1B16398C94B3EBA9FAFC8618718447AD606CF799EF26CC42D781

Function 0269A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf686bc5ec8934d7b3c912061c822705edb5ec927c20fb1b3d74f29cf17d50a
Instruction ID: 2173ccb2b60bb82c5efd0fbd50d630009d6330979c60e88ca8efa0a85638d383
Opcode Fuzzy Hash: 3bf686bc5ec8934d7b3c912061c822705edb5ec927c20fb1b3d74f29cf17d50a
Instruction Fuzzy Hash: E331B370E005158FCF04CFA9C8889AEBBF7BF89354B158159E556DB3A5CB309D42CB90

Function 026976E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6972dfed1fc8c50c583bc3a307d5b298dc2da491ac03d80d6e1fdd62817799ca
Instruction ID: 652789ab921c41a24f6858eb13bb3e02bafa1766b36d6cace9e165a3b1c88bc2
Opcode Fuzzy Hash: 6972dfed1fc8c50c583bc3a307d5b298dc2da491ac03d80d6e1fdd62817799ca
Instruction Fuzzy Hash: D0217F743242015BEF1A1A258894B7EB69FAFC8718F144479D606CF798EF66CC82E781

Function 0269D5B9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5090295fac6dc57e49fa5fe8eb2611557f71f05803f68bc82664573323b354
Instruction ID: 5ec0637c0c28871aca286edc50d46a8d4c1eb02fbc675c4cd13e84770e3e0b11
Opcode Fuzzy Hash: cc5090295fac6dc57e49fa5fe8eb2611557f71f05803f68bc82664573323b354
Instruction Fuzzy Hash: 17213730C112598ECF05EFF8E8446ECBBB5FF5A304F109629D84577254EB716A5ACB80

Function 02692060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a823b6660c9cd2e335e6a21c50abc1aad7ac396214465fd04b32a39da9f77c
Instruction ID: 4c2babd6dd3598918e291a37445df469400b2d4508258aa62f9413b717ab20e5
Opcode Fuzzy Hash: 93a823b6660c9cd2e335e6a21c50abc1aad7ac396214465fd04b32a39da9f77c
Instruction Fuzzy Hash: 3321C135A00256AFCF14DF24D850AAE77A9EB9C390F50C459ED0A9B344DF35EA42CBD1

Function 02695A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eff77e6e62b1b771b2e464aefe6c6a0194ec5959c57694d9c95f864ef425f40
Instruction ID: 99d5e192af7084c84d4834e7c816bae2e51b9cf7a3f75ae1eb21dcbfecbc39a2
Opcode Fuzzy Hash: 3eff77e6e62b1b771b2e464aefe6c6a0194ec5959c57694d9c95f864ef425f40
Instruction Fuzzy Hash: 2E21BE317056528FCB6A9A65C4A452EBBA6AF89660B0585A9E907CB394CF34DC06CBC0

Function 0240D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294302986.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_240d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189015cd4c507763f2dbbbfae3d7bfa683eb7e096e47a56946cee424309de709
Instruction ID: 55e1b1fde60fdfa645eb1b489daca3d88fe227c9432bfb413bb8b9b04d1d57de
Opcode Fuzzy Hash: 189015cd4c507763f2dbbbfae3d7bfa683eb7e096e47a56946cee424309de709
Instruction Fuzzy Hash: 89212876904244EFDB08DF54D9C0B27BF65FB84324F20C17AE9090B296C336E49ACBA1

Function 0269D6B7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8642a3e89a21413b82beb71ec059dc0ea2a1ed57102317e5538e16e854d516c2
Instruction ID: 9b0a010908ab29b57a2e5853847c83c728ae04f3efb7330b770fd1d27982518f
Opcode Fuzzy Hash: 8642a3e89a21413b82beb71ec059dc0ea2a1ed57102317e5538e16e854d516c2
Instruction Fuzzy Hash: F6214874D022498FCF08DFB0D850AEDB7B6BB89304F20A479C80577395CB799846CE58

Function 026939ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fe3f4a91a0883d014925603b861a726c9a8ff533475252bc7f3ee4b9ce64bb
Instruction ID: 6618a122ee6e3539c85b02f8dcc1b5cf0d45269404b442abbe9a8e13494e53e6
Opcode Fuzzy Hash: 22fe3f4a91a0883d014925603b861a726c9a8ff533475252bc7f3ee4b9ce64bb
Instruction Fuzzy Hash: EA31C674E01348DFCB48DFA8E59489DBBB6FF49301B209469E809AB325DB35AD55CF40

Function 02694DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811eb862c01181a9c6650394c91471a0b58c48f6ba359cef5cef3cd6feea0b82
Instruction ID: 68dc25ebf145fa2c3721f611c2416bb414ca14d660ed8c4fc2ede6003a90ead0
Opcode Fuzzy Hash: 811eb862c01181a9c6650394c91471a0b58c48f6ba359cef5cef3cd6feea0b82
Instruction Fuzzy Hash: B72192316042459FCF5A9F78D454A6B3FAAEB84314F10446AE9458B391DF38CC56CBD1

Function 0269D6C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e63932f77c25f72e67a0f9a28bd882d600af5d4bb17e109510028a462abeabb
Instruction ID: c7a4a79b2815d7dee5662e83ce8363ea5cf527f685d18a071dd7b40ac6624948
Opcode Fuzzy Hash: 9e63932f77c25f72e67a0f9a28bd882d600af5d4bb17e109510028a462abeabb
Instruction Fuzzy Hash: C6211774D022088FDF08EFB1D850AEDB7B6BB89305F10A469C41577394CB799841CF64

