Edit tour

Windows Analysis Report
j6OUc3S2uP.exe

Overview

General Information

Sample name:	j6OUc3S2uP.exe renamed because original name is a hash value
Original sample name:	ec7e4a2cfd34ceccca73309ac6862f233904b1ab888b7a903ee18ecaf0c65626.exe
Analysis ID:	1467013
MD5:	d662387f9f11b665b70d14c19177b058
SHA1:	3aa3745a01043cecec79b49a29cdfff60265d519
SHA256:	ec7e4a2cfd34ceccca73309ac6862f233904b1ab888b7a903ee18ecaf0c65626
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

j6OUc3S2uP.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\j6OUc3S2uP.exe" MD5: D662387F9F11B665B70D14C19177B058)

AddInProcess32.exe (PID: 1336 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cmd.exe (PID: 2144 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 2760 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

AddInProcess32.exe (PID: 2536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 1292 cmdline: C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "varlutnant@valleycountysar.org", "Password": "i~~Ga+6_-~V*", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x147e6:$a1: get_encryptedPassword 0x14ad2:$a2: get_encryptedUsername 0x145f2:$a3: get_timePasswordChanged 0x146ed:$a4: get_passwordField 0x147fc:$a5: set_encryptedPassword 0x15e20:$a7: get_logins 0x15d83:$a10: KeyLoggerEventArgs 0x15a1c:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c4:$x1: $%SMTPDV$ 0x1812a:$x2: $#TheHashHere%& 0x19721:$x3: %FTPDV$ 0x19815:$x4: $%TelegramDv$ 0x15a1c:$x5: KeyLoggerEventArgs 0x15d83:$x5: KeyLoggerEventArgs 0x19745:$m2: Clipboard Logs ID 0x19965:$m2: Screenshot Logs ID 0x19a75:$m2: keystroke Logs ID 0x19d4f:$m3: SnakePW 0x1993d:$m4: \SnakeKeylogger\
00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaa94e:$a1: get_encryptedPassword 0xcb396:$a1: get_encryptedPassword 0xaac3a:$a2: get_encryptedUsername 0xcb682:$a2: get_encryptedUsername 0xaa75a:$a3: get_timePasswordChanged 0xcb1a2:$a3: get_timePasswordChanged 0xaa855:$a4: get_passwordField 0xcb29d:$a4: get_passwordField 0xaa964:$a5: set_encryptedPassword 0xcb3ac:$a5: set_encryptedPassword 0xabf88:$a7: get_logins 0xcc9d0:$a7: get_logins 0xabeeb:$a10: KeyLoggerEventArgs 0xcc933:$a10: KeyLoggerEventArgs 0xabb84:$a11: KeyLoggerEventArgsEventHandler 0xcc5cc:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xae22c:$x1: $%SMTPDV$ 0xcec74:$x1: $%SMTPDV$ 0xae292:$x2: $#TheHashHere%& 0xcecda:$x2: $#TheHashHere%& 0xaf889:$x3: %FTPDV$ 0xd02d1:$x3: %FTPDV$ 0xaf97d:$x4: $%TelegramDv$ 0xd03c5:$x4: $%TelegramDv$ 0xabb84:$x5: KeyLoggerEventArgs 0xabeeb:$x5: KeyLoggerEventArgs 0xcc5cc:$x5: KeyLoggerEventArgs 0xcc933:$x5: KeyLoggerEventArgs 0xaf8ad:$m2: Clipboard Logs ID 0xafacd:$m2: Screenshot Logs ID 0xafbdd:$m2: keystroke Logs ID 0xd02f5:$m2: Clipboard Logs ID 0xd0515:$m2: Screenshot Logs ID 0xd0625:$m2: keystroke Logs ID 0xafeb7:$m3: SnakePW 0xd08ff:$m3: SnakePW 0xafaa5:$m4: \SnakeKeylogger\
00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: j6OUc3S2uP.exe PID: 5800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: j6OUc3S2uP.exe PID: 5800	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: j6OUc3S2uP.exe PID: 5800	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: j6OUc3S2uP.exe PID: 5800	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: j6OUc3S2uP.exe PID: 5800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b4d4:$a1: get_encryptedPassword 0x2b7b6:$a2: get_encryptedUsername 0x2b2ea:$a3: get_timePasswordChanged 0x2b3e5:$a4: get_passwordField 0x2b4ea:$a5: set_encryptedPassword 0x2d8dc:$a7: get_logins 0x2d83f:$a10: KeyLoggerEventArgs 0x2d4d8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: j6OUc3S2uP.exe PID: 5800	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2d4d8:$x5: KeyLoggerEventArgs 0x2d83f:$x5: KeyLoggerEventArgs 0x2e12d:$x5: KeyLoggerEventArgs 0x2e461:$x5: KeyLoggerEventArgs 0x2fa10:$m2: Clipboard Logs ID 0x2fb07:$m2: Screenshot Logs ID 0x2fb5d:$m2: keystroke Logs ID 0x2fc92:$m3: SnakePW 0x2faf3:$m4: \SnakeKeylogger\
Process Memory Space: AddInProcess32.exe PID: 1336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1336	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15f68:$a1: get_encryptedPassword 0x1624a:$a2: get_encryptedUsername 0x15d7e:$a3: get_timePasswordChanged 0x15e79:$a4: get_passwordField 0x15f7e:$a5: set_encryptedPassword 0x18370:$a7: get_logins 0x182d3:$a10: KeyLoggerEventArgs 0x17f6c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: AddInProcess32.exe PID: 1336	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17f6c:$x5: KeyLoggerEventArgs 0x182d3:$x5: KeyLoggerEventArgs 0x18bc1:$x5: KeyLoggerEventArgs 0x18ef5:$x5: KeyLoggerEventArgs 0x1a4a4:$m2: Clipboard Logs ID 0x1a59b:$m2: Screenshot Logs ID 0x1a5f1:$m2: keystroke Logs ID 0x1a726:$m3: SnakePW 0x1a587:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149e6:$a1: get_encryptedPassword 0x14cd2:$a2: get_encryptedUsername 0x147f2:$a3: get_timePasswordChanged 0x148ed:$a4: get_passwordField 0x149fc:$a5: set_encryptedPassword 0x16020:$a7: get_logins 0x15f83:$a10: KeyLoggerEventArgs 0x15c1c:$a11: KeyLoggerEventArgsEventHandler
2.2.AddInProcess32.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data
2.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1559c:$s1: UnHook 0x155a3:$s2: SetHook 0x155ab:$s3: CallNextHook 0x155b8:$s4: _hook
2.2.AddInProcess32.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x15c1c:$x5: KeyLoggerEventArgs 0x15f83:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID 0x19f4f:$m3: SnakePW 0x19b3d:$m4: \SnakeKeylogger\
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12be6:$a1: get_encryptedPassword 0x12ed2:$a2: get_encryptedUsername 0x129f2:$a3: get_timePasswordChanged 0x12aed:$a4: get_passwordField 0x12bfc:$a5: set_encryptedPassword 0x14220:$a7: get_logins 0x14183:$a10: KeyLoggerEventArgs 0x13e1c:$a11: KeyLoggerEventArgsEventHandler
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12be6:$a1: get_encryptedPassword 0x12ed2:$a2: get_encryptedUsername 0x129f2:$a3: get_timePasswordChanged 0x12aed:$a4: get_passwordField 0x12bfc:$a5: set_encryptedPassword 0x14220:$a7: get_logins 0x14183:$a10: KeyLoggerEventArgs 0x13e1c:$a11: KeyLoggerEventArgsEventHandler
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a51f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19751:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b84:$a4: \Orbitum\User Data\Default\Login Data 0x1abc3:$a5: \Kometa\User Data\Default\Login Data
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a51f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19751:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b84:$a4: \Orbitum\User Data\Default\Login Data 0x1abc3:$a5: \Kometa\User Data\Default\Login Data
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1379c:$s1: UnHook 0x137a3:$s2: SetHook 0x137ab:$s3: CallNextHook 0x137b8:$s4: _hook
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c4:$x1: $%SMTPDV$ 0x1652a:$x2: $#TheHashHere%& 0x17b21:$x3: %FTPDV$ 0x17c15:$x4: $%TelegramDv$ 0x13e1c:$x5: KeyLoggerEventArgs 0x14183:$x5: KeyLoggerEventArgs 0x17b45:$m2: Clipboard Logs ID 0x17d65:$m2: Screenshot Logs ID 0x17e75:$m2: keystroke Logs ID 0x1814f:$m3: SnakePW 0x17d3d:$m4: \SnakeKeylogger\
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1379c:$s1: UnHook 0x137a3:$s2: SetHook 0x137ab:$s3: CallNextHook 0x137b8:$s4: _hook
0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c4:$x1: $%SMTPDV$ 0x1652a:$x2: $#TheHashHere%& 0x17b21:$x3: %FTPDV$ 0x17c15:$x4: $%TelegramDv$ 0x13e1c:$x5: KeyLoggerEventArgs 0x14183:$x5: KeyLoggerEventArgs 0x17b45:$m2: Clipboard Logs ID 0x17d65:$m2: Screenshot Logs ID 0x17e75:$m2: keystroke Logs ID 0x1814f:$m3: SnakePW 0x17d3d:$m4: \SnakeKeylogger\
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149e6:$a1: get_encryptedPassword 0x14cd2:$a2: get_encryptedUsername 0x147f2:$a3: get_timePasswordChanged 0x148ed:$a4: get_passwordField 0x149fc:$a5: set_encryptedPassword 0x16020:$a7: get_logins 0x15f83:$a10: KeyLoggerEventArgs 0x15c1c:$a11: KeyLoggerEventArgsEventHandler
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1559c:$s1: UnHook 0x155a3:$s2: SetHook 0x155ab:$s3: CallNextHook 0x155b8:$s4: _hook
0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x15c1c:$x5: KeyLoggerEventArgs 0x15f83:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID 0x19f4f:$m3: SnakePW 0x19b3d:$m4: \SnakeKeylogger\
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149e6:$a1: get_encryptedPassword 0x3542e:$a1: get_encryptedPassword 0x14cd2:$a2: get_encryptedUsername 0x3571a:$a2: get_encryptedUsername 0x147f2:$a3: get_timePasswordChanged 0x3523a:$a3: get_timePasswordChanged 0x148ed:$a4: get_passwordField 0x35335:$a4: get_passwordField 0x149fc:$a5: set_encryptedPassword 0x35444:$a5: set_encryptedPassword 0x16020:$a7: get_logins 0x36a68:$a7: get_logins 0x15f83:$a10: KeyLoggerEventArgs 0x369cb:$a10: KeyLoggerEventArgs 0x15c1c:$a11: KeyLoggerEventArgsEventHandler 0x36664:$a11: KeyLoggerEventArgsEventHandler
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd67:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf99:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x3c3cc:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data 0x3d40b:$a5: \Kometa\User Data\Default\Login Data
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1559c:$s1: UnHook 0x35fe4:$s1: UnHook 0x155a3:$s2: SetHook 0x35feb:$s2: SetHook 0x155ab:$s3: CallNextHook 0x35ff3:$s3: CallNextHook 0x155b8:$s4: _hook 0x36000:$s4: _hook
0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x38d0c:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x38d72:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x3a369:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x3a45d:$x4: $%TelegramDv$ 0x15c1c:$x5: KeyLoggerEventArgs 0x15f83:$x5: KeyLoggerEventArgs 0x36664:$x5: KeyLoggerEventArgs 0x369cb:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID 0x3a38d:$m2: Clipboard Logs ID 0x3a5ad:$m2: Screenshot Logs ID 0x3a6bd:$m2: keystroke Logs ID 0x19f4f:$m3: SnakePW 0x3a997:$m3: SnakePW 0x19b3d:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "varlutnant@valleycountysar.org", "Password": "i~~Ga+6_-~V*", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: j6OUc3S2uP.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: j6OUc3S2uP.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: j6OUc3S2uP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbhT source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbn source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERBC43.tmp.dmp.6.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgP
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD3469BC90	0_2_00007FFD3469BC90
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD3469C071	0_2_00007FFD3469C071
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34691990	0_2_00007FFD34691990
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD3469418C	0_2_00007FFD3469418C
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34698730	0_2_00007FFD34698730
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD346A4BC9	0_2_00007FFD346A4BC9
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34693B79	0_2_00007FFD34693B79
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD3469B43A	0_2_00007FFD3469B43A
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34697928	0_2_00007FFD34697928
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD346A038F	0_2_00007FFD346A038F
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD346A4459	0_2_00007FFD346A4459
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD3469143D	0_2_00007FFD3469143D
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD346A4C22	0_2_00007FFD346A4C22
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34760402	0_2_00007FFD34760402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6B328	2_2_02A6B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6C190	2_2_02A6C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A66111	2_2_02A66111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6C753	2_2_02A6C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6C470	2_2_02A6C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A64AD9	2_2_02A64AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6CA33	2_2_02A6CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6BBD3	2_2_02A6BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A66880	2_2_02A66880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6BEB3	2_2_02A6BEB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A6B4F3	2_2_02A6B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02A63573	2_2_02A63573

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020

Source: j6OUc3S2uP.exe

Static PE information: No import functions for PE file found

Source: j6OUc3S2uP.exe, 00000000.00000002.2127964858.000001D21F5E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAqabukokuloveliqirolo0 vs j6OUc3S2uP.exe
Source: j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2312A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAqabukokuloveliqirolo0 vs j6OUc3S2uP.exe
Source: j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs j6OUc3S2uP.exe
Source: j6OUc3S2uP.exe, 00000000.00000000.2074587169.000001D21F272000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAzibixune@ vs j6OUc3S2uP.exe
Source: j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D23139C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAqabukokuloveliqirolo0 vs j6OUc3S2uP.exe
Source: j6OUc3S2uP.exe	Binary or memory string: OriginalFilenameAzibixune@ vs j6OUc3S2uP.exe

Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, --k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, --k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, --k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, --k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@11/6@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5800

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e8146d4f-eff0-4df8-9628-a4650c58c225

Jump to behavior

Source: j6OUc3S2uP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: j6OUc3S2uP.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

File read: C:\Users\user\Desktop\j6OUc3S2uP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\j6OUc3S2uP.exe "C:\Users\user\Desktop\j6OUc3S2uP.exe"
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: j6OUc3S2uP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: j6OUc3S2uP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: j6OUc3S2uP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbhT source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbn source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERBC43.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERBC43.tmp.dmp.6.dr

Source: j6OUc3S2uP.exe

Static PE information: 0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34760062 push esp; retf 4810h	0_2_00007FFD34760312
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34760479 push 00000004h; ret	0_2_00007FFD347604B9
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD347616C1 push 00000017h; ret	0_2_00007FFD347617B9
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Code function: 0_2_00007FFD34761779 push 00000017h; ret	0_2_00007FFD347617B9

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory allocated: 1D21F5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory allocated: 1D2390D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594546	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1845			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 8006			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928	Thread sleep count: 1845 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928	Thread sleep count: 8006 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599436s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -596137s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595311s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -594983s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3960	Thread sleep time: -594546s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594546	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000002.00000002.2225804965.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: j6OUc3S2uP.exe, 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: j6OUc3S2uP.exe, ---.cs	Reference to suspicious API methods: GetProcAddress(_061B_FBB4_FD41, _0610_FBCC_0613_FBCF_060B_FBBE_06DB)
Source: j6OUc3S2uP.exe, ---.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_06D8_FBD1_FD47_FDE3_FBBC_FDDD_06EC_061F.Length, 64u, out var _FBB5_FBC8)
Source: j6OUc3S2uP.exe, ---.cs	Reference to suspicious API methods: LoadLibrary(_FDD7_0607_0655(_FBCD_065B_06D4_FDCA._FDCA_FDE4_FD40_060A))

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A38008	Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe	Queries volume information: C:\Users\user\Desktop\j6OUc3S2uP.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\j6OUc3S2uP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR

Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23127f9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.j6OUc3S2uP.exe.1d23125ef68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j6OUc3S2uP.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
j6OUc3S2uP.exe	63%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
j6OUc3S2uP.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.orgP	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgP	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	j6OUc3S2uP.exe, 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2226314920.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467013
Start date and time:	2024-07-03 16:27:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	j6OUc3S2uP.exe renamed because original name is a hash value
Original Sample Name:	ec7e4a2cfd34ceccca73309ac6862f233904b1ab888b7a903ee18ecaf0c65626.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@11/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 86% Number of executed functions: 75 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AddInProcess32.exe, PID 1336 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: j6OUc3S2uP.exe

Simulations

Behavior and APIs

Time	Type	Description
10:27:56	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:27:56	API Interceptor	91x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	lista de cotizaciones.xlam.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	LAQ-PO088PDF.bat	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	9098393827383039.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/kqqj/
	SOA 020724.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/?Vn=Ydx4qJJ0n&3jJlx=2tWzkzncG4ra8DBegJJBToW7oB13AdJXZ1KkbDLW+Ah9MGsNEQDOdLre6u2t4zOJ63yLnsPJ97sPnqMxsSzbOxuABFq0Im2Ecm9EQ8GOdhogxDCvRrrALITlDFg7ZHNgcXHQPxMcHnGf
	Adjunto confirmacion de pedido.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	aAEsSBx24sxHhRz.exe	Get hash	malicious	FormBook	Browse	www.camperelektrikde.shop/dy13/?GdIHAFZ=8bNdgr3QvPw6/pDIZNt+55DvjzemDI0RO+pYD3qlulbIe6f7Sn3K06Z4F4Tg3hK83Y0/&BhU=5jl0ddZhNnYlOrV0
	http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12	Get hash	malicious	Unknown	Browse	sp.26skins.com/favicon.ico
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	Vg46FzGtNo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mHgyHEv5/download
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	7vwfhMuUQg.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IMG_0178520003023PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	whiteee.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	whiteee.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PM114079-990528.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	7vwfhMuUQg.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	project plan.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	IMG_0178520003023PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	payment.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	whiteee.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	whiteee.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	7vwfhMuUQg.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	project plan.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	lista de cotizaciones.xlam.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	oHchwlxMNG.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	CDMZxujRpn.elf	Get hash	malicious	Mirai	Browse	132.192.25.142
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	7vwfhMuUQg.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MUdeeReQ5R.exe	Get hash	malicious	FormBook	Browse	172.67.147.144
	q86onx3LvU.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.10.178
	Vertex Business Services_SKM_C950633210_650106.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	6Ek4nfs2y1.exe	Get hash	malicious	PhoenixKeylogger, PureLog Stealer	Browse	104.21.10.178
	9098393827383039.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	kZa81nzREg.exe	Get hash	malicious	AgentTesla	Browse	172.67.196.55
	q86onx3LvU.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.10.178
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	7vwfhMuUQg.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	kZa81nzREg.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	ptKNiAaGus.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	beK7HmoXro.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	IMG_0178520003023PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	fin.746.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_j6OUc3S2uP.exe_ec5336e1243d7bf75db30977b6a261e84eea9ad_ad983b20_5cee530d-8701-4278-8562-3cfde6cd09e4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.98719320412137
Encrypted:	false
SSDEEP:	192:e0sd+mT0UnU1aWh8UOzuiF5Z24lO8SKc:hdmAUnU1au8PzuiF5Y4lO8M
MD5:	EDACD9941FFDFD20E05EC53E7BCA1FE3
SHA1:	43BE449EED72610E372EF31C7F3EE453EC686595
SHA-256:	0938A8ADCFE3974B32F21090FB0859289332121C160E9E7F1F1953DC8A4BF43E
SHA-512:	22E4C68C371A9453962BFA80998C65328B920EC2CAC391BB9A58B2C65F3929DCCDCD92F9AB1F95A1129CAA523C3188D3D00FDDD0E7B918248F7B4345974CF9E3
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.9.0.4.7.3.6.5.7.3.4.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.9.0.4.7.4.2.3.5.4.5.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.e.e.5.3.0.d.-.8.7.0.1.-.4.2.7.8.-.8.5.6.2.-.3.c.f.d.e.6.c.d.0.9.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.b.3.4.0.b.e.-.b.a.3.c.-.4.8.0.e.-.b.7.7.7.-.c.1.4.5.e.d.c.d.7.5.9.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.j.6.O.U.c.3.S.2.u.P...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.z.i.b.i.x.u.n.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.a.8.-.0.0.0.1.-.0.0.1.5.-.e.2.5.8.-.9.f.2.f.5.5.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.1.4.b.3.6.2.c.4.2.8.2.0.e.5.a.a.f.1.4.a.f.2.9.1.1.b.7.6.1.d.0.0.0.0.0.0.0.0.!.0.0.0.0.3.a.a.3.7.4.5.a.0.1.0.4.3.c.e.c.e.c.7.9.b.4.9.a.2.9.c.d.f.f.f.6.0.2.6.5.d.5.1.9.!.j.6.O.U.c.3.S.2.u.P...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC43.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Jul 3 14:27:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	386195
Entropy (8bit):	3.278691226775555
Encrypted:	false
SSDEEP:	3072:jidttQP7+d1T1CCqF3+vcw4Od5L6cqMcS9g9gIk4Bny:jidttcQqF3QcwTd52cj9gx
MD5:	BDBE6DB06F153D57BFB310BF382D3D49
SHA1:	9705806D6C36C3266EEA8FEC0F4681B089389031
SHA-256:	4C9C5EF645D8925836B3E18CD74BA7E25A5C54A751E4DBA518F92EF3999EDD33
SHA-512:	CB1ACBC4D314C0A8C8BB4895C560B17F98D13F9D23533831F8F451E771106B032C6C3E1616C52B112FCD58A061C2537ED5F00E1FAF4A791937341E3C4F5B2C44
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........_.f....................................$...........0...........4E...s..........l.......8...........T............(...............6...........8..............................................................................eJ......p9......Lw......................T............_.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD9C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8604
Entropy (8bit):	3.7065111032866693
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2Cy6Y2DtRQLZFXugmfdLdprg89bs6pcfXSYm:R6lXJLy6YARQ/XugmfdL9s6CfC9
MD5:	EAA3C3DC0C0BE45FC9E66180EE5AE41C
SHA1:	B7F51B91DDC2ABF4F61EA00C5AF13B5E8CF7A76B
SHA-256:	0F0DE34309540E68C79E4A44A60985C9CA49EEE4EBED0739B39A00F275A4A196
SHA-512:	966537884812D742BA31528BA1A83FE8069575C2908360AFD7DBA8B68667F19A02830FD4E348049C24899ED2F087B43A8AD7146C0C973F292630F554CF3CE694
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDDB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	4.527883158121395
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg771I9RmWpW8VYIYm8M4JpdbdYSDFKyq851dOLl9uXChdtYodtSFd:uIjf9I7un7V4JpNuqO9OChzYozSFd
MD5:	2AB8A72917B639C61F6383288421588F
SHA1:	C9C277A8C3972C7466ECD20F390769D42D755A73
SHA-256:	BA5BE02BA2454D31349291633C471D57B79C9761D242F64933D2F39524EC988C
SHA-512:	C68EE49849D0EDA0B3E9A10D881393FD12ED7F08D172FD513EC21392D49BC2086A6B0CCB68F90157D87033BC292236DF1C3C482B4B7B1A835D16EF698567F3A1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394890" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468984494981576
Encrypted:	false
SSDEEP:	6144:ozZfpi6ceLPx9skLmb0ffZWSP3aJG8nAgeiJRMMhA2zX4WABluuNdjDH5S:+ZHtfZWOKnMM6bFpPj4
MD5:	2171AA049D5E02AA222F73EBBD3C52FE
SHA1:	D99A4FA565C5F92D627ECD32C559E956E31A327E
SHA-256:	8B8349B9A9C089C4D09E2AD9263D0FD9A6E5C2B3B24CD54730DDAA7F1F9D34A7
SHA-512:	D9B7B4781A9FA5CDC34DE6840673FFEE10E55C947CE4EBEA37ED2AF31DBD27E785260322F0E66A2869FADCE28373766D1B99AE078801AD9F87710F46A8EFB49A
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.k.0U...............................................................................................................................................................................................................................................................................................................................................E...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.298054666584365
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	j6OUc3S2uP.exe
File size:	983'001 bytes
MD5:	d662387f9f11b665b70d14c19177b058
SHA1:	3aa3745a01043cecec79b49a29cdfff60265d519
SHA256:	ec7e4a2cfd34ceccca73309ac6862f233904b1ab888b7a903ee18ecaf0c65626
SHA512:	3bea71cee5f1a9bb94b9b01d3394b18a4a6a1b3e3e267f3fb11d3a9fe418364294fd906043031a64f6017a6e8f8dd5dfc85a11588209dda668fc8517d47c3508
SSDEEP:	12288:o+WbFkpXD7n1FDoPNUCobwMtFTUhqxDd1XK8:o+4i3nnDAUCobwQ3h1V
TLSH:	82251250B98B6D83FE5A0432D9E078F165FE9E63B6F585AFCFD68E18900527DA050E30
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Y............"...0.D:............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5a28	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3a44	0x3c00	33a5de703d7da7e92e4605088fabb465	False	0.6321614583333334	data	6.106458819653683	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x8f4	0xa00	4988a2533468bd4c2924e268064d13ea	False	0.292578125	data	4.410476500252751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60b8	0x328	data			0.4962871287128713
RT_VERSION	0x63e0	0x328	data	English	United States	0.4975247524752475
RT_MANIFEST	0x6708	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:27:54.680623055 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:54.685636997 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:54.685754061 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:54.686101913 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:54.691657066 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:56.498684883 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:56.504717112 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:56.510543108 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:56.773188114 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:56.826502085 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:56.965706110 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:56.965774059 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:56.965873003 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:56.978285074 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:56.978319883 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.464049101 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.464134932 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.467638969 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.467658043 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.467942953 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.512106895 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.552515030 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.622929096 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.623014927 CEST	443	49713	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.623099089 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.629080057 CEST	49713	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.632159948 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:57.637104988 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:57.890364885 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:57.893491030 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.893544912 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.893624067 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.893882990 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:57.893898010 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:57.935801983 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.460987091 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:58.498735905 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:58.498832941 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:58.604918003 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:58.605004072 CEST	443	49716	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:58.605086088 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:58.605547905 CEST	49716	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:58.608649969 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.609724045 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.614547014 CEST	80	49710	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:58.614733934 CEST	49710	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.615782976 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:58.615854979 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.615983009 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:58.621171951 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:59.431138992 CEST	80	49717	132.226.8.169	192.168.2.6
Jul 3, 2024 16:27:59.433397055 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:59.433451891 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:59.433689117 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:59.439517021 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:59.439536095 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:59.482651949 CEST	49717	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:27:59.910398960 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:27:59.916441917 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:27:59.916495085 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:00.061551094 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:00.061659098 CEST	443	49718	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:00.061748981 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:00.062236071 CEST	49718	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:00.066421986 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:00.071468115 CEST	80	49719	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:00.071558952 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:00.071702003 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:00.076595068 CEST	80	49719	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:00.863605022 CEST	80	49719	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:00.864658117 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:00.864694118 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:00.864801884 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:00.864986897 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:00.865001917 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:00.904532909 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.330514908 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:01.332509995 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:01.332531929 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:01.473273993 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:01.473378897 CEST	443	49721	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:01.473596096 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:01.473942041 CEST	49721	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:01.476968050 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.478080034 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.483808041 CEST	80	49722	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:01.483916044 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.483973026 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.485541105 CEST	80	49719	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:01.485637903 CEST	49719	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:01.489017010 CEST	80	49722	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:02.277437925 CEST	80	49722	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:02.278755903 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.278808117 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.278899908 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.279093981 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.279110909 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.326421976 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.746546030 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.748106003 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.748136997 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.888115883 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.888223886 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:02.888344049 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.888842106 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:02.891690969 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.892680883 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.897188902 CEST	80	49722	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:02.897238016 CEST	49722	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.897505045 CEST	80	49724	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:02.897567034 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.897638083 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:02.902682066 CEST	80	49724	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:03.692728996 CEST	80	49724	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:03.693933010 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:03.693983078 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:03.694065094 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:03.694320917 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:03.694331884 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:03.748354912 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.240773916 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:04.242685080 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:04.242712975 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:04.389669895 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:04.389763117 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:04.389816046 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:04.390207052 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:04.393153906 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.394270897 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.398437023 CEST	80	49724	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:04.398493052 CEST	49724	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.399173021 CEST	80	49726	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:04.399230957 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.399297953 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:04.404093981 CEST	80	49726	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:05.315958023 CEST	80	49726	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:05.317342043 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:05.317389965 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:05.317476034 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:05.317724943 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:05.317744017 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:05.357722044 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:05.906047106 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:05.907962084 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:05.907984018 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:06.061378002 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:06.061474085 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:06.061738968 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:06.067466021 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:06.074454069 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:06.075216055 CEST	49728	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:06.080029011 CEST	80	49726	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:06.080091000 CEST	49726	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:06.080174923 CEST	80	49728	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:06.080295086 CEST	49728	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:06.080382109 CEST	49728	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:06.085210085 CEST	80	49728	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:06.869908094 CEST	80	49728	132.226.8.169	192.168.2.6
Jul 3, 2024 16:28:06.872245073 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:06.872301102 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:06.872416019 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:06.872723103 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:06.872735023 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:06.920315981 CEST	49728	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:07.369416952 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:07.371793985 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:07.371829987 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:07.515276909 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:07.515404940 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 3, 2024 16:28:07.515482903 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:07.516114950 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 3, 2024 16:28:07.871536016 CEST	49728	80	192.168.2.6	132.226.8.169
Jul 3, 2024 16:28:07.871603012 CEST	49717	80	192.168.2.6	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:27:54.668005943 CEST	63427	53	192.168.2.6	1.1.1.1
Jul 3, 2024 16:27:54.675436974 CEST	53	63427	1.1.1.1	192.168.2.6
Jul 3, 2024 16:27:56.941545010 CEST	56523	53	192.168.2.6	1.1.1.1
Jul 3, 2024 16:27:56.956187963 CEST	53	56523	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 16:27:54.668005943 CEST	192.168.2.6	1.1.1.1	0x72e0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:56.941545010 CEST	192.168.2.6	1.1.1.1	0xc1c7	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:54.675436974 CEST	1.1.1.1	192.168.2.6	0x72e0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:56.956187963 CEST	1.1.1.1	192.168.2.6	0xc1c7	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:56.956187963 CEST	1.1.1.1	192.168.2.6	0xc1c7	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:27:54.686101913 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:27:56.498684883 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:27:56.504717112 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 3, 2024 16:27:56.773188114 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:27:57.632159948 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 3, 2024 16:27:57.890364885 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:27:58.615983009 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 3, 2024 16:27:59.431138992 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:28:00.071702003 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:28:00.863605022 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:28:01.483973026 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:28:02.277437925 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:28:02.897638083 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:28:03.692728996 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49726	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:28:04.399297953 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:28:05.315958023 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49728	132.226.8.169	80	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:28:06.080382109 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 3, 2024 16:28:06.869908094 CEST	272	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:27:57 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-03 14:27:57 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29501 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EhWWUI842e8I21nFDD4rwdtZXweGRYcf2XqLDPA4KXWQITraA%2BEsOnhEi9ErEgJBUjKpY0foTtAE7cbL0lGtFIuRnhR7oLPz6DSN8QqWL3jghFcqF%2FREd8UkN97g3lQ4WnxDK%2FCt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f2cca61c32c-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:27:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:27:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:27:58 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-03 14:27:58 UTC	714	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:27:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29502 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tn1FwsZDkn2kX2EY0HgW1LPHe10pOYnrEfXamgKN25E0pDJsl7RWpzYMfmYEJ%2FnNFOftBGp6M3KNmdV%2FK%2B4Vg%2BEXGKikmB3jne4GwmzXU%2FIXQ1SbF%2BZYbnrwaEApEH%2FvhzHbxtoG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f32ec7217c1-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:27:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:27:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49718	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:27:59 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-03 14:28:00 UTC	714	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29504 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W6y0tJc66etB8LLzbpg7BGmGf%2Bgw5bI8eVp976LWLp9P%2F6x9Xzs0E0ipXF%2FsByhLMG88PvbvPIy0Cg%2BtASGzSMSY%2BrmjoJwWmdigAV%2FFw3Gh5DgttyP9O8hLc9%2FwgKS88uVHuhIN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f3c0c8f198e-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49721	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:28:01 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-03 14:28:01 UTC	714	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29505 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q4kHi%2BqKHOeKj2zlQktRDWqMKP1iQoQpzkX9%2BAlp1z3Beqy0qQ5%2FlrXGBFkPeR7q%2Bws57l7g9F%2Fc12GCKBV9W8Uufe4SfH858oVLm4CZYdfWrqP6uEFufPU4maiLxM%2B%2BAcE4ffkW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f44ce8642dc-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:28:02 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-03 14:28:02 UTC	712	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29506 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fGN2XsI3x0%2BxWUQ91gqAUKleJKtGBvnI3SBknqJB7ZDc8%2BPCZ3atmjq6kAhpAgwaZTefxzLX2En1aRLMT69t%2FeQFh7SQjUcJzywEn9%2BO4k7HGxJMneU%2Fo1%2BqsNOPRv4QmnjhRalu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f4dacab4246-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49725	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:28:04 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-03 14:28:04 UTC	708	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29508 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3V8doQ%2BMW4igw4hBEIsdrse3AQP871k3DZXB%2Bs0YVzEFwSqB3WhqaegWgHpLXZPM6D9DXIrjKQBR6C38FIZg7z0U%2BTVCnFqSbUu6nHkuVoeu%2BuSXdvhJIdyXvSbseJlXHZrAJQVB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f56f96c43e8-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49727	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:28:05 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-03 14:28:06 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29510 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zb54T3PxtRaemU%2Bh%2BXDaBkYN3%2B01dkaYM73WSAmTdI7BsQRmaFLEub%2F9EFriXA3mH0PCvwDjl0VvanGlmx4f9DBnLWwVTAdCsC8l5oYaHDFGmlr48%2FXMQt5JWxZ6uwst2OOMwW0V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f617ecd8c78-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:06 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49729	188.114.96.3	443	1336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:28:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-03 14:28:07 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:28:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29511 Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kjqquCi9z1Md3jDmOEjdhIC5TasOtAuvlxncZC8WSlQ3Vxr9RRESaC4jUPQ5VbncRQ%2FgcFiGRkBuSP%2FwdUkt5yXfukp%2BX4GdugcWkhbczDnXlRW7OBn%2Bgh%2FF2cvhvJhUtUQyaOvG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d78f6a984a7c94-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:28:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-03 14:28:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:27:51
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\j6OUc3S2uP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\j6OUc3S2uP.exe"
Imagebase:	0x1d21f270000
File size:	983'001 bytes
MD5 hash:	D662387F9F11B665B70D14C19177B058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2128853645.000001D2311C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2128243811.000001D22110B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:27:52
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x960000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2225393920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2226314920.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:27:52
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:27:53
Start date:	03/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020
Imagebase:	0x7ff604ed0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:28:06
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:28:06
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:28:06
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x2b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD3469418C Relevance: 5.5, Strings: 4, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K_H, xrefs: 00007FFD34694471
hKr4, xrefs: 00007FFD346942A4
fish, xrefs: 00007FFD346941E0
h]W4, xrefs: 00007FFD34694220

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: fish$hKr4$h]W4$K_H
API String ID: 0-3580322329
Opcode ID: 8921af5b5d2e0db190709568c73496f3a2fe3e7690aa554db427cabe5c81affa
Instruction ID: baabd70423ef55554b81fee32e8d6a1ac64b00c54d5e5b3600e2e6ad5faa509d
Opcode Fuzzy Hash: 8921af5b5d2e0db190709568c73496f3a2fe3e7690aa554db427cabe5c81affa
Instruction Fuzzy Hash: 93D13631B1CB5A4FE75DAF2888A51B577E1FF96310B04427EE58BC72D2DD18AC028781

Function 00007FFD3469B43A Relevance: 4.4, Strings: 3, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pu4, xrefs: 00007FFD3469B646
Pu4, xrefs: 00007FFD3469BADD
Pu4, xrefs: 00007FFD3469B603

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: Pu4$Pu4$Pu4
API String ID: 0-804084860
Opcode ID: 8ac297fc22a167d01c4e116307706179a9c28ade155740ffd7a0d8952d5f2785
Instruction ID: 08b39ce1f66d43104ee8b880a3186defe61bf94945afbec1a5ed4a4582a13d5f
Opcode Fuzzy Hash: 8ac297fc22a167d01c4e116307706179a9c28ade155740ffd7a0d8952d5f2785
Instruction Fuzzy Hash: A5226631B0CAAA4FE749DF2484A11F577E1FF86301B1445BED58AC72A6DE6CB846C381

Function 00007FFD34760402 Relevance: 2.9, Strings: 1, Instructions: 1648
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFD34760786

Memory Dump Source

Source File: 00000000.00000002.2130886858.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34760000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: e9aae695b3b41ccd360c2b86ce7f25cc2c4c9b4772a79b0657c2f234baddee7c
Instruction ID: 84b143313dce3fb5d15764b0d02c959ce72c1e764e830f83a212c0b293e8cfd3
Opcode Fuzzy Hash: e9aae695b3b41ccd360c2b86ce7f25cc2c4c9b4772a79b0657c2f234baddee7c
Instruction Fuzzy Hash: 67B22BB2A0E7C58FEB56DB2888A55A47BE1EF57310F0805FED589CB193DA1C7806C781

Function 00007FFD3469C071 Relevance: 2.7, Strings: 1, Instructions: 1459COMMON

Download Yara Rule

Strings

`}u4, xrefs: 00007FFD3469CB3F

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: `}u4
API String ID: 0-901229082
Opcode ID: 1c73510116bc3a0a873439b4900dce5825399588a1bfe02f3acbed662e140754
Instruction ID: b9145ae5b6edbad08dd91d8c5021f0e856aeb5ab15cf617d1c8cc348cd031657
Opcode Fuzzy Hash: 1c73510116bc3a0a873439b4900dce5825399588a1bfe02f3acbed662e140754
Instruction Fuzzy Hash: CFA2373160CB998FE759DF28C4A44F5B7E1FF87304B1445BED18AC72A6DA78A846C780

Function 00007FFD346A038F Relevance: 2.6, Strings: 1, Instructions: 1363COMMON

Download Yara Rule

Strings

t4, xrefs: 00007FFD346A0D6B

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: t4
API String ID: 0-1487776003
Opcode ID: e93a96f3ac7b401333458756946027b6df9c59eaf3d8f031b17ed5cad1e00d74
Instruction ID: 1b3ac096751f5ceb476fd432dcabab267971ceaf154213cb96177aad8efc735e
Opcode Fuzzy Hash: e93a96f3ac7b401333458756946027b6df9c59eaf3d8f031b17ed5cad1e00d74
Instruction Fuzzy Hash: DD726571A0DF6A4FE398DF2884A15F577E1FF96300B0445BED58AC7292DE28E846C781

Function 00007FFD34693B79 Relevance: 2.0, Strings: 1, Instructions: 702COMMON

Download Yara Rule

Strings

x61, xrefs: 00007FFD34693ED8

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: x61
API String ID: 0-1264169018
Opcode ID: e343df01f4dd50fa5aae74aff7d528e9b3cac27d54bbaee2435533ad955d489a
Instruction ID: 7cfcd2a3c879ed6934efea2b0487a8fb10bcd5916df71201115d7c3f08ba0efc
Opcode Fuzzy Hash: e343df01f4dd50fa5aae74aff7d528e9b3cac27d54bbaee2435533ad955d489a
Instruction Fuzzy Hash: DD126A31B0CA5A4FE7199E2898E51F977E1EFD6311F18417FD08AC31D2DE6C68869341

Function 00007FFD3469BC90 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD3469BE0E

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c1e50938995982dd19b028fd7b4b7afd7910c3d91450562b564a41c7a9d99c41
Instruction ID: ddc1d9563c6a5c7b3c823712be1a72c085cc486f57b6e911c0fec4563570f028
Opcode Fuzzy Hash: c1e50938995982dd19b028fd7b4b7afd7910c3d91450562b564a41c7a9d99c41
Instruction Fuzzy Hash: 4BD14731A0CB964FE318CF2984E11F577E2FFD6301B1446BEE5CAC72A1DA68E4069781

Function 00007FFD34698730 Relevance: 1.1, Instructions: 1073COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a15d595b06e05b5a9c8418f4ac65496f7194e14c16561520da3bc103406ac4
Instruction ID: e5e9bcfc18cd2d8c874a27a362247ce59a1103e19d865305fdbf3eeb88c63804
Opcode Fuzzy Hash: 07a15d595b06e05b5a9c8418f4ac65496f7194e14c16561520da3bc103406ac4
Instruction Fuzzy Hash: DC62B530708A194FDBA8EE2CD4A5AB977E1FF56301B1401BEE54EC7293DE68EC429741

Function 00007FFD34691990 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b24851f0548de77756d4cd874e60d494e2716e2fb60e34745534e8bd64b32a9
Instruction ID: dd8398f6228578f0c68d093627df039c36fd028342489d133ffa644b76a50374
Opcode Fuzzy Hash: 1b24851f0548de77756d4cd874e60d494e2716e2fb60e34745534e8bd64b32a9
Instruction Fuzzy Hash: 60120330B1CA2A8FEB58DE18C4E05F973A1FF96315B2441BDD54EC7196DA68B882D780

Function 00007FFD346A4BC9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c360a28ed34564b0940c2ec6c0536a6f2655544007218091133f53d16ea505bb
Instruction ID: 2957f7e66d52cb7bf458d57e6b8d4ab7370039ca5a4f176c56878e28713275c9
Opcode Fuzzy Hash: c360a28ed34564b0940c2ec6c0536a6f2655544007218091133f53d16ea505bb
Instruction Fuzzy Hash: 36416B7260D7490FD31E9A748C661B57BA5EB83320B15C2BFD0CAC71A7DD68A80783D2

Function 00007FFD346A4C22 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0b1dd61e828e6569dbd643aa32f02620857a1e78cad970aaed2a20b83c11ab
Instruction ID: d2851699579048896f28786ee5e91d97d598298c50b49ff92e9c2f525fed6824
Opcode Fuzzy Hash: 2c0b1dd61e828e6569dbd643aa32f02620857a1e78cad970aaed2a20b83c11ab
Instruction Fuzzy Hash: A6415B7160D7890FD31A9B348C651A67BA6EB83310B15C2BBD0CAC71E7DD38A90683D2

Function 00007FFD34760062 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD34760236

Memory Dump Source

Source File: 00000000.00000002.2130886858.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34760000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 1c11f3e8517d15379e8866762e6f6ad93a4a5c3b8032d6f7bce73e0462bdbe2b
Instruction ID: 451a51e53f0a20dfd1796c743baf31f3cc96939866ce43f70263e52e7c2e1a01
Opcode Fuzzy Hash: 1c11f3e8517d15379e8866762e6f6ad93a4a5c3b8032d6f7bce73e0462bdbe2b
Instruction Fuzzy Hash: 29D12771A0EBC58FEB56DB2888A15E47FA1EF53310F1805EBD189CB097DA2C7846C791

Function 00007FFD3469314A Relevance: 1.6, APIs: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34693221

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 74f0901ad251e69315c8de2db6ad2caeab09ad8dd34d96b7682368899c589ba7
Instruction ID: 49fe618fa9cba480de1ffdfe79be42470149d1e7909cb98a7a1dbe36ad47ae6e
Opcode Fuzzy Hash: 74f0901ad251e69315c8de2db6ad2caeab09ad8dd34d96b7682368899c589ba7
Instruction Fuzzy Hash: 70410A3190C7884FDB199BA898565E97FE1EF57321F0442AFD089C31E2CB686456C791

Function 00007FFD3469982D Relevance: 1.6, APIs: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD346A81D1

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f177ab8a4735e660ac86bbe65c1fb9318c38384fe8d3aa3cbd3ea4e312c06d4a
Instruction ID: 4946d8d9f66515a7d0f9c0c2fa174bd10426e5d5ba8b62c2881a9df89c022e0c
Opcode Fuzzy Hash: f177ab8a4735e660ac86bbe65c1fb9318c38384fe8d3aa3cbd3ea4e312c06d4a
Instruction Fuzzy Hash: C5312831A0CA5C4FDB18DF9DD8596F97BE1EB96321F00023FD04AD3252CB646846C791

Function 00007FFD347601A0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130886858.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34760000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bd977c8695779b2fdef122ca61700533e2d918e52a1be4e3f36725b113f02e
Instruction ID: 57e80f846fd7a136faff49c250d3204f870f0e355047406101bb16ca20c6995a
Opcode Fuzzy Hash: 54bd977c8695779b2fdef122ca61700533e2d918e52a1be4e3f36725b113f02e
Instruction Fuzzy Hash: 3161E971A09A898FDB59DF18C8E15A877E1FF66310F1405AEC14AC7196DB2CB845C780

Function 00007FFD3476110A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130886858.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34760000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb06f464898be59efcd6a0e97807291c436dc34891e0228c98c5673c7024730
Instruction ID: ddf1f10cbdc9c716dcd0d308f7c1dd83e2bee551e2793ca18f3c931faabcb0b7
Opcode Fuzzy Hash: 3eb06f464898be59efcd6a0e97807291c436dc34891e0228c98c5673c7024730
Instruction Fuzzy Hash: 56414B75A08A898FEB46DF18C8E50E87BE1FF56310B0401BED18AC7596CA2DBC41C7C0

Function 00007FFD34760A04 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130886858.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34760000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4262ecd337f5de9f648ee196588b27340d380db346343c4557eabe9c53bbe405
Instruction ID: e41ee8ec2076a8a75f52eeed5fb9edc9c72e54cf0cbff432ab8502d0098923ec
Opcode Fuzzy Hash: 4262ecd337f5de9f648ee196588b27340d380db346343c4557eabe9c53bbe405
Instruction Fuzzy Hash: 6DE01A30E146288EDF60DB48CC81BEAB3B1FF85300F0041E5D54DE3241CA306A84CF42

Non-executed Functions

Function 00007FFD346A4459 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFD346A44C6

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: ddf4f887f81649a5519ee1bccca78d885d3b99d950cd81a118be81a0c3a79f9e
Instruction ID: 859244106d8f337f8a892168d916d45f66cd3ac6719690da71d1a4dde8e45c2d
Opcode Fuzzy Hash: ddf4f887f81649a5519ee1bccca78d885d3b99d950cd81a118be81a0c3a79f9e
Instruction Fuzzy Hash: EB514C7260E7950FD35E9A7C5C560A17BE5EB8722070983BFD1C6CB2E7E9186C078391

Function 00007FFD34697928 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43256783d2a6fd52533c151d6ff3f959e4d2badb92cb0a200a7b8a4bd2fcad9f
Instruction ID: 32792442e6e7e2a72ad4a51cec06e268f595eb1f5c547e6f9df1fe597d19ec29
Opcode Fuzzy Hash: 43256783d2a6fd52533c151d6ff3f959e4d2badb92cb0a200a7b8a4bd2fcad9f
Instruction Fuzzy Hash: A3E1C661A0E7D64FE3569B3848B11A17FE0EF53210B1941FBC1D9C72E3DA5CA80AD751

Function 00007FFD3469143D Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130528492.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34690000_j6OUc3S2uP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e124dcc278364ccfab3fdc2aa3ce644808a1a6eb22cf680f5e0646dd4b0993d
Instruction ID: a9de2b688fced3aa4eda081e5eb3b4b75391d34739659a105f18747959e0a07c
Opcode Fuzzy Hash: 6e124dcc278364ccfab3fdc2aa3ce644808a1a6eb22cf680f5e0646dd4b0993d
Instruction Fuzzy Hash: 5B51EF60A5E3D24BF7579F7848B00F17FA09F03228B2945FAC1DACA0A3D98C6846D356

Analysis Process: AddInProcess32.exePID: 1336, Parent PID: 5800COMMON

Executed Functions

Function 02A66111 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2335ec66b8136b885ef3a02896408a1517aa4e6bd686e91063ed838d3e5dbfa
Instruction ID: 4bd18a7a2f96f26afac3c7061af1aa384fe9b4331f31ec29c1d0bf50fc9911fe
Opcode Fuzzy Hash: c2335ec66b8136b885ef3a02896408a1517aa4e6bd686e91063ed838d3e5dbfa
Instruction Fuzzy Hash: 9F128F70A002189FDB14DF69C988BAEBBFABF88704F148569E405DB395DF389D45CB90

Function 02A6B328 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b398ba0ae76ffe071ff37bc3e5da47ddf6e187919be1e90819e402adc4dbe52e
Instruction ID: e2ec6b8acabc7efc61012f344349c43ccb8ad79adedae99ad84a5aa5941fa0e2
Opcode Fuzzy Hash: b398ba0ae76ffe071ff37bc3e5da47ddf6e187919be1e90819e402adc4dbe52e
Instruction Fuzzy Hash: 52E1D975A00618CFDB14CFA9D988AADBBB1FF48314F158469E819EB361DB31E941CF60

Function 02A66880 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a157825c6b6ad82d52a6eae7a75ba22ebf8f99c0c2f7a726c67b84e6d448f11e
Instruction ID: d5f8200d2cd73490fcc05c351f0868135a6c93a7c11b9de9c74fdb258bcf118b
Opcode Fuzzy Hash: a157825c6b6ad82d52a6eae7a75ba22ebf8f99c0c2f7a726c67b84e6d448f11e
Instruction Fuzzy Hash: 01D14C71A00219DFCB15CFA9C988ABDBBBAFF88704F158165E805AB265DB35EC41CF50

Function 02A6C753 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07a55ac7748bca07574ad65832c8229db9a4251ca20d6f2277912f95ab6e8f7
Instruction ID: 862740989e620b637f695b86e3474b8d9deb64dbd8d6177941b123dd99b3e03c
Opcode Fuzzy Hash: e07a55ac7748bca07574ad65832c8229db9a4251ca20d6f2277912f95ab6e8f7
Instruction Fuzzy Hash: C981D675E00218DFDB14DFA9D988BADBBF2BF89310F14806AD449AB365DB709981CF10

Function 02A6BEB3 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fb21c84a8975e3bfa711e6c232f181a02eb1ccc1219e27e963cdce766adb40
Instruction ID: 1bf4b3a5b83964027b0eef94db49c4ae915435b4b0738c7855c7713fd4f3d010
Opcode Fuzzy Hash: a3fb21c84a8975e3bfa711e6c232f181a02eb1ccc1219e27e963cdce766adb40
Instruction Fuzzy Hash: 6481D574E00218DFDB14DFA9D988BADBBF2BF89310F14806AD419AB365DB709985CF10

Function 02A6C470 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb850a390256a043f6944ee7e82ff215b935b427eb2b76169492554ea92015b
Instruction ID: 3d8c2c8ccdf6477cde7f18d38f400ef3f7bf6a73cb2c1d0f08fa4bbce69adf41
Opcode Fuzzy Hash: 3eb850a390256a043f6944ee7e82ff215b935b427eb2b76169492554ea92015b
Instruction Fuzzy Hash: 7D81C774E00218CFDB54DFA9D988BADBBF2BF88310F14906AD459AB365DB709981CF10

Function 02A64AD9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4942354f9df813497383a31715bbcb60246bb2d25981573c5909427f94dab8
Instruction ID: 0d5e0ec88ed8ee77dc7105bdd44c94e8991eadd8d5a73247a1aaa9394e9730b0
Opcode Fuzzy Hash: 0e4942354f9df813497383a31715bbcb60246bb2d25981573c5909427f94dab8
Instruction Fuzzy Hash: FC81C574E00218DFDB58DFA9D984BADBBF2BF89300F148069D819AB365DB349985CF10

Function 02A6CA33 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee1935be31108e49a3f28abef7a0f487a182a1b67b2049ab273e09e68882b1f
Instruction ID: cd0824b9874fa0677c633a14ac13da615c43ea8904535413d9be14968a573795
Opcode Fuzzy Hash: 6ee1935be31108e49a3f28abef7a0f487a182a1b67b2049ab273e09e68882b1f
Instruction Fuzzy Hash: 1181B674E00218DFDB14DFA9D988AADBBF2BF88310F14806AD559AB365DB749941CF10

Function 02A6C190 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ac02e08cdec6ad801aa57ce74fb207eb75fb3237b6d0b713268dd72a00880e
Instruction ID: ca0afe812f09dab68d2c225e6118bb6991afed2bd575e42fd71591390a8930d9
Opcode Fuzzy Hash: 46ac02e08cdec6ad801aa57ce74fb207eb75fb3237b6d0b713268dd72a00880e
Instruction Fuzzy Hash: FE81C674E00218DFDB14DFA9D988AADFBF2BF89310F14806AD459AB365DB749981CF10

Function 02A6BBD3 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f42956c69a7bd56cc4905af1710e1ead14111c0c26ff6e0e02c67744c57c9a
Instruction ID: d61f75edb96b163e53ff3f89e523ff31fd0cf53ec0f45a474358e4064c596730
Opcode Fuzzy Hash: c8f42956c69a7bd56cc4905af1710e1ead14111c0c26ff6e0e02c67744c57c9a
Instruction Fuzzy Hash: 7C81C374E00218DFDB18DFA9D988AADBBF2BF89304F148469D409BB365DB309981CF10

Function 02A6B4F3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a65af102461164b1eb6a28d254ce0e548a44c9747a979d64f654c3cfb1384b
Instruction ID: d1edb0e87a88bc8a873f7e50f544ec56a2372ad78fa3915bd77d5246178fb149
Opcode Fuzzy Hash: 35a65af102461164b1eb6a28d254ce0e548a44c9747a979d64f654c3cfb1384b
Instruction Fuzzy Hash: 7D61C174E00608DFDB18DFAAD984AADBBF2BF89304F148569E419AB365EB345941CF10

Function 02A6215C Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25879240572d905add469c5730311cb45e8f30a15ef012463ec50317e0245f17
Instruction ID: bdc2f4816ec7ed41ce56ac4ea1c4b8973a498e1949b401198a35191c488c6f1e
Opcode Fuzzy Hash: 25879240572d905add469c5730311cb45e8f30a15ef012463ec50317e0245f17
Instruction Fuzzy Hash: 5A32FC5B8442890FFB760BB406DFBA5BF72EE4613475586ADCCC053D0ADE11998FAB02

Function 02A677F0 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0af689534df673b6856c5cbafa29974fa1f8809a78fcc0e0b25f3218598959
Instruction ID: 8a57df9cf72aea97f78a648f300ad133217f8804a6178c2f1368e19f82df51f8
Opcode Fuzzy Hash: 4d0af689534df673b6856c5cbafa29974fa1f8809a78fcc0e0b25f3218598959
Instruction Fuzzy Hash: D9521F74A00219CFEB149BE4C864BAEBB76FF84300F1081A9D21A6B395DF359E85DF51

Function 02A69540 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78a7bf15fcc428c0c84a7734de45d6b0426b70f6913afd9b0e81f506ccb6a02
Instruction ID: 380df40d199b320bf640f7465b6c488a9ff22ed66d165991c14f1ccfeed9a345
Opcode Fuzzy Hash: b78a7bf15fcc428c0c84a7734de45d6b0426b70f6913afd9b0e81f506ccb6a02
Instruction Fuzzy Hash: 6422A274A0024ACFCB15CF69C888ABEBBF6FF88304F15856AD405DB251DB35E956CB90

Function 02A66E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5310c3d371676b5ac4aa5bad29b6836bf24f61dcc86549d1eb9421925728b0f4
Instruction ID: 8cb1edc0b931cebb0abfe8ea5d79e3159d8279dd5a6760e0a3f906ce48e953ce
Opcode Fuzzy Hash: 5310c3d371676b5ac4aa5bad29b6836bf24f61dcc86549d1eb9421925728b0f4
Instruction Fuzzy Hash: 73123A30A10209DFCB14DF69D988AAEBBF6FF88718F158599E9059B261DB30ED41CB50

Function 02A69C41 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c8f798d3e647b54a5d1525e108576cb7894ce77894a2bc0ee87557d85f0c78
Instruction ID: 3958ceeb8b694b863121c2e53c5750b88479c5ca9e0eea3e11cc4eaea208902e
Opcode Fuzzy Hash: 21c8f798d3e647b54a5d1525e108576cb7894ce77894a2bc0ee87557d85f0c78
Instruction Fuzzy Hash: C5125131A00209DFCB15DF68C988A7EB7F2FF88314F168555E406AB296DB34ED85CB51

Function 02A6A818 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebe822c544dfb57a9a8da126330905389afaa9acaed2a37be283fde67f3e342
Instruction ID: 01c7052468a0918185496a31ded881f52895134f168acdf17701014c29aad182
Opcode Fuzzy Hash: 0ebe822c544dfb57a9a8da126330905389afaa9acaed2a37be283fde67f3e342
Instruction Fuzzy Hash: D1F12C75A006158FCB14CFADC988AADBBF2FF88714B1A8159E515EB362CB31EC41CB50

Function 02A60C93 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa054627c2176685fd08894643f6bf1144842f8772975daec0c5749cadf8fe8
Instruction ID: 8919ed3227022a7cae52da75c566f64698bf03a93c261fbe1fa6d64d0971c948
Opcode Fuzzy Hash: aaa054627c2176685fd08894643f6bf1144842f8772975daec0c5749cadf8fe8
Instruction Fuzzy Hash: 0422A174A1021ACFDB54EF64E894B9DBBB2FF88301F1096A9D409A7358DB706E85CF50

Function 02A60CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e27cb47bfb74bcad4c7e4822ebbc267218d4b1490ac4451c38d2fb180fcd8a6
Instruction ID: 2e69bdcbe3ade37d1f9d0605e375a63137bf69908e559789bae4ed248cf3b6a9
Opcode Fuzzy Hash: 8e27cb47bfb74bcad4c7e4822ebbc267218d4b1490ac4451c38d2fb180fcd8a6
Instruction Fuzzy Hash: E3229F74A1021ACFDB54EF64E894B9DBBB2FF88301F1096A9D409A7358DB706E85CF50

Function 02A687E9 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513aa7b95333dcceed261b5cb81aafb50adea37111d3a991c1ac58ac6b219d2b
Instruction ID: 79015e9840385de5989dad9c8447261c90c8e03d1ef0fe0e3f5a690ae51e44cf
Opcode Fuzzy Hash: 513aa7b95333dcceed261b5cb81aafb50adea37111d3a991c1ac58ac6b219d2b
Instruction Fuzzy Hash: F7B14DB07501028FDB259B2DC99CB3D36AEEF85644F15446AE602CB3A1EF6DCC4AC742

Function 02A656A8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84161ae80a2ed7b11c38454189b67686c796244fdf37a04826e9534c7b9cb59b
Instruction ID: 7c937c3a8e41dd7989e87379793c7b858bd27c6587b9f58e3fcc335ec894a976
Opcode Fuzzy Hash: 84161ae80a2ed7b11c38454189b67686c796244fdf37a04826e9534c7b9cb59b
Instruction Fuzzy Hash: DC91BD31B04214CFDB259F68C898B3E7BE2BBC8304F598969E4068B391DF759C05DBA1

Function 02A65C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6049ac3126cfee8d2b082a76c98200acb0240d9d602c015e55e77d6da7a16103
Instruction ID: 3c6e1570a93008824ba0e21373de152b2096071333583c44cf7d73d1a3484017
Opcode Fuzzy Hash: 6049ac3126cfee8d2b082a76c98200acb0240d9d602c015e55e77d6da7a16103
Instruction Fuzzy Hash: 24813A35E00605DFCB14DFA9C88CABAB7B2BF89214B958169D405DB3A5DF31E841CF91

Function 02A69170 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2f8efc18958686291f237e9cdb71ae409c89fb85498181c274cb741ead4e49
Instruction ID: cc4eef23b747cb849cd1d7950437f496d7f4a970a23125a41a4788edbe965137
Opcode Fuzzy Hash: ae2f8efc18958686291f237e9cdb71ae409c89fb85498181c274cb741ead4e49
Instruction Fuzzy Hash: 25810331900606DFC710CF68C888ABBF7B5FF85324F55866AD85887355DB31E916CBA0

Function 02A67438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53846753cbd2fd61cfdc54452a49b841883f7b637111383aee6d488b75b67838
Instruction ID: 9e2b203b70cd46159750ce7039a0e0f4259509f081dd6bcc216193f64a9b8cc2
Opcode Fuzzy Hash: 53846753cbd2fd61cfdc54452a49b841883f7b637111383aee6d488b75b67838
Instruction Fuzzy Hash: CA71F6347202458FCB15DF28C898ABABBE6EF49618F1540A9E806CB3B1DF74DC51CB91

Function 02A69530 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a40b838381288eab301301e59285f4766090247f17ecc983d596240d9eae3f
Instruction ID: 7c75b66cb7d1c0867be55481435665483da0bcbcfcfe0bc8c241e35ebe6798d1
Opcode Fuzzy Hash: 24a40b838381288eab301301e59285f4766090247f17ecc983d596240d9eae3f
Instruction Fuzzy Hash: 5F519E74B042468FDB14DF69C998ABFB7BAAF88300F148869E502DB355DF39D8458B90

Function 02A6CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0887dd44e6589b8356bfd4520e148a76c6f5d970ee80f17204c0f82aef1a1e
Instruction ID: 442972b1282a63f7971cefe0fd04c8c71d906ae1e97bf0f31034b3ba91cc73bb
Opcode Fuzzy Hash: 6b0887dd44e6589b8356bfd4520e148a76c6f5d970ee80f17204c0f82aef1a1e
Instruction Fuzzy Hash: A451C3708B17478FD3242F20E6AC22A7BB5FB2F7277566E04B00F81025CFB054A9DA52

Function 02A6CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb14367d3c539aa0cdf479ca3a3625cdc5a6872c163b0b82171053a212c11478
Instruction ID: 7bf9c04157a5a79c8d2680cc22b77ab2db39a17d1595a5125473691a1154ccb4
Opcode Fuzzy Hash: fb14367d3c539aa0cdf479ca3a3625cdc5a6872c163b0b82171053a212c11478
Instruction Fuzzy Hash: 4851A0748B1707CFD3642F20E6AC22A7BB5FB2F7277566E00B10F810258FB054A9DA52

Function 02A6CD10 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57583f157f6739d8d8db4482a1281423fd2f37903dabeef5bcc623e134151a48
Instruction ID: d7c60ecaef1ff958c54e65c8779085140b5561e2d080682c142d73f836c47647
Opcode Fuzzy Hash: 57583f157f6739d8d8db4482a1281423fd2f37903dabeef5bcc623e134151a48
Instruction Fuzzy Hash: FE51A474E01208DFDB44DFA9D9849DDBBF2BF89300F24816AE819AB365DB30A945CF50

Function 02A63908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33b88856e5ecb5dabb23ab5281e126fa6eec08038f06b37f8a367a28b298557
Instruction ID: 6d656ecee5eabbdde1d34d0067023c81040e01e5d0c2e7ce91d89d408cde7b8c
Opcode Fuzzy Hash: c33b88856e5ecb5dabb23ab5281e126fa6eec08038f06b37f8a367a28b298557
Instruction Fuzzy Hash: 0B518274E01248CFCB48DFA9D59499DBBF6FF89300B209469E809AB364DB35AD46CF50

Function 02A69A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8706758d382f4d66c95bb5db17375e0a9b954d04f41bb049411c989d7f54688
Instruction ID: 5ebac2fd53163afb32626e0f1d1334ab59dca35400272ca85be7429850169df2
Opcode Fuzzy Hash: b8706758d382f4d66c95bb5db17375e0a9b954d04f41bb049411c989d7f54688
Instruction Fuzzy Hash: 4041E331A0024ADFCF11CFA8C888BAEBBF2FF49314F008555E815AB295DB35E915CB90

Function 02A63428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff45e1e3b4d9829226daed7f2f9506b8acf7a0242baf668ac974860c39d0d07c
Instruction ID: 9ef288b9aabdeb12758455c98c51c49c09ead48d83e081d51f0833a27f2bd660
Opcode Fuzzy Hash: ff45e1e3b4d9829226daed7f2f9506b8acf7a0242baf668ac974860c39d0d07c
Instruction Fuzzy Hash: BA31F531B003248BDF194AAA49DC37EB5EAABC4A11F1445BDD916C3784DFB4CC4687A1

Function 02A66730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9997e72550a69efe04fb56e928bb6493240f98450ad9159100036176c0f8c225
Instruction ID: f33f9bb7d93cf41d31a5783bfaec678b279bf4fe5b6f2b2db32feb307001ca62
Opcode Fuzzy Hash: 9997e72550a69efe04fb56e928bb6493240f98450ad9159100036176c0f8c225
Instruction Fuzzy Hash: 70418E31A00208DFDB14DF64C848BBABBFAEB84704F05842AE41597251DB79DD55DF91

Function 02A6A1F8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845493baf8d893efbe5fd00cca8ed51747d678194a40b9177338b19644f31437
Instruction ID: 92afba3934e829aa5425ab8c2f0ed0e99ba98db736b28cac73ec597914ddaf5e
Opcode Fuzzy Hash: 845493baf8d893efbe5fd00cca8ed51747d678194a40b9177338b19644f31437
Instruction Fuzzy Hash: 62414A756402058FCB15DF68D888B7EBBB5BB48310F150469E916DB3B2CB32DD94CBA0

Function 02A69390 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1dfe712fef4588e2a9fbc42d2709b0a405592504aa6ab1fd8c7a517973f973
Instruction ID: 61d0ac43f1666eb3591c7c63e57ba7ad2efc2000bb78235ebc6a1dd9fde0ef1a
Opcode Fuzzy Hash: 7a1dfe712fef4588e2a9fbc42d2709b0a405592504aa6ab1fd8c7a517973f973
Instruction Fuzzy Hash: E7314930A002568FDB01CF68C888B6F7BA6EB88314F54C566E908CB295EB71DD45CB51

Function 02A64DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa0b6774358c50299781ca2dae91b36386676fca79e8d1435ecae77f863be28
Instruction ID: 755b3a23854ce58c1fc1d94b0e252eeb4f4d8c6d1bd9ce3348b3d04e87c2f1f3
Opcode Fuzzy Hash: efa0b6774358c50299781ca2dae91b36386676fca79e8d1435ecae77f863be28
Instruction Fuzzy Hash: 7E3180716002199FCB259FA4D898BBF7BA2EB48300F104414F9158B250CF35DD69DFA0

Function 02A6A65B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b381347522a9f8d2768d81b7b5e0ee745e1f577574f3e6fa52a416bfdfb5e24
Instruction ID: ff66d6551021fa371a2b7e224293fdb63d68c2c693cc3c74f5cffc8e5434d1fb
Opcode Fuzzy Hash: 2b381347522a9f8d2768d81b7b5e0ee745e1f577574f3e6fa52a416bfdfb5e24
Instruction Fuzzy Hash: 6A31DE36B002049FCB18AB64D8687AE7BF3BFC8210F258429E506E7391CF349C15CBA0

Function 02A676E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adbd507039554b3767d81b9089f268809908f86ca7d59fdfc09246a0194a7b2
Instruction ID: 82b2dbacb825dbf1deb0d09e5b5e88cd19a9ed26afc81e17a5382d14bb4936fc
Opcode Fuzzy Hash: 7adbd507039554b3767d81b9089f268809908f86ca7d59fdfc09246a0194a7b2
Instruction Fuzzy Hash: 8E219D347202158BEB245B258C98B3EB69BEFC861CF144078D606CB798EF65CC86E380

Function 02A6A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c1d9260a01a06f23dfc919d3d232874ca599f8ce28683d6246da1e70138c13
Instruction ID: a97001b5a6289095715ff6945c28e7ccf2a0b5221de503fa164cca74e76d7e8e
Opcode Fuzzy Hash: 94c1d9260a01a06f23dfc919d3d232874ca599f8ce28683d6246da1e70138c13
Instruction Fuzzy Hash: C2316171F005058FCB04CF69C888AAEB7F6FF89354F268159E515A73A6CB349D52CB90

Function 02A62060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf6e679d8ffe76cc792949db31f9d70316a2c861390ac271fa72f372f2316cf
Instruction ID: 166c59e168e81c64914fb7e12062c1cf7abcf5870e32149c0d8100057c9fabeb
Opcode Fuzzy Hash: fcf6e679d8ffe76cc792949db31f9d70316a2c861390ac271fa72f372f2316cf
Instruction Fuzzy Hash: 6E21E035A002069FCB14DB24D884ABE77A5EB98350B51C459EC0A9B384DF31EE46CBD1

Function 00F6D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2225685426.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a4c9dd5e57fb0720cdea7c72015e96604dc6a2d1121ef9179abfbe9d65d8ee
Instruction ID: 3d468be36ca257270aea55a22590790f03370adad62c927885cd7aec9ea7f9f5
Opcode Fuzzy Hash: f8a4c9dd5e57fb0720cdea7c72015e96604dc6a2d1121ef9179abfbe9d65d8ee
Instruction Fuzzy Hash: AB212872A04244EFDB14DF14D9C0F26BF65FB94324F24C169D9090B256C736EC56DBA1

Function 02A65A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f9ce97b69efb555d060e8ed4f976a12e54ce2bd3923349cadaa4eae28940e5
Instruction ID: a4355f57efafb2c96cbcf74eac5049b3824a85a9a1d8f1fe1480ede1e865b36a
Opcode Fuzzy Hash: 67f9ce97b69efb555d060e8ed4f976a12e54ce2bd3923349cadaa4eae28940e5
Instruction Fuzzy Hash: 4321A131B01A228FC7299B25C89C63BB3A2FB887517554568E906DB354DF31DC06C7C0

Function 02A6D11F Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed4bc7b214ae1b64074368664d3f0377139cab2bc5c581d10238d627afe8a19
Instruction ID: 892536d33ed57547a408f6b9476e47912a86075e2616f6bd9a15d92e897b101f
Opcode Fuzzy Hash: 8ed4bc7b214ae1b64074368664d3f0377139cab2bc5c581d10238d627afe8a19
Instruction Fuzzy Hash: CB211431D11659DECB00EFE8E8446ECBBB0FF4A301F409625E918B7254EB706A99CB81

Function 02A64DBB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8216831457c6cad778d935c98e6930c8d0b0c823e8d0287800ef9d3796fea53
Instruction ID: 1630fd590863bb2e5c83634b9e6a87cd49379aaa261e0cd91a7d51b4c43dfd89
Opcode Fuzzy Hash: a8216831457c6cad778d935c98e6930c8d0b0c823e8d0287800ef9d3796fea53
Instruction Fuzzy Hash: 7721A271A04259DFDB25AFA4D888BBB7BA6EB48714F004428F9058B340CF38DD59DBE0

Function 02A6D218 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bca4d121f7236beb2f9dfc1e190a0fb38b43fd0f9675116fe4c08e95d362305
Instruction ID: 0251323ee44f89b58476373155d6eae1b260d1b04b8794a8572e226e9039d247
Opcode Fuzzy Hash: 6bca4d121f7236beb2f9dfc1e190a0fb38b43fd0f9675116fe4c08e95d362305
Instruction Fuzzy Hash: 5021F735A012089FDB08EFB4E950AEDB7B2FF89304F106469D416773A4CB359A85CF55

Function 02A68EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd8d42504e8d8f75ec42513f80f7b199786a6b6de13da971c935b351e28ea9e
Instruction ID: e6bec14aad6e2cc7e0c2d0c0b38e74b965176aeb1f6b8711f5d41a4b927cfaf4
Opcode Fuzzy Hash: ecd8d42504e8d8f75ec42513f80f7b199786a6b6de13da971c935b351e28ea9e
Instruction Fuzzy Hash: A1215770E00248DFDB15CFA5E594AEEBFBAAF48304F24806AE411F6290DB359A45DF60

Function 02A6D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5135585bfe99f21dbd187d4095ab764a468769f914f143e58ce292805f32e984
Instruction ID: 4ebc5edaf09c5ceaae623e523058e0745b40052e38b414d2dd13d32bb3180cf4
Opcode Fuzzy Hash: 5135585bfe99f21dbd187d4095ab764a468769f914f143e58ce292805f32e984
Instruction Fuzzy Hash: DC210334A012089BDB08EFB4E850AEEB7B2FB8A300F106429D40573394CB359E81CE64

Function 02A65B50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3aa91c2dfc16c9182ccd1a16285df2c536cad2e68a6e24592dc94b361f3712
Instruction ID: 22258de5d1d5b5ddea104cba62dfd013b9f49855abc7b5760b9a807429a1d069
Opcode Fuzzy Hash: cf3aa91c2dfc16c9182ccd1a16285df2c536cad2e68a6e24592dc94b361f3712
Instruction Fuzzy Hash: 2D1161B07002069FC344AB6AD498A2AB7E5FF89B54754447EE60ACB361EF71DC05C760

Function 00F6D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2225685426.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: ea4480c70c0d748cb35659d6445b508a6a97cf249957d22942bb4118f7ae4f9a
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: FA11E676904284DFCB15CF10D5C4B16BF71FB94324F24C6A9DC090B656C33AE856DBA1

Function 02A61F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96f366d3db4e1a9b65bdcbd5146b9d7eca56aeedad5fbde3cc609c8d18fde21
Instruction ID: 78ccd5eaeed083744d82bc3a1c278211f44e01fe79cdc2f7ff5b4e8b9660ba46
Opcode Fuzzy Hash: a96f366d3db4e1a9b65bdcbd5146b9d7eca56aeedad5fbde3cc609c8d18fde21
Instruction Fuzzy Hash: 232122B5C002098FCB11EFA8D8845EEBFB0BF49304F1542AAD805B7254EB316A85CBA1

Function 02A65607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248e1f250dfb4f7636731f24db215a5c3fbbb2fd092a701f0ab01d429f97369e
Instruction ID: 188a76da88a388f32e3d7c0a14caa433ad56dc9eb15353025257650e0c78f482
Opcode Fuzzy Hash: 248e1f250dfb4f7636731f24db215a5c3fbbb2fd092a701f0ab01d429f97369e
Instruction Fuzzy Hash: EE01F172A000146FCB029E69D804BBF3BABDFC8750F188029F905D7280CF36881ADBA0

Function 02A61F63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d69b6a0114a86251887323c45cb4a34f5bf7257d3c297f4e838ee2df2630e78
Instruction ID: ac9931f3b50be0e8c51cbe74b1fd95245626e02469ad7301f6afaf0373bc939a
Opcode Fuzzy Hash: 3d69b6a0114a86251887323c45cb4a34f5bf7257d3c297f4e838ee2df2630e78
Instruction Fuzzy Hash: 4D2126B4C1564A8FCB11DFA8D9545EEBFF0FF0A300F1446AAD805B7261EB301A95CBA1

Function 02A694B9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662bf255fc67c6caab8483277a819d5c93407b96098e5051e35fd06ad8cac183
Instruction ID: ca2b78f6b36fc75796481dc5b3b69b3011cd647bccd4e9381c0067ae6ff61acd
Opcode Fuzzy Hash: 662bf255fc67c6caab8483277a819d5c93407b96098e5051e35fd06ad8cac183
Instruction Fuzzy Hash: AFF0C8353011046FDB181AA9989497F7B9FEFCC3E0B084529BA09C7340DF75CC0457A1

Function 02A62020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c30edb4de209973dea31d2e1fbcb749d240af632f1a42ed225cf4c1ca43e7c4
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 1c30edb4de209973dea31d2e1fbcb749d240af632f1a42ed225cf4c1ca43e7c4
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02A6201B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e806bd660aaa1e67fc9f25de9558196dd79330b96dfde048c31728dbcc5269e
Instruction ID: 506c26400ee68711c949eeac704a7004a99886184ce458a4561e2e7a85db2629
Opcode Fuzzy Hash: 8e806bd660aaa1e67fc9f25de9558196dd79330b96dfde048c31728dbcc5269e
Instruction Fuzzy Hash: 63E0C231D2026786CB01ABA0B8444EEFB34AED6220B54466AE92032040EB30165ACAA0

Function 02A68258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0063cb145b7fb0f19c796f9e62f474d957c80b1bc8598e430e24e02f2c64de88
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 59C08C7320C1282EA635108F7C88EB3BB8CC7C13F4A290177FA2CE3200AE469C8441F9

Function 02A6A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a20abbb9191cfba7cb608f106afae96cdd479acc2716641d622d8c87e8a46f
Instruction ID: ab31d3ad39ed22500c073213983d5916c12acdfa09b816c774c16df6b2494d1d
Opcode Fuzzy Hash: 53a20abbb9191cfba7cb608f106afae96cdd479acc2716641d622d8c87e8a46f
Instruction Fuzzy Hash: 46D0677BB511089FCB14DF98E8409DDB7B6FB9C221B048526E915A3260C6319925DB50

Function 02A65EAB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9623be4f7c8e4fe63a27c2402f2566798f0b4361aed212dd2e3b754cf14d045
Instruction ID: 5b8da2c85df169baef4c3552a180c2dcc635ab8f7b25431d087b884375b990c3
Opcode Fuzzy Hash: d9623be4f7c8e4fe63a27c2402f2566798f0b4361aed212dd2e3b754cf14d045
Instruction Fuzzy Hash: 34D0A730950306CBD204F735EF057153755E7C0301F406A28F1059A105DFBE2D8A4791

Function 02A65EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2226108835.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a77be7e9a3076f517f2a8ca042e29dae49effb863fe48431292259e0a1546b5
Instruction ID: fa17ceb14282adc79a8b25b0d96dd14fa57a7ef6139a055dd6a9d8563f20b5d9
Opcode Fuzzy Hash: 3a77be7e9a3076f517f2a8ca042e29dae49effb863fe48431292259e0a1546b5
Instruction Fuzzy Hash: 63C0123051030AC7D509F775EF457153B5AA7C0300F406A18B10959119DFFC2DC95691

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report j6OUc3S2uP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_j6OUc3S2uP.exe_ec5336e1243d7bf75db30977b6a261e84eea9ad_ad983b20_5cee530d-8701-4278-8562-3cfde6cd09e4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC43.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD9C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDDB.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
j6OUc3S2uP.exe

Function 00007FFD3469418C Relevance: 5.5, Strings: 4, Instructions: 464
COMMON

Function 00007FFD3469B43A Relevance: 4.4, Strings: 3, Instructions: 665
COMMON

Function 00007FFD34760402 Relevance: 2.9, Strings: 1, Instructions: 1648
COMMON