Function 02695A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78798d8f64ab55a38825b2ad82baef284de30ae5e71b28782b12dc59c0c7ad0
Instruction ID: 27fd9b2afd01534e4ca8f5e1a88ff5e19b3a98020ebe3edbddc4ae3219d55dcc
Opcode Fuzzy Hash: f78798d8f64ab55a38825b2ad82baef284de30ae5e71b28782b12dc59c0c7ad0
Instruction Fuzzy Hash: 7011A1317016128FCB1A9A29C4A893EB7AABFC47617554579E907CB354DF30DC06CBD0

Function 02691F61 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642e329fe8bd685132f2763f7e26572eaa6108e63f21ecb30dfc46fec3fd577d
Instruction ID: a3b429092d76b7a52257432f26311cad49087590d77acbd339cdfe0ea1f7cb16
Opcode Fuzzy Hash: 642e329fe8bd685132f2763f7e26572eaa6108e63f21ecb30dfc46fec3fd577d
Instruction Fuzzy Hash: 0521EFB4C0124E8FCF44EFA8D8455EDBFF0BB4A300F1055AAD805B3214EB341A96CBA1

Function 02691F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8e63caa6c01e5bba179801363e0265a7a486c95e63d0d23c2b211646c4c22f
Instruction ID: 243b4e596d296d3b430cab87ea70f31309e1e00960c34b59d7408f402279107e
Opcode Fuzzy Hash: 5e8e63caa6c01e5bba179801363e0265a7a486c95e63d0d23c2b211646c4c22f
Instruction Fuzzy Hash: 29213570C0424A8FCF05EFA8C4945EDBFF0BF4A314F1451AAC405B7250EB305A85CBA2

Function 0240D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294302986.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_240d000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 8aa74393898c0a24463e48c7b6361bb44576344c130ae7403675d092473a836f
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 9511D376904284DFCB15CF50D9C4B16BF71FB84324F24C6AAD8090B756C33AE45ACBA1

Function 02695607 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befff1d50c9316740d5e2c1d9d32304a99e58aed19704a1ffbd48acada30d1e9
Instruction ID: fd545c876fb5d63cacfc1277ebbf4ea7913968a9ffc271fda85b85ab451fc1c0
Opcode Fuzzy Hash: befff1d50c9316740d5e2c1d9d32304a99e58aed19704a1ffbd48acada30d1e9
Instruction Fuzzy Hash: 8101C432A051156FDF568E659810AEF7FABDBC9650B28806AE509D7290CE718C52CBA0

Function 02692010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135d722671499a66a4050708ee96264743c685cfabf11bd0195b17b6d94f353d
Instruction ID: f69ed39eec1faf9e543fe092ca6afc964ad562af21688d860024996f9d5561fd
Opcode Fuzzy Hash: 135d722671499a66a4050708ee96264743c685cfabf11bd0195b17b6d94f353d
Instruction Fuzzy Hash: AAE06832C213D71ACF029370BC240EEBF34FED7214B084196D86037006EB60164ACB70

Function 02692020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfeba667f84cbaa4bdb79f7f71f0367eb44fac9bf8dc4f79ea5c60fc044c6ff
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 3bfeba667f84cbaa4bdb79f7f71f0367eb44fac9bf8dc4f79ea5c60fc044c6ff
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02698258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: edc8b7666d1b880fb5d82720d3c0c52ae6111b7330c9b2d1d2a25aeffb4344bc
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 2FC08C3320C2282AAA38108F7C80EB3BB8CC3C23F4A250137F91CE3300AC42AC8141F8

Function 0269A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40719a0a277514bc63c1b420b2c142cf70c8934870cf727d5af8e59336d0f9c
Instruction ID: 242223b22892a6f2c3beb7cc2bf566b0298e852ca0aae689b77362a5596a28ef
Opcode Fuzzy Hash: f40719a0a277514bc63c1b420b2c142cf70c8934870cf727d5af8e59336d0f9c
Instruction Fuzzy Hash: 60D0677BB511089FCF049F98E8409DDB7B6FB9C221B048526EA15E7260C6319961DB50

Function 02695EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997dcb8fbcb8a203bb5db19baf03c500f6b49e105b0516002c02e69432b43779
Instruction ID: fccf11f11b344d1b584123f5b55b778f57f0f61d6cbd9a69485a4818c434d295
Opcode Fuzzy Hash: 997dcb8fbcb8a203bb5db19baf03c500f6b49e105b0516002c02e69432b43779
Instruction Fuzzy Hash: 48D0C2304083C28BC75AE370F5A50583F32AA81204B4495DDE80449106DEFD084B8B51

Function 02695EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2294612294.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2690000_Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b219f0a9b0499fa8acf53a4c09ab19fdfbfd7b1d62ece01df830a4dd7e8ea1d
Instruction ID: 7754a8b36e22c9b3b31f4b6efb58715449ee2f647b1d1f9f3a536b55643a2104
Opcode Fuzzy Hash: 9b219f0a9b0499fa8acf53a4c09ab19fdfbfd7b1d62ece01df830a4dd7e8ea1d
Instruction Fuzzy Hash: 7CC0123150034A87D68DF775E9845193F6AA6C0300F40A968A20909119DFFC1C854691

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Details.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Details.exe

Function 05CC0007 Relevance: 3.3, Instructions: 3263
COMMON

Function 05CC0040 Relevance: 3.2, Instructions: 3242
COMMON

Function 050AB8A8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 0119A690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 050AA52C Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Function 050AC3CC Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Function 050A3EC0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 050AB580 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 050AB588 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0119CB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0119BDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 050AB4A9 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 050AB4B0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 0119A100 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre