Edit tour

Windows Analysis Report
z1MRforsteamDRUM-A1_pdf.exe

Overview

General Information

Sample name:	z1MRforsteamDRUM-A1_pdf.exe
Analysis ID:	1545084
MD5:	aaa6233ad5bf1fa876ad708b2af4d7d5
SHA1:	caa797aaac80a8c807e8e152f280188b8b4e8819
SHA256:	13d4f8ebe986653a6512cace310b4927b694a5127036d85c2d1c8840634537e4
Tags:	exeRedLineStealeruser-Porcupine
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z1MRforsteamDRUM-A1_pdf.exe (PID: 3336 cmdline: "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe" MD5: AAA6233AD5BF1FA876AD708B2AF4D7D5)

RegSvcs.exe (PID: 2476 cmdline: "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7498931539:AAE8KHb70FueL6YmOOF6rhS3Z3o-F1rx6_A/sendMessage?chat_id=1178171552", "Token": "7498931539:AAE8KHb70FueL6YmOOF6rhS3Z3o-F1rx6_A", "Chat_id": "1178171552", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6532f:$a1: get_encryptedPassword 0x65303:$a2: get_encryptedUsername 0x653c7:$a3: get_timePasswordChanged 0x652df:$a4: get_passwordField 0x65345:$a5: set_encryptedPassword 0x65112:$a7: get_logins 0x61785:$a10: KeyLoggerEventArgs 0x61754:$a11: KeyLoggerEventArgsEventHandler 0x651e6:$a13: _encryptedPassword
00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68586:$x1: $%SMTPDV$ 0x66f6a:$x2: $#TheHashHere%& 0x6852e:$x3: %FTPDV$ 0x66f0a:$x4: $%TelegramDv$ 0x61754:$x5: KeyLoggerEventArgs 0x61785:$x5: KeyLoggerEventArgs 0x68552:$m2: Clipboard Logs ID 0x68790:$m2: Screenshot Logs ID 0x688a0:$m2: keystroke Logs ID 0x68b7a:$m3: SnakePW 0x68768:$m4: \SnakeKeylogger\
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x252c9:$a1: get_encryptedPassword 0x2529d:$a2: get_encryptedUsername 0x25361:$a3: get_timePasswordChanged 0x25279:$a4: get_passwordField 0x252df:$a5: set_encryptedPassword 0x250ac:$a7: get_logins 0x2171f:$a10: KeyLoggerEventArgs 0x216ee:$a11: KeyLoggerEventArgsEventHandler 0x25180:$a13: _encryptedPassword
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2aeda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a10b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a53e:$a4: \Orbitum\User Data\Default\Login Data 0x2b57f:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23b8a:$s1: UnHook 0x23b26:$s2: SetHook 0x23b5f:$s3: CallNextHook 0x23aee:$s4: _hook
00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28520:$x1: $%SMTPDV$ 0x26f04:$x2: $#TheHashHere%& 0x284c8:$x3: %FTPDV$ 0x26ea4:$x4: $%TelegramDv$ 0x216ee:$x5: KeyLoggerEventArgs 0x2171f:$x5: KeyLoggerEventArgs 0x284ec:$m2: Clipboard Logs ID 0x2872a:$m2: Screenshot Logs ID 0x2883a:$m2: keystroke Logs ID 0x28b14:$m3: SnakePW 0x28702:$m4: \SnakeKeylogger\
00000004.00000002.2926733076.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29839:$a1: get_encryptedPassword 0x5cd71:$a1: get_encryptedPassword 0x2980d:$a2: get_encryptedUsername 0x5cd45:$a2: get_encryptedUsername 0x298d1:$a3: get_timePasswordChanged 0x5ce09:$a3: get_timePasswordChanged 0x297e9:$a4: get_passwordField 0x5cd21:$a4: get_passwordField 0x2984f:$a5: set_encryptedPassword 0x5cd87:$a5: set_encryptedPassword 0x2961c:$a7: get_logins 0x5cb54:$a7: get_logins 0x25c8f:$a10: KeyLoggerEventArgs 0x591c7:$a10: KeyLoggerEventArgs 0x25c5e:$a11: KeyLoggerEventArgsEventHandler 0x59196:$a11: KeyLoggerEventArgsEventHandler 0x296f0:$a13: _encryptedPassword 0x5cc28:$a13: _encryptedPassword
00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2ca90:$x1: $%SMTPDV$ 0x5ffc8:$x1: $%SMTPDV$ 0x2b474:$x2: $#TheHashHere%& 0x5e9ac:$x2: $#TheHashHere%& 0x2ca38:$x3: %FTPDV$ 0x5ff70:$x3: %FTPDV$ 0x2b414:$x4: $%TelegramDv$ 0x5e94c:$x4: $%TelegramDv$ 0x25c5e:$x5: KeyLoggerEventArgs 0x25c8f:$x5: KeyLoggerEventArgs 0x59196:$x5: KeyLoggerEventArgs 0x591c7:$x5: KeyLoggerEventArgs 0x2ca5c:$m2: Clipboard Logs ID 0x2cc9a:$m2: Screenshot Logs ID 0x2cdaa:$m2: keystroke Logs ID 0x5ff94:$m2: Clipboard Logs ID 0x601d2:$m2: Screenshot Logs ID 0x602e2:$m2: keystroke Logs ID 0x2d084:$m3: SnakePW 0x605bc:$m3: SnakePW 0x2cc72:$m4: \SnakeKeylogger\
00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x22c3e:$s2: SetHook 0x22c77:$s3: CallNextHook 0x22c06:$s4: _hook
00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfaa8:$a1: get_encryptedPassword 0x39a06:$a1: get_encryptedPassword 0x5b8c3:$a1: get_encryptedPassword 0x7ec69:$a1: get_encryptedPassword 0xfa7c:$a2: get_encryptedUsername 0x399da:$a2: get_encryptedUsername 0x5b897:$a2: get_encryptedUsername 0x7ec3d:$a2: get_encryptedUsername 0xfb40:$a3: get_timePasswordChanged 0x39a9e:$a3: get_timePasswordChanged 0x5b95b:$a3: get_timePasswordChanged 0x7ed01:$a3: get_timePasswordChanged 0xfa58:$a4: get_passwordField 0x399b6:$a4: get_passwordField 0x5b873:$a4: get_passwordField 0x7ec19:$a4: get_passwordField 0xfabe:$a5: set_encryptedPassword 0x39a1c:$a5: set_encryptedPassword 0x5b8d9:$a5: set_encryptedPassword 0x7ec7f:$a5: set_encryptedPassword 0xf894:$a7: get_logins
Process Memory Space: RegSvcs.exe PID: 2476	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xbdd2:$x5: KeyLoggerEventArgs 0xbe03:$x5: KeyLoggerEventArgs 0xbe43:$x5: KeyLoggerEventArgs 0xbe72:$x5: KeyLoggerEventArgs 0x35d30:$x5: KeyLoggerEventArgs 0x35d61:$x5: KeyLoggerEventArgs 0x35da1:$x5: KeyLoggerEventArgs 0x35dd0:$x5: KeyLoggerEventArgs 0x57bed:$x5: KeyLoggerEventArgs 0x57c1e:$x5: KeyLoggerEventArgs 0x57c5e:$x5: KeyLoggerEventArgs 0x57c8d:$x5: KeyLoggerEventArgs 0x7ae6e:$x5: KeyLoggerEventArgs 0x7ae9f:$x5: KeyLoggerEventArgs 0x7aedf:$x5: KeyLoggerEventArgs 0x7af0e:$x5: KeyLoggerEventArgs 0x1365b:$m2: Clipboard Logs ID 0x13760:$m2: Screenshot Logs ID 0x137e8:$m2: keystroke Logs ID 0x3d5b9:$m2: Clipboard Logs ID 0x3d6be:$m2: Screenshot Logs ID
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.3ee9990.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3ee9990.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3ee9990.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3ee9990.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x225e1:$a1: get_encryptedPassword 0x225b5:$a2: get_encryptedUsername 0x22679:$a3: get_timePasswordChanged 0x22591:$a4: get_passwordField 0x225f7:$a5: set_encryptedPassword 0x223c4:$a7: get_logins 0x1ea37:$a10: KeyLoggerEventArgs 0x1ea06:$a11: KeyLoggerEventArgsEventHandler 0x22498:$a13: _encryptedPassword
4.2.RegSvcs.exe.3ee9990.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x281f2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27423:$a3: \Google\Chrome\User Data\Default\Login Data 0x27856:$a4: \Orbitum\User Data\Default\Login Data 0x28897:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3ee9990.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ea2:$s1: UnHook 0x20e3e:$s2: SetHook 0x20e77:$s3: CallNextHook 0x20e06:$s4: _hook
4.2.RegSvcs.exe.3ee9990.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25838:$x1: $%SMTPDV$ 0x2421c:$x2: $#TheHashHere%& 0x257e0:$x3: %FTPDV$ 0x241bc:$x4: $%TelegramDv$ 0x1ea06:$x5: KeyLoggerEventArgs 0x1ea37:$x5: KeyLoggerEventArgs 0x25804:$m2: Clipboard Logs ID 0x25a42:$m2: Screenshot Logs ID 0x25b52:$m2: keystroke Logs ID 0x25e2c:$m3: SnakePW 0x25a1a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.2a45066.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x252c9:$a1: get_encryptedPassword 0x2529d:$a2: get_encryptedUsername 0x25361:$a3: get_timePasswordChanged 0x25279:$a4: get_passwordField 0x252df:$a5: set_encryptedPassword 0x250ac:$a7: get_logins 0x2171f:$a10: KeyLoggerEventArgs 0x216ee:$a11: KeyLoggerEventArgsEventHandler 0x25180:$a13: _encryptedPassword
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2aeda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a10b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a53e:$a4: \Orbitum\User Data\Default\Login Data 0x2b57f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.2a45066.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23b8a:$s1: UnHook 0x23b26:$s2: SetHook 0x23b5f:$s3: CallNextHook 0x23aee:$s4: _hook
4.2.RegSvcs.exe.2a45066.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28520:$x1: $%SMTPDV$ 0x26f04:$x2: $#TheHashHere%& 0x284c8:$x3: %FTPDV$ 0x26ea4:$x4: $%TelegramDv$ 0x216ee:$x5: KeyLoggerEventArgs 0x2171f:$x5: KeyLoggerEventArgs 0x284ec:$m2: Clipboard Logs ID 0x2872a:$m2: Screenshot Logs ID 0x2883a:$m2: keystroke Logs ID 0x28b14:$m3: SnakePW 0x28702:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x22c3e:$s2: SetHook 0x22c77:$s3: CallNextHook 0x22c06:$s4: _hook
4.2.RegSvcs.exe.2a45f4e.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3eb5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3eb5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3eb5570.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3eb5570.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x234c9:$a1: get_encryptedPassword 0x2349d:$a2: get_encryptedUsername 0x23561:$a3: get_timePasswordChanged 0x23479:$a4: get_passwordField 0x234df:$a5: set_encryptedPassword 0x232ac:$a7: get_logins 0x1f91f:$a10: KeyLoggerEventArgs 0x1f8ee:$a11: KeyLoggerEventArgsEventHandler 0x23380:$a13: _encryptedPassword
4.2.RegSvcs.exe.52f0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.52f0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.52f0000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.52f0000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x234c9:$a1: get_encryptedPassword 0x2349d:$a2: get_encryptedUsername 0x23561:$a3: get_timePasswordChanged 0x23479:$a4: get_passwordField 0x234df:$a5: set_encryptedPassword 0x232ac:$a7: get_logins 0x1f91f:$a10: KeyLoggerEventArgs 0x1f8ee:$a11: KeyLoggerEventArgsEventHandler 0x23380:$a13: _encryptedPassword
4.2.RegSvcs.exe.52f0000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x290da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2830b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2873e:$a4: \Orbitum\User Data\Default\Login Data 0x2977f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3eb5570.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x290da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2830b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2873e:$a4: \Orbitum\User Data\Default\Login Data 0x2977f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3eb5570.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21d8a:$s1: UnHook 0x21d26:$s2: SetHook 0x21d5f:$s3: CallNextHook 0x21cee:$s4: _hook
4.2.RegSvcs.exe.3eb5570.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26720:$x1: $%SMTPDV$ 0x25104:$x2: $#TheHashHere%& 0x266c8:$x3: %FTPDV$ 0x250a4:$x4: $%TelegramDv$ 0x1f8ee:$x5: KeyLoggerEventArgs 0x1f91f:$x5: KeyLoggerEventArgs 0x266ec:$m2: Clipboard Logs ID 0x2692a:$m2: Screenshot Logs ID 0x26a3a:$m2: keystroke Logs ID 0x26d14:$m3: SnakePW 0x26902:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.52f0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21d8a:$s1: UnHook 0x21d26:$s2: SetHook 0x21d5f:$s3: CallNextHook 0x21cee:$s4: _hook
4.2.RegSvcs.exe.52f0000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26720:$x1: $%SMTPDV$ 0x25104:$x2: $#TheHashHere%& 0x266c8:$x3: %FTPDV$ 0x250a4:$x4: $%TelegramDv$ 0x1f8ee:$x5: KeyLoggerEventArgs 0x1f91f:$x5: KeyLoggerEventArgs 0x266ec:$m2: Clipboard Logs ID 0x2692a:$m2: Screenshot Logs ID 0x26a3a:$m2: keystroke Logs ID 0x26d14:$m3: SnakePW 0x26902:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.53b0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.53b0000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.53b0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.53b0000.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.53b0000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword
4.2.RegSvcs.exe.53b0000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.53b0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x22c3e:$s2: SetHook 0x22c77:$s3: CallNextHook 0x22c06:$s4: _hook
4.2.RegSvcs.exe.53b0000.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.53b0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.53b0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.53b0000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.53b0000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x225e1:$a1: get_encryptedPassword 0x225b5:$a2: get_encryptedUsername 0x22679:$a3: get_timePasswordChanged 0x22591:$a4: get_passwordField 0x225f7:$a5: set_encryptedPassword 0x223c4:$a7: get_logins 0x1ea37:$a10: KeyLoggerEventArgs 0x1ea06:$a11: KeyLoggerEventArgsEventHandler 0x22498:$a13: _encryptedPassword
4.2.RegSvcs.exe.53b0000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x281f2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27423:$a3: \Google\Chrome\User Data\Default\Login Data 0x27856:$a4: \Orbitum\User Data\Default\Login Data 0x28897:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.52f0ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x225e1:$a1: get_encryptedPassword 0x225b5:$a2: get_encryptedUsername 0x22679:$a3: get_timePasswordChanged 0x22591:$a4: get_passwordField 0x225f7:$a5: set_encryptedPassword 0x223c4:$a7: get_logins 0x1ea37:$a10: KeyLoggerEventArgs 0x1ea06:$a11: KeyLoggerEventArgsEventHandler 0x22498:$a13: _encryptedPassword
4.2.RegSvcs.exe.52f0ee8.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x281f2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27423:$a3: \Google\Chrome\User Data\Default\Login Data 0x27856:$a4: \Orbitum\User Data\Default\Login Data 0x28897:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2a45066.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2a45066.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2a45066.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.2a45066.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x234c9:$a1: get_encryptedPassword 0x2349d:$a2: get_encryptedUsername 0x23561:$a3: get_timePasswordChanged 0x23479:$a4: get_passwordField 0x234df:$a5: set_encryptedPassword 0x232ac:$a7: get_logins 0x1f91f:$a10: KeyLoggerEventArgs 0x1f8ee:$a11: KeyLoggerEventArgsEventHandler 0x23380:$a13: _encryptedPassword
4.2.RegSvcs.exe.53b0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ea2:$s1: UnHook 0x20e3e:$s2: SetHook 0x20e77:$s3: CallNextHook 0x20e06:$s4: _hook
4.2.RegSvcs.exe.53b0000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25838:$x1: $%SMTPDV$ 0x2421c:$x2: $#TheHashHere%& 0x257e0:$x3: %FTPDV$ 0x241bc:$x4: $%TelegramDv$ 0x1ea06:$x5: KeyLoggerEventArgs 0x1ea37:$x5: KeyLoggerEventArgs 0x25804:$m2: Clipboard Logs ID 0x25a42:$m2: Screenshot Logs ID 0x25b52:$m2: keystroke Logs ID 0x25e2c:$m3: SnakePW 0x25a1a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.2a45066.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x290da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2830b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2873e:$a4: \Orbitum\User Data\Default\Login Data 0x2977f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.52f0ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ea2:$s1: UnHook 0x20e3e:$s2: SetHook 0x20e77:$s3: CallNextHook 0x20e06:$s4: _hook
4.2.RegSvcs.exe.52f0ee8.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25838:$x1: $%SMTPDV$ 0x2421c:$x2: $#TheHashHere%& 0x257e0:$x3: %FTPDV$ 0x241bc:$x4: $%TelegramDv$ 0x1ea06:$x5: KeyLoggerEventArgs 0x1ea37:$x5: KeyLoggerEventArgs 0x25804:$m2: Clipboard Logs ID 0x25a42:$m2: Screenshot Logs ID 0x25b52:$m2: keystroke Logs ID 0x25e2c:$m3: SnakePW 0x25a1a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.2a45066.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21d8a:$s1: UnHook 0x21d26:$s2: SetHook 0x21d5f:$s3: CallNextHook 0x21cee:$s4: _hook
4.2.RegSvcs.exe.2a45066.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26720:$x1: $%SMTPDV$ 0x25104:$x2: $#TheHashHere%& 0x266c8:$x3: %FTPDV$ 0x250a4:$x4: $%TelegramDv$ 0x1f8ee:$x5: KeyLoggerEventArgs 0x1f91f:$x5: KeyLoggerEventArgs 0x266ec:$m2: Clipboard Logs ID 0x2692a:$m2: Screenshot Logs ID 0x26a3a:$m2: keystroke Logs ID 0x26d14:$m3: SnakePW 0x26902:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3eb6458.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3eb6458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3eb6458.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3eb6458.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x225e1:$a1: get_encryptedPassword 0x225b5:$a2: get_encryptedUsername 0x22679:$a3: get_timePasswordChanged 0x22591:$a4: get_passwordField 0x225f7:$a5: set_encryptedPassword 0x223c4:$a7: get_logins 0x1ea37:$a10: KeyLoggerEventArgs 0x1ea06:$a11: KeyLoggerEventArgsEventHandler 0x22498:$a13: _encryptedPassword
4.2.RegSvcs.exe.3eb6458.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x281f2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27423:$a3: \Google\Chrome\User Data\Default\Login Data 0x27856:$a4: \Orbitum\User Data\Default\Login Data 0x28897:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3eb6458.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ea2:$s1: UnHook 0x20e3e:$s2: SetHook 0x20e77:$s3: CallNextHook 0x20e06:$s4: _hook
4.2.RegSvcs.exe.3eb6458.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25838:$x1: $%SMTPDV$ 0x2421c:$x2: $#TheHashHere%& 0x257e0:$x3: %FTPDV$ 0x241bc:$x4: $%TelegramDv$ 0x1ea06:$x5: KeyLoggerEventArgs 0x1ea37:$x5: KeyLoggerEventArgs 0x25804:$m2: Clipboard Logs ID 0x25a42:$m2: Screenshot Logs ID 0x25b52:$m2: keystroke Logs ID 0x25e2c:$m3: SnakePW 0x25a1a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.52f0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.52f0000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.52f0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.52f0000.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.52f0000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x252c9:$a1: get_encryptedPassword 0x2529d:$a2: get_encryptedUsername 0x25361:$a3: get_timePasswordChanged 0x25279:$a4: get_passwordField 0x252df:$a5: set_encryptedPassword 0x250ac:$a7: get_logins 0x2171f:$a10: KeyLoggerEventArgs 0x216ee:$a11: KeyLoggerEventArgsEventHandler 0x25180:$a13: _encryptedPassword
4.2.RegSvcs.exe.52f0000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2aeda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a10b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a53e:$a4: \Orbitum\User Data\Default\Login Data 0x2b57f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.52f0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23b8a:$s1: UnHook 0x23b26:$s2: SetHook 0x23b5f:$s3: CallNextHook 0x23aee:$s4: _hook
4.2.RegSvcs.exe.52f0000.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28520:$x1: $%SMTPDV$ 0x26f04:$x2: $#TheHashHere%& 0x284c8:$x3: %FTPDV$ 0x26ea4:$x4: $%TelegramDv$ 0x216ee:$x5: KeyLoggerEventArgs 0x2171f:$x5: KeyLoggerEventArgs 0x284ec:$m2: Clipboard Logs ID 0x2872a:$m2: Screenshot Logs ID 0x2883a:$m2: keystroke Logs ID 0x28b14:$m3: SnakePW 0x28702:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x22c3e:$s2: SetHook 0x22c77:$s3: CallNextHook 0x22c06:$s4: _hook
4.2.RegSvcs.exe.3ee9990.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.2a45f4e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2a45f4e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2a45f4e.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.2a45f4e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x225e1:$a1: get_encryptedPassword 0x225b5:$a2: get_encryptedUsername 0x22679:$a3: get_timePasswordChanged 0x22591:$a4: get_passwordField 0x225f7:$a5: set_encryptedPassword 0x223c4:$a7: get_logins 0x1ea37:$a10: KeyLoggerEventArgs 0x1ea06:$a11: KeyLoggerEventArgsEventHandler 0x22498:$a13: _encryptedPassword
4.2.RegSvcs.exe.2a45f4e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x281f2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27423:$a3: \Google\Chrome\User Data\Default\Login Data 0x27856:$a4: \Orbitum\User Data\Default\Login Data 0x28897:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2a45f4e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ea2:$s1: UnHook 0x20e3e:$s2: SetHook 0x20e77:$s3: CallNextHook 0x20e06:$s4: _hook
4.2.RegSvcs.exe.2a45f4e.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25838:$x1: $%SMTPDV$ 0x2421c:$x2: $#TheHashHere%& 0x257e0:$x3: %FTPDV$ 0x241bc:$x4: $%TelegramDv$ 0x1ea06:$x5: KeyLoggerEventArgs 0x1ea37:$x5: KeyLoggerEventArgs 0x25804:$m2: Clipboard Logs ID 0x25a42:$m2: Screenshot Logs ID 0x25b52:$m2: keystroke Logs ID 0x25e2c:$m3: SnakePW 0x25a1a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243e1:$a1: get_encryptedPassword 0x57919:$a1: get_encryptedPassword 0x243b5:$a2: get_encryptedUsername 0x578ed:$a2: get_encryptedUsername 0x24479:$a3: get_timePasswordChanged 0x579b1:$a3: get_timePasswordChanged 0x24391:$a4: get_passwordField 0x578c9:$a4: get_passwordField 0x243f7:$a5: set_encryptedPassword 0x5792f:$a5: set_encryptedPassword 0x241c4:$a7: get_logins 0x576fc:$a7: get_logins 0x20837:$a10: KeyLoggerEventArgs 0x53d6f:$a10: KeyLoggerEventArgs 0x20806:$a11: KeyLoggerEventArgsEventHandler 0x53d3e:$a11: KeyLoggerEventArgsEventHandler 0x24298:$a13: _encryptedPassword 0x577d0:$a13: _encryptedPassword
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x252c9:$a1: get_encryptedPassword 0x58801:$a1: get_encryptedPassword 0x2529d:$a2: get_encryptedUsername 0x587d5:$a2: get_encryptedUsername 0x25361:$a3: get_timePasswordChanged 0x58899:$a3: get_timePasswordChanged 0x25279:$a4: get_passwordField 0x587b1:$a4: get_passwordField 0x252df:$a5: set_encryptedPassword 0x58817:$a5: set_encryptedPassword 0x250ac:$a7: get_logins 0x585e4:$a7: get_logins 0x2171f:$a10: KeyLoggerEventArgs 0x54c57:$a10: KeyLoggerEventArgs 0x216ee:$a11: KeyLoggerEventArgsEventHandler 0x54c26:$a11: KeyLoggerEventArgsEventHandler 0x25180:$a13: _encryptedPassword 0x586b8:$a13: _encryptedPassword
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29ff2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d52a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29223:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c75b:$a3: \Google\Chrome\User Data\Default\Login Data 0x29656:$a4: \Orbitum\User Data\Default\Login Data 0x5cb8e:$a4: \Orbitum\User Data\Default\Login Data 0x2a697:$a5: \Kometa\User Data\Default\Login Data 0x5dbcf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2aeda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5e412:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a10b:$a3: \Google\Chrome\User Data\Default\Login Data 0x5d643:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a53e:$a4: \Orbitum\User Data\Default\Login Data 0x5da76:$a4: \Orbitum\User Data\Default\Login Data 0x2b57f:$a5: \Kometa\User Data\Default\Login Data 0x5eab7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x22c3e:$s2: SetHook 0x22c77:$s3: CallNextHook 0x22c06:$s4: _hook
4.2.RegSvcs.exe.52f0ee8.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22ca2:$s1: UnHook 0x561da:$s1: UnHook 0x22c3e:$s2: SetHook 0x56176:$s2: SetHook 0x22c77:$s3: CallNextHook 0x561af:$s3: CallNextHook 0x22c06:$s4: _hook 0x5613e:$s4: _hook
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23b8a:$s1: UnHook 0x570c2:$s1: UnHook 0x23b26:$s2: SetHook 0x5705e:$s2: SetHook 0x23b5f:$s3: CallNextHook 0x57097:$s3: CallNextHook 0x23aee:$s4: _hook 0x57026:$s4: _hook
4.2.RegSvcs.exe.3eb6458.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27638:$x1: $%SMTPDV$ 0x5ab70:$x1: $%SMTPDV$ 0x2601c:$x2: $#TheHashHere%& 0x59554:$x2: $#TheHashHere%& 0x275e0:$x3: %FTPDV$ 0x5ab18:$x3: %FTPDV$ 0x25fbc:$x4: $%TelegramDv$ 0x594f4:$x4: $%TelegramDv$ 0x20806:$x5: KeyLoggerEventArgs 0x20837:$x5: KeyLoggerEventArgs 0x53d3e:$x5: KeyLoggerEventArgs 0x53d6f:$x5: KeyLoggerEventArgs 0x27604:$m2: Clipboard Logs ID 0x27842:$m2: Screenshot Logs ID 0x27952:$m2: keystroke Logs ID 0x5ab3c:$m2: Clipboard Logs ID 0x5ad7a:$m2: Screenshot Logs ID 0x5ae8a:$m2: keystroke Logs ID 0x27c2c:$m3: SnakePW 0x5b164:$m3: SnakePW 0x2781a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3eb5570.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28520:$x1: $%SMTPDV$ 0x5ba58:$x1: $%SMTPDV$ 0x26f04:$x2: $#TheHashHere%& 0x5a43c:$x2: $#TheHashHere%& 0x284c8:$x3: %FTPDV$ 0x5ba00:$x3: %FTPDV$ 0x26ea4:$x4: $%TelegramDv$ 0x5a3dc:$x4: $%TelegramDv$ 0x216ee:$x5: KeyLoggerEventArgs 0x2171f:$x5: KeyLoggerEventArgs 0x54c26:$x5: KeyLoggerEventArgs 0x54c57:$x5: KeyLoggerEventArgs 0x284ec:$m2: Clipboard Logs ID 0x2872a:$m2: Screenshot Logs ID 0x2883a:$m2: keystroke Logs ID 0x5ba24:$m2: Clipboard Logs ID 0x5bc62:$m2: Screenshot Logs ID 0x5bd72:$m2: keystroke Logs ID 0x28b14:$m3: SnakePW 0x5c04c:$m3: SnakePW 0x28702:$m4: \SnakeKeylogger\
Click to see the 117 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T04:32:44.375300+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	188.114.97.3	443	TCP
2024-10-30T04:32:45.993328+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	188.114.97.3	443	TCP
2024-10-30T04:32:52.443002+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T04:32:42.527534+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2024-10-30T04:32:43.668151+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2024-10-30T04:32:45.277511+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.6.168	80	TCP
2024-10-30T04:32:46.847095+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7498931539:AAE8KHb70FueL6YmOOF6rhS3Z3o-F1rx6_A/sendMessage?chat_id=1178171552", "Token": "7498931539:AAE8KHb70FueL6YmOOF6rhS3Z3o-F1rx6_A", "Chat_id": "1178171552", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: z1MRforsteamDRUM-A1_pdf.exe	Virustotal: Detection: 20%			Perma Link
Source: z1MRforsteamDRUM-A1_pdf.exe	ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z1MRforsteamDRUM-A1_pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z1MRforsteamDRUM-A1_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0

Source:

Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_02AFE2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0537F399h	4_2_0537F0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0537E5AEh	4_2_0537E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0537EF38h	4_2_0537E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0537F7F9h	4_2_0537F548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0537FC59h	4_2_0537F9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_0537E0F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_0537D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595B7B9h	4_2_0595B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595F031h	4_2_0595ED88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595C069h	4_2_0595BDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595F489h	4_2_0595F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05950D4Dh	4_2_05950930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595EBD9h	4_2_0595E930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05950D4Dh	4_2_05950921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595BC11h	4_2_0595B968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595E329h	4_2_0595E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595B361h	4_2_0595B0B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05950751h	4_2_059504A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595E781h	4_2_0595E4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595AAB1h	4_2_0595A808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595DED1h	4_2_0595DC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 059502F1h	4_2_05950040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05950D4Dh	4_2_05950C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595AF09h	4_2_0595AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595DA79h	4_2_0595D7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595D1C9h	4_2_0595CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595D621h	4_2_0595D378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595FD39h	4_2_0595FA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595CD71h	4_2_0595CAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595C4C1h	4_2_0595C218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595F8E1h	4_2_0595F638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0595C919h	4_2_0595C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067958B9h	4_2_06795610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06797C35h	4_2_067978F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06798772h	4_2_067986C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06798772h	4_2_067986C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06796169h	4_2_06795EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_067926A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_0679269B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06796A41h	4_2_06796798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06797749h	4_2_067974A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06794731h	4_2_06794488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06795009h	4_2_06794D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06795D11h	4_2_06795A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067965EAh	4_2_06796340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06796E99h	4_2_06796BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067972F1h	4_2_06797048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067902E9h	4_2_06790040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06794BB1h	4_2_06794908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06795461h	4_2_067951B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	4_2_067AF7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	4_2_067ABCB4

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.78
Source: RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.78$
Source: RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.78x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z1MRforsteamDRUM-A1_pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02AF12B0	4_2_02AF12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02AF12C0	4_2_02AF12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02AF1560	4_2_02AF1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02AF1550	4_2_02AF1550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05375429	4_2_05375429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05378F18	4_2_05378F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537AE00	4_2_0537AE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537A658	4_2_0537A658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537B6D0	4_2_0537B6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_053739E0	4_2_053739E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537B9C1	4_2_0537B9C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537B0F0	4_2_0537B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F0E8	4_2_0537F0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537AB10	4_2_0537AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05375BB0	4_2_05375BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537B3E0	4_2_0537B3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537E3D0	4_2_0537E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F538	4_2_0537F538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F548	4_2_0537F548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F9A8	4_2_0537F9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F998	4_2_0537F998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537A820	4_2_0537A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537D8E0	4_2_0537D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537D8D1	4_2_0537D8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537F0D8	4_2_0537F0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0537E3C0	4_2_0537E3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B510	4_2_0595B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_059570B0	4_2_059570B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05952B90	4_2_05952B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05957780	4_2_05957780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595ED88	4_2_0595ED88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595BDB1	4_2_0595BDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595F1D0	4_2_0595F1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595BDC0	4_2_0595BDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595F1E0	4_2_0595F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B501	4_2_0595B501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E930	4_2_0595E930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E922	4_2_0595E922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B959	4_2_0595B959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595ED78	4_2_0595ED78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B968	4_2_0595B968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05950491	4_2_05950491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E080	4_2_0595E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B0B8	4_2_0595B0B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_059504A0	4_2_059504A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595B0A8	4_2_0595B0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E4D8	4_2_0595E4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E4C8	4_2_0595E4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595DC18	4_2_0595DC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05950006	4_2_05950006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595A808	4_2_0595A808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595DC28	4_2_0595DC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595AC51	4_2_0595AC51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05950040	4_2_05950040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595E071	4_2_0595E071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595AC60	4_2_0595AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05952B80	4_2_05952B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595D7D0	4_2_0595D7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595D7C0	4_2_0595D7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595A7F7	4_2_0595A7F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595CF14	4_2_0595CF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05956708	4_2_05956708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595CF20	4_2_0595CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595D378	4_2_0595D378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595D36A	4_2_0595D36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05956E90	4_2_05956E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595FA90	4_2_0595FA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595FA80	4_2_0595FA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595CAB9	4_2_0595CAB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595CAC8	4_2_0595CAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_059566FA	4_2_059566FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595C218	4_2_0595C218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595C208	4_2_0595C208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595F638	4_2_0595F638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595F629	4_2_0595F629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595C670	4_2_0595C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0595C662	4_2_0595C662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06799E40	4_2_06799E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679BE38	4_2_0679BE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795610	4_2_06795610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797F50	4_2_06797F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067997D8	4_2_067997D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679B7D0	4_2_0679B7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679A4A0	4_2_0679A4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679C4A0	4_2_0679C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06790498	4_2_06790498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679CB00	4_2_0679CB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679AB00	4_2_0679AB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067978F8	4_2_067978F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679B168	4_2_0679B168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06799E32	4_2_06799E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679BE27	4_2_0679BE27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795601	4_2_06795601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795EC0	4_2_06795EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795EB3	4_2_06795EB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067926A8	4_2_067926A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679269B	4_2_0679269B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797F4D	4_2_06797F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06793720	4_2_06793720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067997C8	4_2_067997C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679B7C0	4_2_0679B7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796798	4_2_06796798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796789	4_2_06796789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06794478	4_2_06794478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067974A0	4_2_067974A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797491	4_2_06797491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679A490	4_2_0679A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679C490	4_2_0679C490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06794488	4_2_06794488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06794D60	4_2_06794D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06794D51	4_2_06794D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795A68	4_2_06795A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06795A58	4_2_06795A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06792A20	4_2_06792A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679AAF0	4_2_0679AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679CAF0	4_2_0679CAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796340	4_2_06796340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796330	4_2_06796330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06791B08	4_2_06791B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796308	4_2_06796308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796BF0	4_2_06796BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06796BE0	4_2_06796BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797048	4_2_06797048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06790040	4_2_06790040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797039	4_2_06797039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679003D	4_2_0679003D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067948FB	4_2_067948FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067978E8	4_2_067978E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0679B159	4_2_0679B159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06794908	4_2_06794908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067951B8	4_2_067951B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067951AB	4_2_067951AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067A9FC8	4_2_067A9FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067ACD60	4_2_067ACD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067A9B9C	4_2_067A9B9C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 0040E1D8 appears 43 times

Source: z1MRforsteamDRUM-A1_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, ----.cs	Base64 encoded string: 'YS0zk+GmTw1pqk4OrEwTuiw7TrwJDU/jtRfkWkJyFAQAVw4DgPkLupVRGU1l6Nd2'
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, ----.cs	Base64 encoded string: 'YS0zk+GmTw1pqk4OrEwTuiw7TrwJDU/jtRfkWkJyFAQAVw4DgPkLupVRGU1l6Nd2'
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, ----.cs	Base64 encoded string: 'YS0zk+GmTw1pqk4OrEwTuiw7TrwJDU/jtRfkWkJyFAQAVw4DgPkLupVRGU1l6Nd2'
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, ----.cs	Base64 encoded string: 'YS0zk+GmTw1pqk4OrEwTuiw7TrwJDU/jtRfkWkJyFAQAVw4DgPkLupVRGU1l6Nd2'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, ----.cs	Base64 encoded string: 'YS0zk+GmTw1pqk4OrEwTuiw7TrwJDU/jtRfkWkJyFAQAVw4DgPkLupVRGU1l6Nd2'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\batchers

Jump to behavior

Source: z1MRforsteamDRUM-A1_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2926733076.0000000003159000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003149000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003167000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: z1MRforsteamDRUM-A1_pdf.exe	Virustotal: Detection: 20%
Source: z1MRforsteamDRUM-A1_pdf.exe	ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

File read: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z1MRforsteamDRUM-A1_pdf.exe

Static file information: File size 1182343 > 1048576

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: z1MRforsteamDRUM-A1_pdf.exe

Static PE information: real checksum: 0xa2135 should be: 0x12ff86

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040BB97 push dword ptr [ecx-75h]; iretd	4_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_053749C0 push esp; retf	4_2_05374B19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06797F0F push es; iretd	4_2_06797F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_067A5F21 push es; ret	4_2_067A5F30

Source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'TCEnmsuQhqcm2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'TCEnmsuQhqcm2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'TCEnmsuQhqcm2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'TCEnmsuQhqcm2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'TCEnmsuQhqcm2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

API/Special instruction interceptor: Address: 3F86D2C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598924	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598798	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593922	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7699			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2097			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598924	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598798	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593922	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2925587528.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

graph_4-56017

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0040CE09

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_0040ADB0 GetProcessHeap,HeapFree,

4_2_0040ADB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA5008

Jump to behavior

Source: C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"

Jump to behavior

Source: z1MRforsteamDRUM-A1_pdf.exe

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_00412A15

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2926733076.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45066.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ee9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2a45f4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.52f0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3eb5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2926733076.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
z1MRforsteamDRUM-A1_pdf.exe	21%	Virustotal	Browse
z1MRforsteamDRUM-A1_pdf.exe	18%	ReversingLabs
z1MRforsteamDRUM-A1_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.78	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.78$	RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003022000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.78x	RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2926733076.000000000306E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.000000000308D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2926733076.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545084
Start date and time:	2024-10-30 04:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z1MRforsteamDRUM-A1_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 133 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:32:42	API Interceptor	351214x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	rPO-000172483.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/2b9b/
	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
193.122.6.168	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z6INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Documentos.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS PENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rShippingDocuments240384.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
checkip.dyndns.com	z6INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Documentos.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PAGO FRAS PENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rShippingDocuments240384.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	z6INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Documentos.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PAGO FRAS PENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
CLOUDFLARENETUS	https://eot.lps-china.com/f/a/pQ-JA2nitAQtMB92xwUcGg~~/AAAHUQA~/RgRpAabzP4QTAWh0dHBzOi8vYmVyZW5pY2UuZW9tYWlsOC5jb20vdW5zdWJzY3JpYmU_ZXA9MiZsPTVlNmE0MDU2LWVhZTMtMTFlZS1hNzNjLWM1NDU2ZDI0OGQ3OCZsYz0zMmVlMmQ3Yy0zMjA4LTExZWYtYTFiZS1lYjMwYzAwY2FlZDgmcD05NDM1NjNkYy05Mzc2LTExZWYtYTdkMi00NTk0MDQ5OWMzNTYmcHQ9Y2FtcGFpZ24mcHY9NCZzcGE9MTczMDA5MzQ0NCZ0PTE3MzAwOTM1NTUmcz1mNWE2NDYwZWE1NTFlYzYxZDFiNjJhZTBhNTI2NGFhNjdmYWMxN2I1MzRkNWI4MzdhNTA0MDAwM2ZhNmZmMGUwVwVzcGNldUIKZw7zIR9n2KUgilIeZ2VtbWEubG9yZW56b0BkdWJhaWhvbGRpbmcuY29tWAQAAAL5	Get hash	malicious	Unknown	Browse	172.67.132.160
	Uviv7rEtnt.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/creditodigitalelmo.com.br/solo/i2975ufuy18zkhauvhibzzxy/YWRzQGJldHdlZW4udXM=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z6INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	https://alcatrazpackages.com/elchapo.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.43.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z6INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Documentos.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS PENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1OzqwiA1nI8GUoiKob_qJY5xL1HmGK6VrRXlYUDuD68w/preview?pli=1JXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrl	Get hash	malicious	Mamba2FA	Browse	188.114.97.3
	rShippingDocuments240384.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	229888
Entropy (8bit):	7.879449048926833
Encrypted:	false
SSDEEP:	6144:jDIunQ16nHMoZnhs9Ry3Fy9s0H9U8eLrmf:5EepZhQc3FKdFQu
MD5:	927D82DACDB1C51D94B0466D7C5475E0
SHA1:	2F186746B05C4580756344212305EE77F7D75317
SHA-256:	12922248D011339578F915589A59CA28C103DB7B6700D48A1756052AB6C4A1F7
SHA-512:	B5941EAAF3F4F1A312962117D6C0A1E5A61BC4EE3900D68228398452D09E2DFA0280C2C3448CCD22D8AA341CEB2CEAF1660F3FEB68FAA5BCB4EA0E3C9B9EC23C
Malicious:	false
Reputation:	low
Preview:	.h.NZOK1^9UP..FI.HMW15RZrKNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLR.I0HCH.;R.;.o.N..{m=9?r6;_/?6\.1;\%!-o)TzK >l;(it..w\Z6?.FCSkK1Z9UPL:V..d<.O.#.Lg?.1y.%Gj!.,M..6f&.K~+.5.(.5.yW+L=.8{.!3.@.,h.00t>.O.P68`#.70HMW15RZ2KNYOK1Z.x.RFI0..W1yS^2?.Y.K1Z9UPLR.I.IFV85R.3KN.NK1Z9U..RFI HMW.4RZ2.NY_K1Z;UPIRFI0HMW45RZ2KNYO.2Z9QPL.}K0JMW.5RJ2K^YOK1J9U@LRFI0H]W15RZ2KNYOK.O;U.LRFIPJM[P4RZ2KNYOK1Z9UPLRFI0HMW15RZ..OYSK1Z9UPLRFI0HMW15RZ2KNYOK1Z9.]NR.I0HMW15RZ2KN.NK.[9UPLRFI0HMW15RZ2KNYOK1Z9UPb&#1DHMW).SZ2[NYO.0Z9QPLRFI0HMW15RZ2kNY/eC>X!1LR.$0HM.05R42KN.NK1Z9UPLRFI0HM.15.tV:8OK1..UPLrDI0^MW1?PZ2KNYOK1Z9UPL.FI.f?$CVRZ2G/XOKQX9U2MRFi2HMW15RZ2KNYOKqZ9.PLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9UPLRFI0HMW15RZ2KNYOK1Z9U

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.415290133364872
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	z1MRforsteamDRUM-A1_pdf.exe
File size:	1'182'343 bytes
MD5:	aaa6233ad5bf1fa876ad708b2af4d7d5
SHA1:	caa797aaac80a8c807e8e152f280188b8b4e8819
SHA256:	13d4f8ebe986653a6512cace310b4927b694a5127036d85c2d1c8840634537e4
SHA512:	5cab1d39f1af187bc34073052e1672cee1aa131272abae98053f2273afc9f57b573517358e110dd6b56f4653ead9ab653828c80bb408f3456f3451db901a257e
SSDEEP:	24576:ffmMv6Ckr7Mny5QLI2klYKlUhypdA0IJF/iog:f3v+7/5QLbkl/Uhad7I9g
TLSH:	C245E122F7D680B6D9A33971197BE327EB3576194327C4CBA7E02E768F111009B36762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F84B51AD46Ch
jmp 00007F84B51A123Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F84B51A13CAh
cmp edi, eax
jc 00007F84B51A156Ah
cmp ecx, 00000100h
jc 00007F84B51A13E1h
cmp dword ptr [004A94E0h], 00000000h
je 00007F84B51A13D8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F84B51A13CAh
pop esi
pop edi
pop ebp
jmp 00007F84B51A182Ah
test edi, 00000003h
jne 00007F84B51A13D7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F84B51A13ECh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F84B51A13CEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F84B51A138Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T04:32:42.527534+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	193.122.6.168	80	TCP
2024-10-30T04:32:43.668151+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	193.122.6.168	80	TCP
2024-10-30T04:32:44.375300+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49738	188.114.97.3	443	TCP
2024-10-30T04:32:45.277511+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	193.122.6.168	80	TCP
2024-10-30T04:32:45.993328+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49740	188.114.97.3	443	TCP
2024-10-30T04:32:46.847095+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.6.168	80	TCP
2024-10-30T04:32:52.443002+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 04:32:41.367888927 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:41.373328924 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:41.373400927 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:41.373577118 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:41.378940105 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:42.203922033 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:42.229240894 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:42.234610081 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:42.473540068 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:42.522185087 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:42.522239923 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:42.522294044 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:42.527534008 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:42.531284094 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:42.531295061 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.147303104 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.147459030 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.153899908 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.153911114 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.154146910 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.194616079 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.239337921 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.339759111 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.339804888 CET	443	49737	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.339848042 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.356573105 CET	49737	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.359549046 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:43.364986897 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:43.614059925 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:43.615839005 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.615884066 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.615962982 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.616230011 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:43.616244078 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:43.668150902 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.226819038 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:44.229126930 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:44.229160070 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:44.375308990 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:44.375360012 CET	443	49738	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:44.375407934 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:44.375808001 CET	49738	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:44.378690958 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.379523039 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.384557962 CET	80	49736	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:44.384639025 CET	49736	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.384857893 CET	80	49739	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:44.384932995 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.385029078 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:44.390441895 CET	80	49739	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:45.223033905 CET	80	49739	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:45.224514008 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:45.224616051 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.224713087 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:45.225101948 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:45.225138903 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.277510881 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:45.843683958 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.847155094 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:45.847203970 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.993329048 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.993535995 CET	443	49740	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:45.993699074 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:45.994421959 CET	49740	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:46.000303030 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.001991987 CET	49741	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.006149054 CET	80	49739	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:46.006237030 CET	49739	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.007355928 CET	80	49741	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:46.007427931 CET	49741	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.007523060 CET	49741	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.012855053 CET	80	49741	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:46.846882105 CET	80	49741	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:46.847095013 CET	49741	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:46.848126888 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:46.848201036 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:46.848289013 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:46.848522902 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:46.848548889 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:46.852900028 CET	80	49741	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:46.852966070 CET	49741	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:47.455534935 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:47.457178116 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:47.457222939 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:47.602557898 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:47.602617979 CET	443	49742	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:47.602756977 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:47.603187084 CET	49742	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:47.607439041 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:47.612932920 CET	80	49743	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:47.613027096 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:47.613120079 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:47.618419886 CET	80	49743	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:48.455347061 CET	80	49743	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:48.456481934 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:48.456537008 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:48.456602097 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:48.456825972 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:48.456839085 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:48.496268988 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.063349962 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:49.065187931 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:49.065218925 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:49.219433069 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:49.219484091 CET	443	49744	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:49.219561100 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:49.220071077 CET	49744	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:49.223090887 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.224020958 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.228764057 CET	80	49743	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:49.229424000 CET	80	49745	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:49.229479074 CET	49743	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.229511023 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.229610920 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:49.234992981 CET	80	49745	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:50.057008982 CET	80	49745	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:50.058295012 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.058346987 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.058439970 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.058681011 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.058693886 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.105618954 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.669615030 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.670896053 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.670919895 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.819704056 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.819771051 CET	443	49746	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:50.819839954 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.820188046 CET	49746	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:50.822983027 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.824007034 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.828610897 CET	80	49745	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:50.828696966 CET	49745	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.829365015 CET	80	49747	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:50.829446077 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.829521894 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:50.834804058 CET	80	49747	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:51.676323891 CET	80	49747	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:51.677356958 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:51.677429914 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:51.677508116 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:51.677728891 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:51.677762985 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:51.730597973 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.285962105 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:52.299365044 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:52.299420118 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:52.443025112 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:52.443115950 CET	443	49748	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:52.443186998 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:52.453516960 CET	49748	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:52.511307955 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.514189005 CET	49749	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.518197060 CET	80	49747	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:52.518320084 CET	49747	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.520628929 CET	80	49749	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:52.520730019 CET	49749	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.520904064 CET	49749	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:52.527653933 CET	80	49749	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:53.373404026 CET	80	49749	193.122.6.168	192.168.2.4
Oct 30, 2024 04:32:53.374481916 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:53.374540091 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:53.374607086 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:53.374869108 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:53.374901056 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:53.418082952 CET	49749	80	192.168.2.4	193.122.6.168
Oct 30, 2024 04:32:53.977689981 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:53.979964018 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:53.980009079 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:54.122324944 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:54.122395039 CET	443	49750	188.114.97.3	192.168.2.4
Oct 30, 2024 04:32:54.122488022 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:32:54.123389959 CET	49750	443	192.168.2.4	188.114.97.3
Oct 30, 2024 04:33:58.484622002 CET	80	49749	193.122.6.168	192.168.2.4
Oct 30, 2024 04:33:58.488357067 CET	49749	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 04:32:41.345304012 CET	61134	53	192.168.2.4	1.1.1.1
Oct 30, 2024 04:32:41.353334904 CET	53	61134	1.1.1.1	192.168.2.4
Oct 30, 2024 04:32:42.514166117 CET	50307	53	192.168.2.4	1.1.1.1
Oct 30, 2024 04:32:42.521648884 CET	53	50307	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 04:32:41.345304012 CET	192.168.2.4	1.1.1.1	0x5f31	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:42.514166117 CET	192.168.2.4	1.1.1.1	0xe1a8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:41.353334904 CET	1.1.1.1	192.168.2.4	0x5f31	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:42.521648884 CET	1.1.1.1	192.168.2.4	0xe1a8	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:32:42.521648884 CET	1.1.1.1	192.168.2.4	0xe1a8	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:41.373577118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 04:32:42.203922033 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b81eae04fbc4c7ff306d2170f4e4441c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 04:32:42.229240894 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 04:32:42.473540068 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a4ad547f1dcedf926ed0039d3237b4ed Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 04:32:43.359549046 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 04:32:43.614059925 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:43 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 93545e476bb3647ca324ea5a0bd2bcff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:44.385029078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 04:32:45.223033905 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:45 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1cea20f28457d6e405c75cdc37acccd7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:46.007523060 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 04:32:46.846882105 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:46 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6dd84de9db3eec85fac03b967bc7b961 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:47.613120079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 04:32:48.455347061 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:48 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c7d08b90f37750709e65b8c455702e8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:49.229610920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 04:32:50.057008982 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:49 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 16804ed9acf30d208e3046111c50e351 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:50.829521894 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 04:32:51.676323891 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:51 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f90593f6bd3e66c4644c6073aec7edfe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49749	193.122.6.168	80	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:32:52.520904064 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 04:32:53.373404026 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2455dd5d9df44e3bfeb3b2d81cc0875 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:43 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 03:32:43 UTC	896	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:43 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7186 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BqrhYXx0VKn37%2Flho%2B3hbrNv%2BWcLEkymzTYDgO0Bepy7rEwzv5mMblSoYPlkMldZikkgSbGXEtm1cR%2F%2F%2Ba%2B%2BRNTw7hipIQmLDC83jx6yxe2N1ZO2QcW%2Be25jYC8DREpybgFRIXLl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da856fa7fbc3ac5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1338&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2305732&cwnd=235&unsent_bytes=0&cid=6fc3e8930594f43c&ts=202&x=0"
2024-10-30 03:32:43 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:44 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 03:32:44 UTC	888	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:44 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7187 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0hBcLxHUgeFspFpQyenI3oyeByftpNc5iYphj7xgWgSnJ7rz6Z17d1Q3QvbW%2Bcmma0UPIOjXOZ%2BjuJDPDYTtoI8yAC7rDe3%2F0u2%2FnHZJc8AEuBwvblstFmz%2BEpQCOKJkc53n2nu8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da85700e80f2ca5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1148&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2464680&cwnd=251&unsent_bytes=0&cid=fe049635f76ca463&ts=154&x=0"
2024-10-30 03:32:44 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:45 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 03:32:45 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:45 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7188 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oZO1P4OTwui5OYkStCePxe7WfAhEsux7RBVsSZSAqPZKNs5LEN5cK1OnC2UOiKT7ROh%2FwCkbZifOcyluNX20G6hbZcj89D7ePk%2FKoA94YTYSR0rRJker3TBB9sgiSVszUrJS1HpD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da8570b082745ee-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1613370&cwnd=237&unsent_bytes=0&cid=57ae790206bc1193&ts=154&x=0"
2024-10-30 03:32:45 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:47 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 03:32:47 UTC	894	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:47 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7190 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EJ4Ux7%2Bzzn8a%2Bm%2BHqEL6oUrV6Z%2BVodGicwmskJ0Yqb6md8qZjWc6V4Xc%2F6Q0Ov3khZHoduE1XDQcXXDOYtdTs07uHmSwfY%2FPKSZBs22Lq5Lr4nQbjYQ%2Bjtnpl9K%2FX8p72CjpN8cF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da857151af96c39-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1075&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2574222&cwnd=235&unsent_bytes=0&cid=9db2adedbf34c9ec&ts=153&x=0"
2024-10-30 03:32:47 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:49 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 03:32:49 UTC	888	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:49 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7192 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UXPwM80EnBxCJDGAtQxnKvZXaovf0%2BNudWBgc2ahwOnjdHGIFPfbgcvRFLvFGicqs6GxrRrOLVWDyn7NgqTY%2Fp2ivZKzm4KlHZkgpLsW%2FIAEOoHkO4cSuS7vnQDtg8Ji%2F3LGt%2FGs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da8571f2fd24677-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1094&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2571936&cwnd=247&unsent_bytes=0&cid=eb213d64d331eb59&ts=162&x=0"
2024-10-30 03:32:49 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:50 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 03:32:50 UTC	890	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:50 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7193 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pRzYRJjqQ066GLZVx%2FdfCKzoCZr5OxzFm1oL8JmVG3XI8vTxiveyT9Rdl%2FYH%2FV%2FAHWo%2BmGx0b7vs%2FqGB9HBYs9kmCuvkY61GGDwrNzEN7yira9n1BVpfoD34DMIRQAZSQ9wgpCMC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da85729380e28e0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1509906&cwnd=251&unsent_bytes=0&cid=682b28aee4584220&ts=157&x=0"
2024-10-30 03:32:50 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:52 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 03:32:52 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:52 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7195 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1BdDyrJunaUJ3KCKeKHOvA5OqlYuQrKqzxXQ7JGD2azxpPeJiqh6ZIYZbQBzl6SqTGITC5y9KnvbGflaxpcG6BAX9u1fBTsCg%2F2hu6edFEnKADx8vkUdniAX9Dz0tHHSU4EBgEf1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da8573359753593-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1233&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2337368&cwnd=251&unsent_bytes=0&cid=c841b9a8ec5a0776&ts=162&x=0"
2024-10-30 03:32:52 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	188.114.97.3	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 03:32:53 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 03:32:54 UTC	890	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 03:32:54 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7197 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFWOs1gqazjy%2Fm9H5J%2Fk8KzsTJC7joAzQ%2BrYo60FjJaySRL8uXv1CYPUMxBFarN58uTMbbFrMi5U7f350njrpFKFvDRhqHKAUOCYMa%2Baq7ohnUvoz2xoEOdog8TsLWy30w%2B1m%2Fpt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da8573ddb1f7d5d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1478305&cwnd=252&unsent_bytes=0&cid=558697632fe8ba45&ts=151&x=0"
2024-10-30 03:32:54 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	23:31:55
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"
Imagebase:	0x400000
File size:	1'182'343 bytes
MD5 hash:	AAA6233AD5BF1FA876AD708B2AF4D7D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:32:39
Start date:	29/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1MRforsteamDRUM-A1_pdf.exe"
Imagebase:	0x870000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2926392112.0000000002A05000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2928277151.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2926733076.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2928049659.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2926733076.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2928542926.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	50.6%
Signature Coverage:	13.6%
Total number of Nodes:	330
Total number of Limit Nodes:	26

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

v, xrefs: 0040206A
{, xrefs: 0040205B
x, xrefs: 00402088
%, xrefs: 004020FA
o, xrefs: 00401B8D
*, xrefs: 00401A1F
V, xrefs: 00401E19
', xrefs: 00401AF6
x, xrefs: 00401B78
!, xrefs: 00401B1E
h, xrefs: 00401A6F
., xrefs: 00401B0A
8, xrefs: 00401BA9
[, xrefs: 00402047
v, xrefs: 00401B5A
V, xrefs: 00402038
{, xrefs: 00401E3C
{, xrefs: 00401B4B
), xrefs: 0040202E
___, xrefs: 0040227D
W, xrefs: 00402033
W, xrefs: 00401B14
6, xrefs: 004020C5
[, xrefs: 00401B37
0, xrefs: 00401BBD
4, xrefs: 00402136
", xrefs: 00401B0F
v, xrefs: 00401E4B
x, xrefs: 00401E69
5, xrefs: 00402109
D, xrefs: 00401DFB
', xrefs: 00402006
x, xrefs: 0040214A
W, xrefs: 004020E6
{, xrefs: 0040211D
W, xrefs: 00401B23
o, xrefs: 00402159
!, xrefs: 0040201A
o, xrefs: 00402097
_._, xrefs: 00402257
U, xrefs: 004020F5
4, xrefs: 00402074
v, xrefs: 0040212C
!, xrefs: 004020CF
*, xrefs: 004020E1
4, xrefs: 00401B64
E, xrefs: 00401E0F
:, xrefs: 00401B28
., xrefs: 0040201F

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 0537A658 Relevance: 6.6, Strings: 5, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 0537A8A1
LjAp, xrefs: 0537AA0E
PH^q, xrefs: 0537AA97
LjAp, xrefs: 0537AA24
PH^q, xrefs: 0537AA86

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7aea5363926591a4f096bcaaef32f68c953849662792174e508f61a8de0a6c3c
Instruction ID: 7d51e54816c2c063fa63f1b1a06d5cc6cc44151fb31f7287ec99edd21191886e
Opcode Fuzzy Hash: 7aea5363926591a4f096bcaaef32f68c953849662792174e508f61a8de0a6c3c
Instruction Fuzzy Hash: 53E10C75E04258DFDB24CFA9C584A9DBBF2FF88310F1580A9E819AB361DB75A841CF50

Function 053739E0 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 05373BE5
PH^q, xrefs: 05373C47
PH^q, xrefs: 05373C58
LjAp, xrefs: 05373BCF
0oAp, xrefs: 05373A61

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 020796baf3027620426bbf3cf8f0850693b8e260a868a34e8d6551b5c10b983f
Instruction ID: 4a060e533b74c0bb3afeaf0dd56cc0522a4a783295831037136c5660f5c8516e
Opcode Fuzzy Hash: 020796baf3027620426bbf3cf8f0850693b8e260a868a34e8d6551b5c10b983f
Instruction Fuzzy Hash: 5381B574E00218CFDB14DFAAD984A9DBBF2BF89300F14C469E819AB365DB749985DF10

Function 0537B0F0 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0537B356
PH^q, xrefs: 0537B367
0oAp, xrefs: 0537B171
LjAp, xrefs: 0537B2F4
LjAp, xrefs: 0537B2DE

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 81ee91e2e285484dfa4d00a30ffebb707413fb72bab01aa3d482ea2dcdc2db8f
Instruction ID: 937435945e1a757755287f7a8490ced1d03716166e64eb1bbf08d7b6e766079a
Opcode Fuzzy Hash: 81ee91e2e285484dfa4d00a30ffebb707413fb72bab01aa3d482ea2dcdc2db8f
Instruction Fuzzy Hash: A281A174E00218DFDB14DFAAD994A9DFBF2BF89300F14C069E419AB265EB749885CF10

Function 0537AB10 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0537AD14
LjAp, xrefs: 0537ACFE
PH^q, xrefs: 0537AD76
0oAp, xrefs: 0537AB91
PH^q, xrefs: 0537AD87

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 812854b03729e33f966555cefe2e997f4c685d8f9fce9a072bca61652598fec4
Instruction ID: 5435f0202809114b499efe4d56f4562cb0bfb0ed5545cfbafa536a1d803521dc
Opcode Fuzzy Hash: 812854b03729e33f966555cefe2e997f4c685d8f9fce9a072bca61652598fec4
Instruction Fuzzy Hash: 8F81A174E00218DFDB24DFAAD994A9DBBF2BF89300F14C069E419AB365DB749985CF10

Function 0537B3E0 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0537B646
PH^q, xrefs: 0537B657
0oAp, xrefs: 0537B461
LjAp, xrefs: 0537B5E4
LjAp, xrefs: 0537B5CE

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a08ad866d6f5af344160ab84b26c1f4dda3505f5c367fbeebc4776b475f1b696
Instruction ID: 7e7058277844fbe4cda7a30a2d98378a7afead49e01828563fbb7efb2e32afe9
Opcode Fuzzy Hash: a08ad866d6f5af344160ab84b26c1f4dda3505f5c367fbeebc4776b475f1b696
Instruction Fuzzy Hash: 33819074E002189FDB14DFAAD994A9DFBF2BF88310F14C069E419AB365EB749985CF10

Function 0537B6D0 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0537B936
LjAp, xrefs: 0537B8D4
LjAp, xrefs: 0537B8BE
0oAp, xrefs: 0537B751
PH^q, xrefs: 0537B947

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 1974fac61226d1785a18b6c0f06e5f667483be3a1d1c67b48b2871c874e3443a
Instruction ID: f92e71b924722a0f0b567c236651f0328d736fa1c5e7d107693f8e28e6559a6b
Opcode Fuzzy Hash: 1974fac61226d1785a18b6c0f06e5f667483be3a1d1c67b48b2871c874e3443a
Instruction Fuzzy Hash: 0481A374E002189FDB14DFAAD994A9DFBF2BF88310F14C069E419AB365EB749985CF10

Function 0537AE00 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0537B077
LjAp, xrefs: 0537B004
LjAp, xrefs: 0537AFEE
PH^q, xrefs: 0537B066
0oAp, xrefs: 0537AE81

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 3fa646be9db7f385062fd389c375c2f4dacd3c70625540527c4f55be8c720425
Instruction ID: 2aaea35df811ae4b3da05a0762218655412d3d45153cbde864892aa851a73b7f
Opcode Fuzzy Hash: 3fa646be9db7f385062fd389c375c2f4dacd3c70625540527c4f55be8c720425
Instruction Fuzzy Hash: 2781B274E00218CFDB14DFAAD994A9DBBF2BF88300F14C069E419AB365EB759985CF50

Function 0537B9C1 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0537BBC4
LjAp, xrefs: 0537BBAE
0oAp, xrefs: 0537BA41
PH^q, xrefs: 0537BC26
PH^q, xrefs: 0537BC37

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 034fafd64c8991f8cbc272601dfb07a9c7d6708849961233500d4f62d923af04
Instruction ID: db9ba4e6b6e0ae0599b8c74821049f2aaf5a8677d44c421b210ad07a9a608cf2
Opcode Fuzzy Hash: 034fafd64c8991f8cbc272601dfb07a9c7d6708849961233500d4f62d923af04
Instruction Fuzzy Hash: 2B819374E002189FDB14DFAAD994A9DFBF2BF88310F14C069E409AB265EB749985CF50

Function 05375BB0 Relevance: 5.3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

Strings

,bq, xrefs: 05375D30
(o^q, xrefs: 05375CB8
(o^q, xrefs: 05375CAA
,bq, xrefs: 05375D22

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: a9b0b6aef6ac06c49c0f9d7d1a824e0e2649c1ad574684d2897fa64a096ffff4
Instruction ID: 5b66470799c723505604dcce2e6a0d52fd551991a610b575590bfef92ea52b4b
Opcode Fuzzy Hash: a9b0b6aef6ac06c49c0f9d7d1a824e0e2649c1ad574684d2897fa64a096ffff4
Instruction Fuzzy Hash: 69D11B31E04109DFCB28CF69D888AADBBF6BF89300F558166E415AB260DB74D941CB51

Function 05952B90 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 05955F70

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: f96bcae14a86bbb57637520a657c1d403f1cbd86a21d07c6e9acaf6511460bae
Instruction ID: 888ef328db74110ff8f661cd5bd19fb38f6a878ecdc046b1867f290aeb37365e
Opcode Fuzzy Hash: f96bcae14a86bbb57637520a657c1d403f1cbd86a21d07c6e9acaf6511460bae
Instruction Fuzzy Hash: B573E631D1075A8ECB11EF68C854A99FBB1FF99310F11D69AE44877221EB70AAD4CF41

Function 0537A820 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0537A8A1
PH^q, xrefs: 0537AA97
PH^q, xrefs: 0537AA86

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 758303b045ac708f202ccb13eda9d9e598d57c049a6929a8f04efcf4705b26a1
Instruction ID: f8ee189f55b5a08bfa4b5670aa2e89eb2bf1aecad1ba9dfc428a6ddcfe0a154e
Opcode Fuzzy Hash: 758303b045ac708f202ccb13eda9d9e598d57c049a6929a8f04efcf4705b26a1
Instruction Fuzzy Hash: F861C274E0021C9FDB18DFAAD984A9EBBF2BF88300F14C169E418AB365DB359845CF50

Function 05957780 Relevance: 3.5, Strings: 1, Instructions: 2260COMMON

Download Yara Rule

Strings

K, xrefs: 05959E53

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 03577d996ce370b9aa7d6f3413f198da88d0e2a6f9cf5e10d141bc4e5424cd66
Instruction ID: 1ba8bb57fe10382195794820ce07e2be372654c6a1818f8c35c6505c557b4112
Opcode Fuzzy Hash: 03577d996ce370b9aa7d6f3413f198da88d0e2a6f9cf5e10d141bc4e5424cd66
Instruction Fuzzy Hash: 9A33E430D146198EDB11EF68C894A9DFBB1FF99310F10D69AE45877221EB70AAD4CF81

Function 05378F18 Relevance: 3.4, Strings: 2, Instructions: 896COMMON

Download Yara Rule

Strings

4'^q, xrefs: 053799A3
(o^q, xrefs: 053793A8

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: a5783d2ef4406234139ca2aab1c96244ef0fcddf4ce1a5c59a9eaf48191cb36f
Instruction ID: decbe46460fa900cff6c23a6425635431e326541d6cd880fc8023b351539f642
Opcode Fuzzy Hash: a5783d2ef4406234139ca2aab1c96244ef0fcddf4ce1a5c59a9eaf48191cb36f
Instruction Fuzzy Hash: 7E825A36A0420DDFCB25CF68C984AAEBBF2FF89310F158659E416DB261D778E851CB50

Function 05375429 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0537596E
Hbq, xrefs: 0537583A

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 63c514b106abaa66a9658c7d1e98c676f99fec113a9e4d63052333beaed001c2
Instruction ID: dd3c7125226c37d7bb74b34edb062cf392db5098212ef301593decd325e7d817
Opcode Fuzzy Hash: 63c514b106abaa66a9658c7d1e98c676f99fec113a9e4d63052333beaed001c2
Instruction Fuzzy Hash: 1D127174E002199FCB29DF69C894AAEBBF6BF88300F148569E405DB391EB34DD45CB90

Function 06797F50 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0679818A
PH^q, xrefs: 0679819B

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c90a20bf29b49486ad04f537883f2f0ca78c5256f13172dc00f490530bd4d84f
Instruction ID: 748e322f9b3fb1d6df90a5e48b633a47ea11e8f12d911823d640b2fefeb8b65c
Opcode Fuzzy Hash: c90a20bf29b49486ad04f537883f2f0ca78c5256f13172dc00f490530bd4d84f
Instruction Fuzzy Hash: 0481CD74E00218CFDB58CFAAD994BADBBF2BF89300F20846AD419AB354DB355985CF51

Function 06790498 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428c7d51f740eb78fc1bef364585f51cc96276347d733078a1f4803112859a3f
Instruction ID: 13d784770b8b6315d3a0ad55c173f5c971bb4097b71631b38e2e864a6e6d7769
Opcode Fuzzy Hash: 428c7d51f740eb78fc1bef364585f51cc96276347d733078a1f4803112859a3f
Instruction Fuzzy Hash: 16826E74E012288FDB64DF69D998BDDBBB2BF89300F1081EA940DA7265DB315E85CF50

Function 0537E3D0 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f63d04b16b7d44f7cd1d3e24442a78d09f65b07aa1912c10dc7e95fde4bb9b
Instruction ID: 08ec83aa125e177a4a8b46f65cf1401b101542a25d460754220889feb23ca40b
Opcode Fuzzy Hash: 32f63d04b16b7d44f7cd1d3e24442a78d09f65b07aa1912c10dc7e95fde4bb9b
Instruction Fuzzy Hash: D972D074E052298FDB64DF69C884BEDBBB6BB49300F1091E9E409A7355DB34AE81CF50

Function 067A9FC8 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b0fa959022d0e7d85935faa8365935859b8a5f92bb51e21b71686f8598c230
Instruction ID: 13589d70be1cb7fdc8120a7e2f582a9bf94811132fc650f62454eead35cd867f
Opcode Fuzzy Hash: b7b0fa959022d0e7d85935faa8365935859b8a5f92bb51e21b71686f8598c230
Instruction Fuzzy Hash: B3527A31A00719CFCB55CF68C880AAEB7B6FF85300F1589A9E955AB291D771ED85CF80

Function 059570B0 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf8e063986e63f9d8aa1572fb6b57f9ccbeccf62958b6d29c105f15d35dc075
Instruction ID: 785a4fa6b6f464296b108e730bc351a4c06432d4ae1ce61bccb90ec6a5e1c809
Opcode Fuzzy Hash: cdf8e063986e63f9d8aa1572fb6b57f9ccbeccf62958b6d29c105f15d35dc075
Instruction Fuzzy Hash: 8EF1E374E01218DFDB14DFA9D884B9DBBB2FF88314F5091A9E808AB355DB309A85CF50

Function 067978F8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5d9645284d70efbe46c91dd03b929bf9ab46f843418a35c3a2d3532956dc9e
Instruction ID: 8a4be5b58b7c3aac5ce0ab171d9bf1d9fcb6dbbc170a6e187c87114583a568b8
Opcode Fuzzy Hash: 0c5d9645284d70efbe46c91dd03b929bf9ab46f843418a35c3a2d3532956dc9e
Instruction Fuzzy Hash: 15E1CF74E01218CFEB64DFA5D994B9DBBB2BF89300F2081A9D408A7394DB355E85CF50

Function 0537F0E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee819ee69890523399047cda39d649e1ff1af6241ce0803f7764178554a13314
Instruction ID: 47ad0818d7499cc90a0aaaca8a92a04c67e5a99484ea7681d1b7aaf5a912404b
Opcode Fuzzy Hash: ee819ee69890523399047cda39d649e1ff1af6241ce0803f7764178554a13314
Instruction Fuzzy Hash: 7EC19074E00218CFDB54DFA5D994B9DBBB2FF88300F2085A9E809A7355DB359A85CF50

Function 0595B510 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014fde2120bc97f382d24bf415fb3d7e8d315b2a36a23f47750cd529385aac8d
Instruction ID: 66bac584efe31be58d22f35c8def9064c845fc82bb207d979577481a2a36abd1
Opcode Fuzzy Hash: 014fde2120bc97f382d24bf415fb3d7e8d315b2a36a23f47750cd529385aac8d
Instruction Fuzzy Hash: 9BC1A174E00218CFDB54DFA5C994B9DBBB2BF89310F2081A9D809AB365DB359E85CF50

Function 06795610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb55e5e790c20ffca0f0c37c4b92d04a9f6acd8af6d09ec9280618ae9dc23fed
Instruction ID: 4461d29cb62cd8f12cc39677341d502b42416280086ace68b43b5de33f5ff4bd
Opcode Fuzzy Hash: fb55e5e790c20ffca0f0c37c4b92d04a9f6acd8af6d09ec9280618ae9dc23fed
Instruction Fuzzy Hash: 3DC1A274E00218CFDB55DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 0679BE38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e83c7f06ed44a93ac6e71a8d913f6d3c2c6609c1e9ff3ff048c1af8443496f2
Instruction ID: f0cf526dae9f7b3afc3e7967c2d506ad773863f463294eb4c42ce7b91d9fa4bc
Opcode Fuzzy Hash: 8e83c7f06ed44a93ac6e71a8d913f6d3c2c6609c1e9ff3ff048c1af8443496f2
Instruction Fuzzy Hash: 71A1A5B4E012188FEB58CF6AD944B9DFBF2AF89300F14C1AAD40DA7255DB305A85CF51

Function 067997D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d230809a360fda8a96078e3e2500c7d7bf5e8ed2fd9fd261bc15780da9dca85
Instruction ID: 43e748cdcbde126874ef9bd1f3aee3b066b4b15c865b896fd09c751709458615
Opcode Fuzzy Hash: 2d230809a360fda8a96078e3e2500c7d7bf5e8ed2fd9fd261bc15780da9dca85
Instruction Fuzzy Hash: 1FA1B374E01218CFEB68CF6AD944B9DBBF2AF89300F14C1AAD50CA7255DB345A85CF61

Function 0679B7D0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107df867d6b03b5843b99fffba87e77ed3600aa4ac8762c827e6db56c5cb14c0
Instruction ID: d8de44a1797571a4d89fa483ee0e56ef712afd5a8df3cc8a8e495cd2fa649d1b
Opcode Fuzzy Hash: 107df867d6b03b5843b99fffba87e77ed3600aa4ac8762c827e6db56c5cb14c0
Instruction Fuzzy Hash: 8BA19374E01218CFEB68CF6AD944B9EBBF2AF89300F14D1AAD40DA7255DB305A85CF51

Function 0679AB00 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec8f155a0c1c2ca1b19302fedba6a7e6259677853409089ad81dc86e4dc031a
Instruction ID: 9a91fb07e828e85362e46ccb260518c85ca84c4bce303533fc17f475ddfe9356
Opcode Fuzzy Hash: 1ec8f155a0c1c2ca1b19302fedba6a7e6259677853409089ad81dc86e4dc031a
Instruction Fuzzy Hash: 8BA19474E012188FEB68CF6AD944B9DFBF2AF89300F14C1AAD40DA7255DB345A85CF61

Function 0679CB00 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27619f0a1c2e63a989ddef683a64e81d6694fe1fd4bcedf3b7fa4e9af58689fa
Instruction ID: e475a12e5c0da4ef2580cc24248b7215a9693c8309e4af32e42a50a3346c1e9c
Opcode Fuzzy Hash: 27619f0a1c2e63a989ddef683a64e81d6694fe1fd4bcedf3b7fa4e9af58689fa
Instruction Fuzzy Hash: 73A1A475E016188FEB68CF6AD944B9DFBF2AF89300F14C1AAD40DA7255DB305A85CF60

Function 0679B168 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1ee1049b3ef9faea2a6cff662272ab1ce9cb813f412c712a6f69536fe82a52
Instruction ID: 4abfa7aab20d37e423c20c849073b105825f4f856216fa63fcd3101787ebf571
Opcode Fuzzy Hash: ef1ee1049b3ef9faea2a6cff662272ab1ce9cb813f412c712a6f69536fe82a52
Instruction Fuzzy Hash: A4A19474E01218CFEB68CF6AD944B9EBBF2AF89300F14C1AAD40DA7255DB345A85CF51

Function 06799E40 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3cca788ccb3d8836f2ca8d2afee1f671d18cf47539d7d8d3d88bfb6a6ac9e
Instruction ID: c2d1de65dca435488937757d77760a2c49d1f594ef053dfebe249a069c3bd0ad
Opcode Fuzzy Hash: f9d3cca788ccb3d8836f2ca8d2afee1f671d18cf47539d7d8d3d88bfb6a6ac9e
Instruction Fuzzy Hash: 9AA1A374E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD409A7255DB345A85CF61

Function 0679A4A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600ae845ab28a69160620d1d17d37520cacc3150e4142267aa9b7cb009333d20
Instruction ID: 48a0b074723039e800a40f528711f026a86cdd905c530e524ff74ea4954a6b8c
Opcode Fuzzy Hash: 600ae845ab28a69160620d1d17d37520cacc3150e4142267aa9b7cb009333d20
Instruction Fuzzy Hash: D1A1A474E012288FEB68CF6AD944B9DFBF2AF89300F14C1AAD40DA7255DB345A85CF51

Function 0679C4A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3c591b98d82bc90a45f6b9817cba1948086b6f351e579b64ace5a75ce2b311
Instruction ID: 29a785604b460ef05600a9e8f1ddd11fd29e21fb92f1a5ed6fcc38cf46fd4029
Opcode Fuzzy Hash: 8f3c591b98d82bc90a45f6b9817cba1948086b6f351e579b64ace5a75ce2b311
Instruction Fuzzy Hash: EEA1A371E012188FEB68CF6AD944B9DBBF2AF89300F14D0AAD408A7255DB305A85CF61

Function 0537E3C0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458eb05829a1cfb8631f377e080b66fd844c00558998ab8a531c1eb9fe5d1844
Instruction ID: c94c31a1a2b81df9bea1cd48335887e02b4ef23589133094d0b448636cd8cb3f
Opcode Fuzzy Hash: 458eb05829a1cfb8631f377e080b66fd844c00558998ab8a531c1eb9fe5d1844
Instruction Fuzzy Hash: DF71A175D01228CFDB28DF66C9846DDBBB6AF89301F1491EAD409A7264DB349A86CF10

Function 06799E32 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c766bae0f6844a58d5c5bff91e8d9526174f56c5924e8305a419b03068ebf7
Instruction ID: 3814da94bd934291c2ef1d2702f843bb1dd0057de5bfd6dad782ade92ea50fb6
Opcode Fuzzy Hash: 09c766bae0f6844a58d5c5bff91e8d9526174f56c5924e8305a419b03068ebf7
Instruction Fuzzy Hash: BD719771E016288FEB68CF6AD944B9DFBF2AF89300F14C4AAD50DA7254DB305A85CF51

Function 0679A490 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc66caa2dd96382e0634e95de3fe730b4828ff77f2637a0b71d7119266e0b36
Instruction ID: 207e1ba2fb3eb5c912735fdf6e020a255ad3287e82a2bdf6bf3363993fecd766
Opcode Fuzzy Hash: 3fc66caa2dd96382e0634e95de3fe730b4828ff77f2637a0b71d7119266e0b36
Instruction Fuzzy Hash: 6171A771E016188FEB68CF6AD944B9EFBF2AF88300F14C0AAD40DA7254DB304A85CF51

Function 0679C490 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99df1383220c1d522365be1e1d132c605d30734bed665f4b0a5e9b5a725cf08
Instruction ID: b87098e96fa0556968faffd45c026933673931901079284296c1039bc3fad9b2
Opcode Fuzzy Hash: c99df1383220c1d522365be1e1d132c605d30734bed665f4b0a5e9b5a725cf08
Instruction Fuzzy Hash: CD719671E01618CFEB68CF6AD944B9DFAF2AF89300F14C1AAD40DA7255DB305A85CF51

Function 067978E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a1766f8b3a6cf2c5963a345ebb03c67f7ec342c67078fe590b7af0136588dc
Instruction ID: 7d1d06ab2bafd68ddeb475452afde4faa15cddbd192d57769cf6cb1e951216b4
Opcode Fuzzy Hash: 05a1766f8b3a6cf2c5963a345ebb03c67f7ec342c67078fe590b7af0136588dc
Instruction Fuzzy Hash: C741F3B0E002088BEB58CFAAD9547DEBBF2BF89300F14C16AC418BB254DB355946CF64

Function 067AF7F0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b66d9cf5bc64f411b0b049cd17b05c5fe6bf1094e899af8e366df1ee1b56cb3
Instruction ID: f01015d05ffefc6dfc3849684d296eff8966fb5f5b7a0c8e9c9b20954960df90
Opcode Fuzzy Hash: 9b66d9cf5bc64f411b0b049cd17b05c5fe6bf1094e899af8e366df1ee1b56cb3
Instruction Fuzzy Hash: 584111B5D052489FCB11CFA9EA80ADDBBF0EF99310F24802AE458BB210D3399945CF54

Function 0679CAF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79844251b906159ba2395455419b629acb77468508ed541a80d90f00564529a
Instruction ID: 42f9b9d3944cacb91ce97280dbf2fe3c21b3a62254a2c4108845c2d6d1a34fda
Opcode Fuzzy Hash: c79844251b906159ba2395455419b629acb77468508ed541a80d90f00564529a
Instruction Fuzzy Hash: 805159B1D016188BEB58CF6BDD4579AFAF3AFC9300F14C1AAD50CA6254EB740A858F51

Function 0679AAF0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccee48e9dfe205465bdf04777429b37b19486ef485000668e26b0fb7efb2402
Instruction ID: 03bdcadafd0ef12f5d4bebaabf2359305dac310f01fcc878f7c885a9196b7f67
Opcode Fuzzy Hash: 4ccee48e9dfe205465bdf04777429b37b19486ef485000668e26b0fb7efb2402
Instruction Fuzzy Hash: 41416BB1E016188BEB58CF6BD9457D9FAF3AFC8304F14C1AAC54CA6264EB3409858F51

Function 0679B7C0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc52caab2aeffa91b03344e1980688750465e520abd61c7730a43b48c2dced0
Instruction ID: e72c3d311c64ef6ae976eeb4a1e74f68832769c03b4a13705c68753aba131922
Opcode Fuzzy Hash: adc52caab2aeffa91b03344e1980688750465e520abd61c7730a43b48c2dced0
Instruction Fuzzy Hash: 0F416A71D016188BEB58CF6BD9457CAFAF3AFC8304F14C1AAC50CA6254EB740A85CF55

Function 0679BE27 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d3f639e1833d7190d01ec60a5a27773a5b701ea0189ed60e305ff52163de58
Instruction ID: 264a3784049c5ad4737a69c5088836434dd3d16fe8c6f01f073bd9e5457dc95a
Opcode Fuzzy Hash: 01d3f639e1833d7190d01ec60a5a27773a5b701ea0189ed60e305ff52163de58
Instruction Fuzzy Hash: A14168B1E016188BEB58CF6BD9457DAFAF3AFC9304F14C1AAD50CA6264DB340A85CF51

Function 067997C8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd48839f326e74d50a1aa76fcfffc46eadf0bd85dcf9509bc549e36d171cea3
Instruction ID: 9422226dd6bbde4a40834806908df9e74172df9d3dcbd4e54db00b07033d29c5
Opcode Fuzzy Hash: 3fd48839f326e74d50a1aa76fcfffc46eadf0bd85dcf9509bc549e36d171cea3
Instruction Fuzzy Hash: 0A4159B1D016188BEB58CF6BD9457DAFAF3AFC9310F14C1AAD50CA6254EB340A85CF51

Function 0679B159 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c309014520d4b4f9895dc5eade6e259c592a84275f7341ad8445ff2c8c835bd7
Instruction ID: 5e32fdbaa608c2ca6b6edde3a6373693828d609d9bd80e782b972623395331b6
Opcode Fuzzy Hash: c309014520d4b4f9895dc5eade6e259c592a84275f7341ad8445ff2c8c835bd7
Instruction Fuzzy Hash: 3A4169B1E016188BEB58CF6BD9457DEFAF3AFC8314F04C1AAC50CA6264DB340A858F51

Function 0537F0D8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec1df8f49b4e09c0239e1eda27700e4d8cab01ed7817d15b1731e8a3f4d7979
Instruction ID: ac7051691acc4a348f0e2dfcc6ca8cbff8886337c1f7c0368dee3b8159e4f4d9
Opcode Fuzzy Hash: 4ec1df8f49b4e09c0239e1eda27700e4d8cab01ed7817d15b1731e8a3f4d7979
Instruction Fuzzy Hash: 8B41D274E0124CCBDB18DFAAD9446EEBBF2BF88300F24D12AD419AB254DB385946CF54

Function 06795601 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc307eaa392973813757410728a3965b72bfd72051ebf9ed7fb496d0e1a64680
Instruction ID: e54032ee966b1cf42305778dae81e76dad2ee01b4f3c5d983aa316f0277de455
Opcode Fuzzy Hash: cc307eaa392973813757410728a3965b72bfd72051ebf9ed7fb496d0e1a64680
Instruction Fuzzy Hash: CE41F570E00258CBEF18DFBAD9546AEFBF2AF88300F24D12AC418AB255EB345945CF50

Function 0595B501 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e445a163b81fed2e9a12dfe85f12290471feea660a6bc3c7eae47b8ffb669b
Instruction ID: 73317c135170fa41377c25eb2ce000ce7cd492fceea10b8c98e68662ec5e97b6
Opcode Fuzzy Hash: 85e445a163b81fed2e9a12dfe85f12290471feea660a6bc3c7eae47b8ffb669b
Instruction Fuzzy Hash: F641E4B1E01208CBDB18DFAAD9546EEBBF2AF88310F20D12AC419BB255DB345946CF40

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 0537618A Relevance: 10.5, Strings: 8, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 053761C6
,bq, xrefs: 05376638
,bq, xrefs: 05376628
(o^q, xrefs: 05376281
(o^q, xrefs: 053762AD
(o^q, xrefs: 053766A7
(o^q, xrefs: 05376697
(o^q, xrefs: 0537634A

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 3a9643fa0f7e2a8e9e098c1c62f824ac9db6c70892e3417609f44260fd0d1e7f
Instruction ID: 7e51ee9cdeb37d3d7da54086bfad3217c39cfa7678079faae127e5954468831a
Opcode Fuzzy Hash: 3a9643fa0f7e2a8e9e098c1c62f824ac9db6c70892e3417609f44260fd0d1e7f
Instruction Fuzzy Hash: 7B126C30A00A48DFCB24CF68C595AAEBBF2FF48314F148569E40AEB265DB74EC45CB50

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 05377B30 Relevance: 4.2, Strings: 3, Instructions: 495COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05377B49
4'^q, xrefs: 05377B6F
;^q, xrefs: 05377F64

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: cbffd2c7ad12dddf963a49eafe01d5ff901cee65d2ff80deed539a39075e360f
Instruction ID: b1413b8c4633145a552ce98d3bb82ab922a7abb07dfa8a73f24d2c19fc74a9fd
Opcode Fuzzy Hash: cbffd2c7ad12dddf963a49eafe01d5ff901cee65d2ff80deed539a39075e360f
Instruction Fuzzy Hash: CCF18F30B042098FDB389A39C458B397BAAFF85604F1944AAE507CF7A5DA6DCC82C751

Function 05376F28 Relevance: 3.2, Strings: 2, Instructions: 692COMMON

Download Yara Rule

Strings

$^q, xrefs: 05377A6F
$^q, xrefs: 05377A4C

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7679a03d519a64cfcb7f0a0f4b20db567b5abc7d7a7d494bdee6c10d75b71a27
Instruction ID: 84ba66a2792f8d74fc1e2dea0d17969904acae2d17300100c13e45b740a1cb7c
Opcode Fuzzy Hash: 7679a03d519a64cfcb7f0a0f4b20db567b5abc7d7a7d494bdee6c10d75b71a27
Instruction Fuzzy Hash: F8521274A0021CCFEB64DBA4C894B9EBB77EF94300F1081A9C10A6B3A5DE359D85DF51

Function 067916C0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06791819
LR^q, xrefs: 067916EC

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 64ace89f153408c2a310d4f415cc5583c4decb5595796d56421bb27cfe51b6d6
Instruction ID: 32b21fdd36160b355dd45ea3fca43bf70a22aec612ae47798ab52e834ba45fa6
Opcode Fuzzy Hash: 64ace89f153408c2a310d4f415cc5583c4decb5595796d56421bb27cfe51b6d6
Instruction Fuzzy Hash: A781C034B101068FCB48DF79D854A6E7BF6FF89614B5581A9E506DB3A1DB30EC02CBA1

Function 05374F10 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

,bq, xrefs: 05374FF6
,bq, xrefs: 05375000

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 7d0487dff2dee43b9da2b6fa461d38ac8d9fcc5496d041fa5e8ae275cd2d2947
Instruction ID: 6fdaca488e90c84cc15408c63393fc0d3f4215623f94732cc2d0c37e94c86ce7
Opcode Fuzzy Hash: 7d0487dff2dee43b9da2b6fa461d38ac8d9fcc5496d041fa5e8ae275cd2d2947
Instruction Fuzzy Hash: 6081A134F04109CFCB28DF69C89496ABBF6BF89305F1581A9D416EB361EB35E841CB91

Function 06798878 Relevance: 2.7, Strings: 2, Instructions: 223COMMON

Download Yara Rule

Strings

(&^q, xrefs: 06798993
(bq, xrefs: 06798A52

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: e32ffeb5271f1bb9bfc5236c8ea833eaa8f3bd3549c19b26e426319c5f0cb9aa
Instruction ID: c87c007c0c4503e4084a126f11d7c3f039f38a19386312ebe790b8adb3dbed81
Opcode Fuzzy Hash: e32ffeb5271f1bb9bfc5236c8ea833eaa8f3bd3549c19b26e426319c5f0cb9aa
Instruction Fuzzy Hash: D3717D31F002199BCB55DFB9D8506EEBBF6EFC9740B148529E405AB380DE309D42CBA6

Function 05378A2D Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05378BFD
4'^q, xrefs: 05378C14

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 80f0592895165e09549da6dc749d12d7f1e32d119ff7c0e377dc9847dc709c69
Instruction ID: faed32515ecf48370744566fab96d5580c43b386ab9de4005eaf086a6ffac00f
Opcode Fuzzy Hash: 80f0592895165e09549da6dc749d12d7f1e32d119ff7c0e377dc9847dc709c69
Instruction Fuzzy Hash: F071B471B002099FDB25DF68C888BBABBE6FF88310F148466E905CB355DB75D852CB91

Function 053749C0 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05374ADE
Hbq, xrefs: 05374AAB

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: d4ee3dbf9ce6e4040800267c12864b5be200f16ee1ad5428e7a19ef87d3ce88d
Instruction ID: 953be632c1e56274de0c649b021fdb4a21ef25196c6712995b44feca7012f788
Opcode Fuzzy Hash: d4ee3dbf9ce6e4040800267c12864b5be200f16ee1ad5428e7a19ef87d3ce88d
Instruction Fuzzy Hash: 0241BB35B046589FCF618F24D844B6F7BF6FB88300F058918E8069B280DB78E811CBA5

Function 05372B28 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 05372B5E
Xbq, xrefs: 05372B35

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 98dff14e3a314abe8a86237f8892833907803c2679ecf04a4677f8bcbd653e5f
Instruction ID: a0c6a5002529eea216f835d15c03ac3aa28fa60cfc93662f95d80b29a9c5fd78
Opcode Fuzzy Hash: 98dff14e3a314abe8a86237f8892833907803c2679ecf04a4677f8bcbd653e5f
Instruction Fuzzy Hash: E831C439F0422E8BDB3C9E7A49D427B65DBBBC4250F14483AF807C7394DBB8C84586A1

Function 067AE830 Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3fc9994d8b50d643852424c80ad736057e6f5cc04ec621890879593483aa26
Instruction ID: 75cf642763c4c0bc1405b863f7105bec9760241168cc04e50d6c98a4678faea2
Opcode Fuzzy Hash: 3f3fc9994d8b50d643852424c80ad736057e6f5cc04ec621890879593483aa26
Instruction Fuzzy Hash: F6A1F1B5C053489FDF51CFA9C980ADDBFB1BF4A300F1491AAE448AB262D7309985DF51

Function 067AC590 Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aa5a3fcd229c828c3875439ee0d73ee7ad2129bafd7191d433ecf95daa0184b8
Instruction ID: 1561177cb1e030e39c2baa1b46389fff4c53aad19e82b3cbfccb8aa9b4342ea4
Opcode Fuzzy Hash: aa5a3fcd229c828c3875439ee0d73ee7ad2129bafd7191d433ecf95daa0184b8
Instruction Fuzzy Hash: 73912370A007089FDB65CF69D584AAABBF1BF88300F108A29D44AE7750E770E845CB95

Function 067ABC1C Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 067AEAB1

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 69bb5e225640a280c05380ab9c2425f0da5f12ff670fa7c18ad11315c183dd90
Instruction ID: 2699871b615ed4b5b5710b471150faed8cfb1e62b50207ec4a746fc4d6b9b0a8
Opcode Fuzzy Hash: 69bb5e225640a280c05380ab9c2425f0da5f12ff670fa7c18ad11315c183dd90
Instruction Fuzzy Hash: DC7169B4D00318DFDB60CFA9C984ADDBBF1BB49304F1491AAE858A7211D770AA85CF45

Function 05370006 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

LR^q, xrefs: 05370208

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 443ff81424ee2d2448ca8e74f5a021065b1312c8859b39a9b7750e79cca94910
Instruction ID: dd42777397647b88e293c00a6e31d8abc9622d5c42c7d0ba5f86e35de5c46b17
Opcode Fuzzy Hash: 443ff81424ee2d2448ca8e74f5a021065b1312c8859b39a9b7750e79cca94910
Instruction Fuzzy Hash: 7822E538D41219CFCB55EF65E994A8EBBB1FB49300F108BA5D509A7368EB306E85CF50

Function 05370040 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

LR^q, xrefs: 05370208

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 77458915962d93c7d96630a04ea02e7f47e6277b89a8a42063926f2bf957a823
Instruction ID: f9706fa3346167d83fb7bc4e6c866732e4bd9abd1f3e6b2b45efedb7b7855b6a
Opcode Fuzzy Hash: 77458915962d93c7d96630a04ea02e7f47e6277b89a8a42063926f2bf957a823
Instruction Fuzzy Hash: 5C22E638D41229CFCB55EF65E984A9EBBB1FB49300F108B65D509A7368EB306E85CF50

Function 067A3D98 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067A3E6B

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 67dc6d59e9b118323535f6c6e59271e1e6bd049d79fd793d7ebe7cbfe35edc44
Instruction ID: 9291834c369a97d6d874ad41c7c36a8087194559128337d693eb984e705fee34
Opcode Fuzzy Hash: 67dc6d59e9b118323535f6c6e59271e1e6bd049d79fd793d7ebe7cbfe35edc44
Instruction Fuzzy Hash: 024166B9D002589FCB10CFA9D984ADEFBF5BB49310F14942AE918BB320D335A945CF94

Function 067A38AC Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067A3E6B

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a514e79f339c3d8a754baa877710c92439389880a35868597433e9950d7c7744
Instruction ID: 487ecbca56f0fa1c23cfd8eca0a04924a6e709d654b71074f8cbc526690b380e
Opcode Fuzzy Hash: a514e79f339c3d8a754baa877710c92439389880a35868597433e9950d7c7744
Instruction Fuzzy Hash: 004156B9D042589FCB10CFA9D984ADEFBF4BB49320F14906AE918BB310D335A945CF94

Function 02AFF4D8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02AFF57C

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 79c509a56af937f65545c504b5883b4ac079d8295ae34f25af7827ffa73495e2
Instruction ID: 05e7e697d4e225774cf2efb09ab8ba57297be20b0d71d426ebdfc25c20590528
Opcode Fuzzy Hash: 79c509a56af937f65545c504b5883b4ac079d8295ae34f25af7827ffa73495e2
Instruction Fuzzy Hash: 073197B5D012589FCB14CFE9D984ADEFBF0AB49310F24942AE819B7210D735A945CF58

Function 067ABA64 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 067AC812

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fbff2cd6c7aeb0047e1ba521e224921df55991aada4f9f22250fdca8c34fe62d
Instruction ID: 5419acc5d3a2d91955215a510990712647623949609e2fcbfd8bfe1e5d2a4f9f
Opcode Fuzzy Hash: fbff2cd6c7aeb0047e1ba521e224921df55991aada4f9f22250fdca8c34fe62d
Instruction Fuzzy Hash: E231AAB4D00258DFCB14CFAAD584AEEFBF5AB49310F14906AE818B7320D774A945CFA4

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 05379D80 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(o^q, xrefs: 05379F09

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: b6448c96e5387360a16dceb58a6901b9258068bbdf7b40f009c236c4e63c31db
Instruction ID: 2100c352d9a87f63f9a8e4608ac9fe8d35ac2b61a61c1619463e6cc179761a67
Opcode Fuzzy Hash: b6448c96e5387360a16dceb58a6901b9258068bbdf7b40f009c236c4e63c31db
Instruction Fuzzy Hash: 5141BD36B402089FCB14AB69D858BAF7BF7FBC8610F144569E906D7780DE749C02CBA0

Function 05375A60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

(o^q, xrefs: 05375FD5

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 44566970b6ec36b04f322fb4828add2a27b66ebdf03103c1dae13bdcee58ebb3
Instruction ID: bf510e4be2fa40040534e808020bc3ee322a02d8066a6158f983f0699fecb717
Opcode Fuzzy Hash: 44566970b6ec36b04f322fb4828add2a27b66ebdf03103c1dae13bdcee58ebb3
Instruction Fuzzy Hash: F241B230A00248DFCB29DF65C884BBABBF6FF49300F04846AE8559B251DB78DC55CB91

Function 02AFF7A8 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 02AFF826

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fcd3f0cd4c079df3bac16260b3b683da49643bdbfe374626c2972282e6e67d82
Instruction ID: 2c99cef778af5282374251b2e4669432be0ea2b9e1401ad71b4d0c6bd2f797eb
Opcode Fuzzy Hash: fcd3f0cd4c079df3bac16260b3b683da49643bdbfe374626c2972282e6e67d82
Instruction Fuzzy Hash: E531AAB4D012189FCB14CFAAD984ADEFBF4AB49310F20942AE815B7350CB34A941CF98

Function 05379F48 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990f90fe0dca49b8d6157ca347cb62da64c3b1974234aa496e2a2f0d609e2b9e
Instruction ID: cd32f553c84dcf93bb682531acb90619834a1c84b86f92842b47341cfad36734
Opcode Fuzzy Hash: 990f90fe0dca49b8d6157ca347cb62da64c3b1974234aa496e2a2f0d609e2b9e
Instruction Fuzzy Hash: BAF10A75E005189FDB14CFA8D488AAEBBF6FF88310B158599E415EB3A1CB79EC41CB50

Function 05376768 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692389164e43caa4ab2b0e5274f9d761a52eab060d71f928a4bc9d56cb204b56
Instruction ID: 4db84598deb1ab1947d30ec0961613bc4fa8d6d47c68ea3f8294e67b4326d7bb
Opcode Fuzzy Hash: 692389164e43caa4ab2b0e5274f9d761a52eab060d71f928a4bc9d56cb204b56
Instruction Fuzzy Hash: DA712C34B04A098FCB25DF29C8A9B6E7BE6BF49600F1940A9E406DB371DB78DC41CB51

Function 0537C397 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60eb707bea2f62cd0231d1f8b3a771ef1ec7d5245d8e10c15b1ae55a38498ae5
Instruction ID: dfe867334f0ab3d63fb22354391a1e7bbb6e4e2e0a5e165f0ebe7e2a711b83ed
Opcode Fuzzy Hash: 60eb707bea2f62cd0231d1f8b3a771ef1ec7d5245d8e10c15b1ae55a38498ae5
Instruction Fuzzy Hash: 0651F0388B464A8FD3582FA4AAAE6EB7FB0FB4F3537007E41F41A85045DF741598CA50

Function 06790488 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c5a6da161a4d3931f376524355acb3cf295f1c332465401f4a85366a53fc9a
Instruction ID: 1ccc1c9585cfdb5e0965dadaa6683ff3b5c2f467db7601d60d2fb3767093b195
Opcode Fuzzy Hash: 58c5a6da161a4d3931f376524355acb3cf295f1c332465401f4a85366a53fc9a
Instruction Fuzzy Hash: 5481AF74E412298FDB65DF29D890BDDBBF2AF89300F1081EAD848A7254DB715E81CF40

Function 0537C3D8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d92b0db7662089ee08ca983ca531ea43d2112bf5d50ba5b5d767de239d0a5c
Instruction ID: 4b0cfd87709da336aff8f763fcbfe7033ca11a71a5d14c25108a123c617587a0
Opcode Fuzzy Hash: 39d92b0db7662089ee08ca983ca531ea43d2112bf5d50ba5b5d767de239d0a5c
Instruction Fuzzy Hash: D4519C388B060A8F93582FB0AAAE6AB7EB5FB4F3537007E01F51E91044DF7415A8DE55

Function 05374B22 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb5df37fcb4c24011cfbd42657442ac5f23f065a8b7372bfd8eb6c315f83c9b
Instruction ID: a4ef08b830fce7cc9876a962999747141bd8b0aa41d2cfc82f2edde4f3325e61
Opcode Fuzzy Hash: 0cb5df37fcb4c24011cfbd42657442ac5f23f065a8b7372bfd8eb6c315f83c9b
Instruction Fuzzy Hash: 7651EF34B042499FCB299F388494B3E7BE7BBC8204B148969D546CB7A1DE79DC42C791

Function 0537D6A0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b2164439d39248462fbcbae85833aba219db64463d6fef560b3fe4757a4b49
Instruction ID: b08b31c6467ab1b928495ec39a2ee2e4c828f6a4ea1167ae5fc30276455aaf00
Opcode Fuzzy Hash: f5b2164439d39248462fbcbae85833aba219db64463d6fef560b3fe4757a4b49
Instruction Fuzzy Hash: 3B51E134D0121CDFDB15DFA5D994AAEBBB2FF88300F608529E409AB398DB759946CF40

Function 0537BCB0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dfe23af5a293634337e615686480e9fbeba72e6f18c726cfc21ed596e01e54
Instruction ID: 2ad15525a1d3cfeb184cf46fa96eedf5261e9046a9406693fb82bea781d2d076
Opcode Fuzzy Hash: 15dfe23af5a293634337e615686480e9fbeba72e6f18c726cfc21ed596e01e54
Instruction Fuzzy Hash: 0A519474E01208DFDB54DFAAD584A9DBBF2FF89300F248169E409AB364DB31A945CF54

Function 05373008 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25611da8af2823f567c01889088ca77f3292ad27b60ad855166eb7bd766cdcaa
Instruction ID: 3f72d4e005d2aa7dcba4c4d5fb9981b69c408cfc83d354122baa04e7ea54c4d5
Opcode Fuzzy Hash: 25611da8af2823f567c01889088ca77f3292ad27b60ad855166eb7bd766cdcaa
Instruction Fuzzy Hash: 5D51C875E01218CFCB19DFAAD58499EBBF2FF89300F209569E405AB364DB35A846CF10

Function 0679D168 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4988b44614fe6e39609c682f7a6f3431325b67a5f3d15010944f4f707f11bd63
Instruction ID: d253df1451f63c5682e75e4fd69e0928d43f8163f49bc8e800030f357900c172
Opcode Fuzzy Hash: 4988b44614fe6e39609c682f7a6f3431325b67a5f3d15010944f4f707f11bd63
Instruction Fuzzy Hash: D7411B35D4121ACFDB04AFB1D56CBEE7AF5EB8A346F005A64E10662290CB781A44CBA5

Function 0537E4A1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a71620089686c549318207f9680df29a791d893ef0e9ef087f54d7db6ab7685
Instruction ID: 89e558a1da8741b6be26072609faf8e87d2249bfdc481a91292856f4b0c7c547
Opcode Fuzzy Hash: 6a71620089686c549318207f9680df29a791d893ef0e9ef087f54d7db6ab7685
Instruction Fuzzy Hash: 4851AD74E01228CFCB24DF64D984BEDBBB6BB89311F1055EAE409A7350D739AA81DF10

Function 0537145C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309a2e074b424728f8924900cf99b160a51d9e240f381a28c6043f7136484731
Instruction ID: cb4202b83573146216998a4e42c25cb1e7f2f76389f2f2f47775bce63fff4795
Opcode Fuzzy Hash: 309a2e074b424728f8924900cf99b160a51d9e240f381a28c6043f7136484731
Instruction Fuzzy Hash: D7417E37E0824E8BCB26DBB8A8544FEFB70FF85230B188996C562F7155D6185916C3D1

Function 05379193 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caf4d4bb18419786c3c5cfb6d2af4fd8b01c4df6628145dcbc947a59685b759
Instruction ID: b8d6317114bdb9dcdf4671f4a6661f97a32ec7be2789d4535a7763348b3fc769
Opcode Fuzzy Hash: 3caf4d4bb18419786c3c5cfb6d2af4fd8b01c4df6628145dcbc947a59685b759
Instruction Fuzzy Hash: 93416C36A0424DDFDF21CFA5C844BAEBBB2FF49310F048255E815AB291D778D924CB50

Function 06798868 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad14a1e78239364762e19d54c4e17ab295b805462a87011345e2e26ad4b9bcd6
Instruction ID: 9c79e845e1ab8fb6fe67aaa2a10e6f59dab35553aebf18c3c43c3e5eabedce1c
Opcode Fuzzy Hash: ad14a1e78239364762e19d54c4e17ab295b805462a87011345e2e26ad4b9bcd6
Instruction Fuzzy Hash: BB415331E002199BDF14DFA5D890AEEBBF5EF89700F148529E405B7350DB70AD46CBA2

Function 06798640 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d570976b482ce9356d2e7f47611775a7264465e75db20fcad26f07b024d78ce
Instruction ID: e1f65357259deee41b8915953d30043cafc94ef46b3148193812042402f3b6fe
Opcode Fuzzy Hash: 7d570976b482ce9356d2e7f47611775a7264465e75db20fcad26f07b024d78ce
Instruction Fuzzy Hash: F9416BB9D042589FCF10CFA9D584ADEFBF0AB1A310F14941AE914B7310D335A951CF65

Function 0537CB76 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a849c93d0a4d9e6865393e905ab9d698007d46d306a2e73bcd2352fb22fcda
Instruction ID: edbbd6811c1d01be8e38b863d4522e5a444a57aa059a6c0600615131f408e68c
Opcode Fuzzy Hash: 73a849c93d0a4d9e6865393e905ab9d698007d46d306a2e73bcd2352fb22fcda
Instruction Fuzzy Hash: 45414974E1560CCFCB24DFA8E494AEDBBB6FB49301F60A169E016AB244DB799C41CF14

Function 06798E39 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecac823a8142ccd48a3e530f3dd22065412ef3d2aa6565a89c3ac4686a59452
Instruction ID: 43b1d6ba1a47448d67548b9e3a66636f37d7ecf015f16f00fb91a4ae97912fae
Opcode Fuzzy Hash: 8ecac823a8142ccd48a3e530f3dd22065412ef3d2aa6565a89c3ac4686a59452
Instruction Fuzzy Hash: 6B41EE78E002188FDB44DFA9E5947EEBBF2BF49304F10952AE415A7294DB345A4ACF50

Function 06798D00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94b587d38e6267015a555f51ae2f7a2d3b6c03f5a8f33458342a1ad64e14688
Instruction ID: 010923b0a2c95b81c6f24c5f4927291dd97451c179eb40bab80842ded12bfa77
Opcode Fuzzy Hash: b94b587d38e6267015a555f51ae2f7a2d3b6c03f5a8f33458342a1ad64e14688
Instruction Fuzzy Hash: 494179B9D002589FCF00CFA9D584AEEFBF0BB19310F14A42AE914BB250D335A951CF68

Function 06798E48 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539eb5b68a1cbcc5fb42f0c60c970ef7dc9c4d7eb0790b3001eea4434734266e
Instruction ID: 3df2a88e12370924c7ce8ddc9d06b08a2190e1f75c4073bea6273f67e2ee4e07
Opcode Fuzzy Hash: 539eb5b68a1cbcc5fb42f0c60c970ef7dc9c4d7eb0790b3001eea4434734266e
Instruction Fuzzy Hash: D541C078E0021CCFDB44DFA9D5946EEBBF2BF49304F10952AE415A7294EB346A4ACF50

Function 0537CB16 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68f47e9bbfcbb66e32d4b683bb24612ee46c08a0bf88a7f8105d922f9f58304
Instruction ID: ecaf6464f6743e9d7977467bb84a2330b209068a067adcbdd603b544f8b5b33b
Opcode Fuzzy Hash: f68f47e9bbfcbb66e32d4b683bb24612ee46c08a0bf88a7f8105d922f9f58304
Instruction Fuzzy Hash: 6F410270D1560CCFDB24DFA8E584AEDBBB6FB49301F20A169E405A7280DB799C81CF64

Function 0537C9C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813454e561c4991b3b4570bd180ff4b32f0fad06a6bec68f4ac66357cf85fe63
Instruction ID: da71fb8f6c8157731c7dce464a6be5fdac4c87585e22ce2783961d8d3f400be4
Opcode Fuzzy Hash: 813454e561c4991b3b4570bd180ff4b32f0fad06a6bec68f4ac66357cf85fe63
Instruction Fuzzy Hash: 11413870D1160C8BDB24DFAAD444AEEBBF6BB89301F14E125E404B7254DB799C41CF64

Function 053740E0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ffadd34fb418dcd69c4bd900c4797b316ffa63992bd69c19a41b70a471299b
Instruction ID: bd2b4cdacaf8453b79d0f247eedee549381ad5687ca8d68ade04f543d661e34d
Opcode Fuzzy Hash: 09ffadd34fb418dcd69c4bd900c4797b316ffa63992bd69c19a41b70a471299b
Instruction Fuzzy Hash: 39316035B0514D9FCF15AF68E854AAF7BA7FB88300F008059F9199B294CB78D961CB90

Function 0679D158 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480bce78c93f2610985afce5a4ce5b546f4a68af2b7cccbb6ab972a8ba6efe4c
Instruction ID: 872ea24d21f77069f8a9545c6f71814ef205b8f6a00352b953711ac0ad5fe273
Opcode Fuzzy Hash: 480bce78c93f2610985afce5a4ce5b546f4a68af2b7cccbb6ab972a8ba6efe4c
Instruction Fuzzy Hash: F5315C35D40219DFDB44AFA5D86CBEF7BF5EB4A306F009A24E10567280CB781A44CFA1

Function 053740B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2c28d2ffb598f9cce3cea8fa22598bc948f9075145bfce29ce393792ef8eb6
Instruction ID: 4a03f0f0d13f8fb268be09375a84acc036c86147baded70da15ee1ab6d577e82
Opcode Fuzzy Hash: 8f2c28d2ffb598f9cce3cea8fa22598bc948f9075145bfce29ce393792ef8eb6
Instruction Fuzzy Hash: 65314D31B0919D4FDB11AF2CD8547AB3FA6EF86304F0040AAE445CB255CB78D959CB91

Function 05376A10 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe8b6fb59fcafc1560def02aadd3cf676523f9b626acebb01a761de47580660
Instruction ID: 0f7c81faeaa51e09be743c74eebc236bcbba34906d2f2058a70a34921550a085
Opcode Fuzzy Hash: fbe8b6fb59fcafc1560def02aadd3cf676523f9b626acebb01a761de47580660
Instruction Fuzzy Hash: B0210370B04E1D4BDB345626C466A3E6A9BAFC5758F24C038D406CB795EEADCC42C781

Function 05376A01 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278be6c08e1a9182347fa57840c6c38bf03bb17a3251e527e105b750df7c4bd1
Instruction ID: 33919e370cd2f91ccbecab483e521fac504f6459cb809b826076f73ce7201e1c
Opcode Fuzzy Hash: 278be6c08e1a9182347fa57840c6c38bf03bb17a3251e527e105b750df7c4bd1
Instruction Fuzzy Hash: 29210671B08E194BCB345739C86AA3E6A97AFC56587288079D40ACB396EE6DC802D741

Function 05379F37 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46fdf0ba7165806f636d48fbe241d5f6a6d56cad61eb6e2d6928b126d16a6d5e
Instruction ID: 36e56b43a257f768ece1ac3771bf7e5fe126d8b3506f59b156b23a40665e20f4
Opcode Fuzzy Hash: 46fdf0ba7165806f636d48fbe241d5f6a6d56cad61eb6e2d6928b126d16a6d5e
Instruction Fuzzy Hash: AC316D71E001098FCB14DF68C884AAFBBB6FF89350B15865AE515E73A1CB399C42CB90

Function 0537D690 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419392200a83ec8c512a142b2ed01716e1ef2f7e5b1b23b2b99ba5aa7468825
Instruction ID: e27955d40d8586b6ad28e8422350306bc6bff29c9c54694ff65959ac414212e5
Opcode Fuzzy Hash: 4419392200a83ec8c512a142b2ed01716e1ef2f7e5b1b23b2b99ba5aa7468825
Instruction Fuzzy Hash: 62312270D0221DDEDB15CFA5C4847EDBBB2BF49304F548829D409BB284DB785546CF51

Function 05371360 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a77405ad0b353792660d3c3a5afe4f7858121575a54aea3e44dd9292d443fc7
Instruction ID: ca78e60eef0b149c1ab3dba2d7bb2331c301dfb62b50132162dcfcdd7168731e
Opcode Fuzzy Hash: 3a77405ad0b353792660d3c3a5afe4f7858121575a54aea3e44dd9292d443fc7
Instruction Fuzzy Hash: 4B21B276E002199FCB24DF64C4409AF37B9FF89254B50C529D84E9B240EB38EA06CBD2

Function 0290D338 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925977643.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9385ce148f2b740e39dd7ab2bd390b1f74215e0779ad43adb022df4997980830
Instruction ID: d64bded94f65095de6db5ab504e42aa03f98f8bc7f7df7d3f2c33d622aed672f
Opcode Fuzzy Hash: 9385ce148f2b740e39dd7ab2bd390b1f74215e0779ad43adb022df4997980830
Instruction Fuzzy Hash: 1521D372504208DFDB05DF94D9C4B2ABF69FB88318F24C569E9094B296C336D456CBB1

Function 05374D88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b11fed39598c7a88f30f699588dc9d7a62ff92a8349fb65e6822f8cee71302
Instruction ID: 8eee830763905ced4603d6f0f7ab8bd6741bcd770183a1e4bb0c0ac6d183cc2b
Opcode Fuzzy Hash: f1b11fed39598c7a88f30f699588dc9d7a62ff92a8349fb65e6822f8cee71302
Instruction Fuzzy Hash: 7221F034B056198FCB359A29E458A2FB3A7BBC9751715816AE90BDB750CF74EC02CB80

Function 0291D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2926107460.000000000291D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0291D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_291d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058cb2e47d22c69ecf6660a1848b7134b54824d3b97629fa9133ba0e97920fd7
Instruction ID: 8dda6731104cd19095fa76fedeb2dc2cc50e75302785a337011e33bbe7926df9
Opcode Fuzzy Hash: 058cb2e47d22c69ecf6660a1848b7134b54824d3b97629fa9133ba0e97920fd7
Instruction Fuzzy Hash: A32126B1504208DFDB14DF25C9C4B26BBA5FB88314F20CAADE84A4B351C73AD846CA71

Function 06798A5A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1873967a5b6c6358a4896505b21e03d107f8a4453f23ea02c3200d1af2f704
Instruction ID: bd93a5e797337c2074f29acecf58942a3101060d5141d718b4319887fbd2b18b
Opcode Fuzzy Hash: 8b1873967a5b6c6358a4896505b21e03d107f8a4453f23ea02c3200d1af2f704
Instruction Fuzzy Hash: 9D1134317082586FCB466F7898245EE3FB7EFC9240725486AE405DB381DE348E1187A6

Function 05378500 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8d56d9582f8f4823563613e698cec4070dcf1b4281386e2ca72018ab46fa8c
Instruction ID: cf35f8e927309655e11140127566df4284719f664f62b013a89ee6c8a8fba168
Opcode Fuzzy Hash: ba8d56d9582f8f4823563613e698cec4070dcf1b4281386e2ca72018ab46fa8c
Instruction Fuzzy Hash: 9D216870E0425DDBDB28DFA0DA68BAEBFB6BF44304F104129E401BB294DB799941CB90

Function 05374D77 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650b5b01fa5e6d4f7830f03cac31b50c99272173e827e2e2596dc18c63dd86b5
Instruction ID: b109285832aa8d6b67388f56c58c285549df887d27c0335d75927ad620d0cb9b
Opcode Fuzzy Hash: 650b5b01fa5e6d4f7830f03cac31b50c99272173e827e2e2596dc18c63dd86b5
Instruction Fuzzy Hash: 44115B34B056159FCB359B29D464A2A7BE6FFC671031904BDD446CB751CF64EC12CB80

Function 05957494 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e0946baf341667a3744900d0b0824cb6c53c9aaf4ba83747cc8e432390370e
Instruction ID: 10760da609328df21b262249a734d5694bf5dd11403c0639059fd5f408985ef7
Opcode Fuzzy Hash: 08e0946baf341667a3744900d0b0824cb6c53c9aaf4ba83747cc8e432390370e
Instruction Fuzzy Hash: 7D115CB4E051099FDB04CFE8E484EADBBB6FB88314F14D565ED04E7241DB30AA46CB60

Function 0537D5A2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050cb2d6cba35cd1f53216a4d6eae4efe043d0b27105b9c3e0502d5c1f1e1877
Instruction ID: e1ac1946de91afe8b90c714018f4d98a58bae75d4649e92f53d6c7ab7a0b9270
Opcode Fuzzy Hash: 050cb2d6cba35cd1f53216a4d6eae4efe043d0b27105b9c3e0502d5c1f1e1877
Instruction Fuzzy Hash: 24213B70D401099FDB41EFB9D98079EBBF2EB44304F1086A9D154AB364EB745A498F81

Function 0679D568 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c1223c8d7a5ddf2d5aacf32451499cdbc5e67db95966863362631f0909c59c
Instruction ID: 19001f13b0b8bb9badd2f6edc70047fa3c093e4ccef584ea6ce9a5e1a654c937
Opcode Fuzzy Hash: e3c1223c8d7a5ddf2d5aacf32451499cdbc5e67db95966863362631f0909c59c
Instruction Fuzzy Hash: 8E110835706244AFDB052A7A9C5866BBFEBDFCD250B548877A506C3396DD35CC0583B0

Function 0537C9B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97033f7361e5c38eb63d947cb4c6810e325da54e758747837936d88e681c2310
Instruction ID: 063fa8d628d8a752444f5d43ecb20ca25ec9c5dff3fdcca62b3037949fd826e2
Opcode Fuzzy Hash: 97033f7361e5c38eb63d947cb4c6810e325da54e758747837936d88e681c2310
Instruction Fuzzy Hash: 41113A71D0060D8BDB18CFAAD9456EEBBF2BB89311F08E529D414B7264EB744905CF61

Function 05371250 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e31f90b0674af9a3b20cecf994cc5d7f6ccb2bd1241e2c047b5d831f1c434bb
Instruction ID: 9620de987bf610c0d992194666b6083d706cfce503fe7b5680a988c2be535ad8
Opcode Fuzzy Hash: 4e31f90b0674af9a3b20cecf994cc5d7f6ccb2bd1241e2c047b5d831f1c434bb
Instruction Fuzzy Hash: FA2104B4D0420D8FCB01EFA9C8442EEBBF1FF09300F10556AD849B7250EB305A59CBA1

Function 0290D333 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925977643.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f8b7e770ae4cd2155b9e62d57b008416f11b96e0295358949b824588ba942
Instruction ID: f193f97abc9aa9c72462cfd53ae66de25179c937e1cce55fece4a33553f22e80
Opcode Fuzzy Hash: 4c7f8b7e770ae4cd2155b9e62d57b008416f11b96e0295358949b824588ba942
Instruction Fuzzy Hash: A621B176504244DFCB16CF50D9C4B16BF72FB84314F24C5AADD090B696C33AD42ACBA1

Function 0537D5B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80217aa624a832d93ea812c9faed652d25a20cf5373e13b8e898d70ca7c39fe
Instruction ID: 4f511e17746eade46cf8ab6efde633b62ff87d2c1d2f4a48dcd516f0d4d648f3
Opcode Fuzzy Hash: f80217aa624a832d93ea812c9faed652d25a20cf5373e13b8e898d70ca7c39fe
Instruction Fuzzy Hash: D5211A70D001099FDB45EFB9D58069EBBF2EF44300F108AA9D158AB369EB705A498F81

Function 053784F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22079fca124ed3aabc02dfeeaffc1b86fdea1b7eaa1031aa35114b61b8fd6753
Instruction ID: 8cee0ffe8479ef75340ce2e100e7546a6c1ab700bb858b16e53e46ee3acff4cd
Opcode Fuzzy Hash: 22079fca124ed3aabc02dfeeaffc1b86fdea1b7eaa1031aa35114b61b8fd6753
Instruction Fuzzy Hash: B2118E70E1425D9FDB18DF65E9697AEBBF2BF84304F148529E802AB394DB788801CB40

Function 067981B1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3b32cadad15d4bb1d674f44d2659dac454b4b60fd64fd9791d0a54ee5e4b49
Instruction ID: 76b1585f406ea9483361a7072cf817919354447c58371769f098d0f508e8e548
Opcode Fuzzy Hash: 0d3b32cadad15d4bb1d674f44d2659dac454b4b60fd64fd9791d0a54ee5e4b49
Instruction Fuzzy Hash: 34112E34F005498FDF00DFE8E850B9EBBF6AB4A311F00D465E908E7345EA3099418F61

Function 0291D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2926107460.000000000291D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0291D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_291d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction ID: 8c9e38f7f14720feb9aa9db81f599b8ca8cdb263e46b2a6821240b47c3c563d9
Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction Fuzzy Hash: C1119075504244DFDB15CF14D5C4B15BFA1FB44314F24C6A9D8494B656C33AD44ACF61

Function 05374920 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac5873174b2b3fed290c4ff2865ebd887a41c9757865ee7d75b9b20d5066f1
Instruction ID: 227720f5324631a5b2f6eb5a7162a8430f0c9a6048abade6703b401298138363
Opcode Fuzzy Hash: 58ac5873174b2b3fed290c4ff2865ebd887a41c9757865ee7d75b9b20d5066f1
Instruction Fuzzy Hash: C601F532F041986FCB119F649810AAF7BEBEBCA650B14806AF515C7280DA74DC1297A0

Function 06791960 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f303f3785d285312d3ec2171788c3674c2f00512f95aecc47e8bd18c5b41382a
Instruction ID: 1807551b33aaf3277bd3976a8decc839b10cad05e1d490cd2fd02fd3d8126b35
Opcode Fuzzy Hash: f303f3785d285312d3ec2171788c3674c2f00512f95aecc47e8bd18c5b41382a
Instruction Fuzzy Hash: 3B0169B5A001159FCB50AB78E408A6A7BF9FF4863470546A5E809E7310EA30DC11CBA0

Function 0290D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925977643.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8872d2823bc448842802a43c62ecd404bd2db428708a149eed3e391a0dea56
Instruction ID: 6a291beda60c3e7f9fbbaf4023d3baf7ed085f1aa3e2ea199516dcc2f2fe45e0
Opcode Fuzzy Hash: 8b8872d2823bc448842802a43c62ecd404bd2db428708a149eed3e391a0dea56
Instruction Fuzzy Hash: E201F2714093489EE7108A6AC9C4F67BFECEF41324F08C82AEC4C0B2C6C3799881C6B1

Function 0290D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925977643.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d0edf83f39208d37149e29000c7f13b1171a4979989aad1b3f96125e1f0ba0
Instruction ID: e94e29a1f01b46f017a67c8c290dbce6b25e02ea4785824d2312881c4f90792f
Opcode Fuzzy Hash: a1d0edf83f39208d37149e29000c7f13b1171a4979989aad1b3f96125e1f0ba0
Instruction Fuzzy Hash: C2015E7240E3C49ED7128B258894B52BFB8EF43224F1DC0DBD8888F1E7C2699849C772

Function 067918D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5af278c656e81d2a39c221925b33083927703567bb75f893df78edfafeb43b
Instruction ID: c9b333d13c8f522c0f79a2470553eea7d0a80835f6c80b0c417319e194c80902
Opcode Fuzzy Hash: 7c5af278c656e81d2a39c221925b33083927703567bb75f893df78edfafeb43b
Instruction Fuzzy Hash: DF01E470E0021A9FCF44EFB9D9546EEBBF5BF88210F008629D419F7250E73899128BA0

Function 06798AC8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043db760000a5af98d61a199c22ebdfbda14a076188fef8432c51c7dbad476c4
Instruction ID: c5cac419e804fbd03f25bd4ed9fa1c71f7dae87dd29a6ff3e67882af0cfda7ff
Opcode Fuzzy Hash: 043db760000a5af98d61a199c22ebdfbda14a076188fef8432c51c7dbad476c4
Instruction Fuzzy Hash: 6CF0823230021D7F8F059EA9AC449EF7FBBEBC8260B50442AFA09C7250DF31891197A6

Function 0537C948 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae680a08e74f3aec9ac61f9a632d4b2efb7fe83b765ac2d04e32a8176537a3d
Instruction ID: 48d6f560df26c0a9468baea00ded866b98d1b6b9abe877d3053a162d4e7730f8
Opcode Fuzzy Hash: fae680a08e74f3aec9ac61f9a632d4b2efb7fe83b765ac2d04e32a8176537a3d
Instruction Fuzzy Hash: 0EE02234D44148CBDB40DBA9EC083FAFBF1AB8B300F04A96AD104A2151CB394529CF52

Function 05371310 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcd984c0fdadfa3f8fd8f90c76afe402ddc9b6092149c59414356619c005b2f
Instruction ID: ed27547c857e0e713f855c997dc1a3881f8ccc6e7983395503a4a9866500eae4
Opcode Fuzzy Hash: 3bcd984c0fdadfa3f8fd8f90c76afe402ddc9b6092149c59414356619c005b2f
Instruction Fuzzy Hash: 17E02231D142AA0BCB128BB4A8510FEBF70EE83214F048992C4C127002DA31592BC352

Function 05371320 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d593b7872a691bbc16ecf6b29d41ef4a8d106bb17f8508a3a9a4716aa3ce17
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 91d593b7872a691bbc16ecf6b29d41ef4a8d106bb17f8508a3a9a4716aa3ce17
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 05377990 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 3010549423eae56ebededa12ce128f19c6d2174f561f451d111786c9fba9926b
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: B7C0803350D12C6AA235504F7C40DB3774DD3C12B59210137F55CC3200D4465C4041F5

Function 053751C1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5d113f7962c512b5eeb638192eed2079e40a0ed7f0e6b6b162fce1a73ad7bc
Instruction ID: 6be83c3ea3615df272d9a6e670b00890b3effc0c59a998b56a8d9421d08f4801
Opcode Fuzzy Hash: da5d113f7962c512b5eeb638192eed2079e40a0ed7f0e6b6b162fce1a73ad7bc
Instruction Fuzzy Hash: 53E0C23004C2884FC702F770A9B04567B7EAAC220034155F1A14D4F1ABEA28684E8754

Function 05379E3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee64dd6db79f7943d9e6e6c88b5cca88f72f9df6bef827a4b86062afbd9837b
Instruction ID: 62858800c78bbd2852c192288c669f1ef6bf56324d3258c36e8fae8c19655888
Opcode Fuzzy Hash: dee64dd6db79f7943d9e6e6c88b5cca88f72f9df6bef827a4b86062afbd9837b
Instruction Fuzzy Hash: B9D0673AB40018DFCB049F99E840DDEB7B6FB98221B148517EA15A3265C6319921DB54

Function 053751D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abff164e6aa9d94fc244e3ed0005442a428bad2e42fb3045c3254211682bb36d
Instruction ID: c12b365e7aa73b7edc78c4952e38011a06e00a332668161a1146b020d8340b1a
Opcode Fuzzy Hash: abff164e6aa9d94fc244e3ed0005442a428bad2e42fb3045c3254211682bb36d
Instruction Fuzzy Hash: 19C0123055420C4EC541F775FA65566776FA6C02007415660A00D066AEDF74A8894698

Function 053789C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5c43dd28335281135a146e59191d5b00d1567863a2e1b7c2f08431af09df97
Instruction ID: 2a8f85b0f907f28095409003e6905ce6a44fca90c96e671c44f786372abe6094
Opcode Fuzzy Hash: 6a5c43dd28335281135a146e59191d5b00d1567863a2e1b7c2f08431af09df97
Instruction Fuzzy Hash: 2EC08036F0408D87CB04CE94F4465DDFF35DF84221F104076E905A3601C635CA15C752

Non-executed Functions

Function 06791B08 Relevance: 24.3, Strings: 19, Instructions: 512COMMON

Download Yara Rule

Strings

LjAp, xrefs: 06792057
LjAp, xrefs: 06792139
PH^q, xrefs: 067920C7
PH^q, xrefs: 06791EDA
LjAp, xrefs: 06791E54
LjAp, xrefs: 06792041
LjAp, xrefs: 06791F62
Hbq, xrefs: 06791B59
PH^q, xrefs: 067921D6
PH^q, xrefs: 067921C2
0oAp, xrefs: 06791CF0
LjAp, xrefs: 06791F4C
LjAp, xrefs: 06791E6A
PH^q, xrefs: 067920DB
PH^q, xrefs: 06791EEE
LjAp, xrefs: 0679214F
", xrefs: 06792377
PH^q, xrefs: 06791FE6
PH^q, xrefs: 06791FD2

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2694733611
Opcode ID: 98a5bf079550c7072ddbb4fe5f441e94290049f33749a52e94ef2f908d7993b3
Instruction ID: 01f8ef1fd0fae8880dfb5d1d956d4634268a81286e877b2f4884a0736c28e5c6
Opcode Fuzzy Hash: 98a5bf079550c7072ddbb4fe5f441e94290049f33749a52e94ef2f908d7993b3
Instruction Fuzzy Hash: C442B174E002188FDB64DF69D954BADBBF2BF89304F1084A9D409AB365DB359E85CF10

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 2.9, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00409092
@, xrefs: 00408D03

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 0537D8E0 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0537D9FB

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 91efa3e3abeae1de4c4730351ab6f02efbd0e800ae345356c5f10f7d70700c7d
Instruction ID: e7ebb388ce867261083b8c7a3da395fc6d78fc0302137ed25032548110bff11a
Opcode Fuzzy Hash: 91efa3e3abeae1de4c4730351ab6f02efbd0e800ae345356c5f10f7d70700c7d
Instruction Fuzzy Hash: 10528A74E01228CFDB68DF69C984B9DBBB2BF89300F1085EAD409A7254DB359E85DF50

Function 05956708 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 05956C26

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 798d8dca8b5e4702dc57a8cd783f47850f2913afd7e3243a1f794aacf75f8338
Instruction ID: 408bf6b8825116bdf80480318082ff31f7a1e8e8041213efdf2b4f2a23d087fe
Opcode Fuzzy Hash: 798d8dca8b5e4702dc57a8cd783f47850f2913afd7e3243a1f794aacf75f8338
Instruction Fuzzy Hash: 7BF11470E002488FEB14CFA9D49479EBFB2BF88324F64D169E808AB395D7749985CF50

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 067926A8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06792713

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 2f5aa717e80b35e29a762166f661472a28f8b6051b8df767870a22c77350ec58
Instruction ID: 759c16daab67520afb62b8bafcb868ac57b60772960a52946d3287d2e27040ac
Opcode Fuzzy Hash: 2f5aa717e80b35e29a762166f661472a28f8b6051b8df767870a22c77350ec58
Instruction Fuzzy Hash: 8EB19574E00218CFDB54DFA9D994A9DBBF2FF89310F1081A9E819AB365DB30A945CF50

Function 02AF12B0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02AF1398

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 24fb5c0337c2f24923f222f07ceb6080fbca615715dca2a1a94f1615914dd65f
Instruction ID: 578b80cc73ab2f342d1ab2b66954548d939ebd7cefc225895dec0a876dedcd97
Opcode Fuzzy Hash: 24fb5c0337c2f24923f222f07ceb6080fbca615715dca2a1a94f1615914dd65f
Instruction Fuzzy Hash: 0661FF71E412598FDB49DF7AE88079BBBF3BBC9300F14C669D0449B2A9EB7058498F40

Function 02AF12C0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02AF1398

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 0e8191fa1a066fd39f46a44f24a3c57be8e75886b799ae1f27a8be6f2095059e
Instruction ID: d6652c19bcda33370af474a321a6d0f7134a971cf67c23615ad62103d60e8858
Opcode Fuzzy Hash: 0e8191fa1a066fd39f46a44f24a3c57be8e75886b799ae1f27a8be6f2095059e
Instruction Fuzzy Hash: 2561EE70D412598FDB49EF7AE98079FBBF3ABC9300F14C669D0449B2A9EB7058098F40

Function 0537D8D1 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0537D9FB

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: e941469fa62e27c68732be9d0ebd54a414397a8c5e2ba2b2584ca79729edc33e
Instruction ID: 6b2d1802fe5e410bbcc6dac60930ba42b617b5608bb1bcd4eaf9ca4f23a770c7
Opcode Fuzzy Hash: e941469fa62e27c68732be9d0ebd54a414397a8c5e2ba2b2584ca79729edc33e
Instruction Fuzzy Hash: 7C61E674E00219CFDB28DF66D990BADB7B6BF88300F10C1A9D80967368DB319986DF40

Function 0679269B Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06792713

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 84cad8a648836866d695511133595731b06f4e0d74f3697f55cdd29148ce3bd2
Instruction ID: 202753c456ddcba5e8c45addb888e393db1bcdbc1e0b37f938d5e77e526863ee
Opcode Fuzzy Hash: 84cad8a648836866d695511133595731b06f4e0d74f3697f55cdd29148ce3bd2
Instruction Fuzzy Hash: 2B51A574E116089FDB48DFAAD59499DFBF2BF89310F24C069D419AB365DB30A942CF10

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 06793720 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ecfa0b12a1e2ac2ec3e71a385613caa74dc484d61b50f5fe3ec9cb6b7a2d94
Instruction ID: d972e7409f0f112f619fd7df2aefceac320fc68fb8b5a64fdd7414223920a8dd
Opcode Fuzzy Hash: 49ecfa0b12a1e2ac2ec3e71a385613caa74dc484d61b50f5fe3ec9cb6b7a2d94
Instruction Fuzzy Hash: 11824B74E012289FDB64DF69D994BDEBBB2BF88300F1081EA940DA7265DB315E85CF50

Function 06792A20 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4683c7db98277c1e2d1950f1e69b24ced330656d68e7002bfa60a01511ab3ee7
Instruction ID: 53d62c20bf7b5eb1bb5e91f51f17c88e7a96ddd84995d55edec8495334f1083a
Opcode Fuzzy Hash: 4683c7db98277c1e2d1950f1e69b24ced330656d68e7002bfa60a01511ab3ee7
Instruction Fuzzy Hash: CB727D74E012288FDB65DF69D994BDEBBB2BF88300F1081EA940DA7265DB315E81CF51

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 067ACD60 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c06a502d0f50ce5017271a848ed26ed195d989abe466aada2dc9394df0455d
Instruction ID: bbe5240931c69d6e4fdb34d6c30d9dc34761fffae558c87fd620872ea833330b
Opcode Fuzzy Hash: 76c06a502d0f50ce5017271a848ed26ed195d989abe466aada2dc9394df0455d
Instruction Fuzzy Hash: D55258B9D40B068FD710CF28EA8839A7BF1FBA4398BD04B19D5615B2D0D7B4656ACF40

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 0537F548 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7eeef4acc49b8474570bd78ed57b180b61ac49c10d4064fe767a5594ad2f65
Instruction ID: 9ec4bcecd334da1bcfb630a581714176e94219e1d82582c8b10d218daca5e309
Opcode Fuzzy Hash: 1f7eeef4acc49b8474570bd78ed57b180b61ac49c10d4064fe767a5594ad2f65
Instruction Fuzzy Hash: 2FC19174E00218CFDB54DFA5D994B9DBBB2BF89300F2085A9E809A7364DB359E85CF50

Function 0537F9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec517da1119a40771ed50ef5e32de31518d84d36d202e285f684bdd5153dd1e1
Instruction ID: 4416a02dc18dd2fc5ab507b5bc7dfcb1f8691bc6101604e2ac24dc889ecb4c4f
Opcode Fuzzy Hash: ec517da1119a40771ed50ef5e32de31518d84d36d202e285f684bdd5153dd1e1
Instruction Fuzzy Hash: 2CC19174E00218CFDB54DFA5D994B9DBBB2BF89300F2085A9E809A7364DB359E85CF50

Function 0595ED88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5290d27072f437190a6fd42b92c692a719f574f94510281d5a66878ad80a1d
Instruction ID: 8af4dd0fe763c119f5ea9af4be2eaca03418908cfba0a5255bb08f8cedb3d722
Opcode Fuzzy Hash: 2c5290d27072f437190a6fd42b92c692a719f574f94510281d5a66878ad80a1d
Instruction Fuzzy Hash: 85C1A074E00218CFDB54DFA5C994B9DBBB2BF89310F2081A9D809AB365DB359E85CF50

Function 0595BDC0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663e83642f4ab6b14d01aeb3925287e0fc65dc91cc6899f210a14d6c9e8921eb
Instruction ID: 785aa619756faa5c6cecf1e8d205c5eacf451a71af6d1cb81fa8a2873c920c64
Opcode Fuzzy Hash: 663e83642f4ab6b14d01aeb3925287e0fc65dc91cc6899f210a14d6c9e8921eb
Instruction Fuzzy Hash: E1C1A074E00218CFDB54DFA5C994B9DBBB2BF88300F6081A9D809AB364DB359E85CF50

Function 0595F1E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcef078c883622c69055747eec651891cbf819e247919f9610434f35d2cbb881
Instruction ID: 9b2b1a1b66c14542e0607edf490cfd87a50535c35cc5966eeb75c3bdcb432b35
Opcode Fuzzy Hash: dcef078c883622c69055747eec651891cbf819e247919f9610434f35d2cbb881
Instruction Fuzzy Hash: ADC1A174E00218CFDB54DFA5C994B9DBBB2BF89310F6081A9D809AB364DB359E85CF50

Function 0595E930 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7654ca28b8c17178b49dd8fab33d16924e11009fb38ce0b418c1086fd8c58289
Instruction ID: 1431c6289149ee33ef8f2ee66afd220aacce26940908ba5ae775b994d9240820
Opcode Fuzzy Hash: 7654ca28b8c17178b49dd8fab33d16924e11009fb38ce0b418c1086fd8c58289
Instruction Fuzzy Hash: 31C1A074E00218CFDB54DFA5C994B9DBBB6BF89300F2081A9D809AB365DB359E85CF50

Function 0595B968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0075f4eafa071790553b9ac0ef611fb08176aec5b857174dcf1f0c5949e760b
Instruction ID: feba4187de6bc2e36951909f7b180b8bc2cbd9b5e2896bfd4902a4fdfe7beedd
Opcode Fuzzy Hash: a0075f4eafa071790553b9ac0ef611fb08176aec5b857174dcf1f0c5949e760b
Instruction Fuzzy Hash: 4DC1A174E00218CFDB54DFA5C994B9DBBB2BF89310F2081A9D809AB365DB359E85CF50

Function 0595E080 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d731445c28e2ac2355e9135340cee245713a0e8c30a5fbc1c498702ae17780
Instruction ID: 3c7ee8bbf650954667e92e829f8b4cc86d14602aa46472478159803f4ffc8f6e
Opcode Fuzzy Hash: 09d731445c28e2ac2355e9135340cee245713a0e8c30a5fbc1c498702ae17780
Instruction Fuzzy Hash: C6C1A174E00218CFDB54DFA5C994B9DBBB6BF89300F6081A9D809AB364DB359E85CF50

Function 0595B0B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfade3b52a4b59154c9690e50be59d93bfbc7b7545d146ec5461e4cd3309b5a
Instruction ID: dbaf1e1782a54c473361792a6a71974ff08f353207d07fb53c36de6037d8722a
Opcode Fuzzy Hash: 1cfade3b52a4b59154c9690e50be59d93bfbc7b7545d146ec5461e4cd3309b5a
Instruction Fuzzy Hash: AAC1AF74E00218CFDB54DFA5C994B9DBBB2BF89310F2081A9D809AB365DB359E85CF50

Function 059504A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e8f3649e77019e02f9dee8efaabaaa48f25aad2f7b46983875a7c1f3668232
Instruction ID: ed80213d50088b7b3a496be7c73912c2a0a297a510c25c68536f6fbe73a28165
Opcode Fuzzy Hash: 76e8f3649e77019e02f9dee8efaabaaa48f25aad2f7b46983875a7c1f3668232
Instruction Fuzzy Hash: E0C1A174E01218CFDB54DFA5D998B9DBBB2BF88300F2085A9E809A7354DB359E85CF50

Function 0595E4D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa7825344cfce58248b1391c0925341415c7f13184a4cdfde3c8e78d80bce96
Instruction ID: 425064a8225c1920127af70de3c3cfb209a8a3c681962c55b394d860d382f0a8
Opcode Fuzzy Hash: caa7825344cfce58248b1391c0925341415c7f13184a4cdfde3c8e78d80bce96
Instruction Fuzzy Hash: 8EC1B274E00218CFDB54DFA5C994B9DBBB6BF89300F2081A9D809AB364DB359E85CF50

Function 0595A808 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f11f8205f2095b3309880aedfb365ac088506a0e13b2d9dbea11a7addf9c4a
Instruction ID: 363f4126d7c3ceea571c3a0dae3ffad7492a623e7570b9b3f5c489d2613a8e2f
Opcode Fuzzy Hash: c9f11f8205f2095b3309880aedfb365ac088506a0e13b2d9dbea11a7addf9c4a
Instruction Fuzzy Hash: 43C1B274E00218CFDB54DFA5C994B9DBBB2BF88301F2081A9D809AB364DB359E85CF54

Function 0595DC28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf716034826a7b30c2d521952636d9231c3be2ed2637fc5aa6b5199df8ec8b8
Instruction ID: 774b385dfb5453628d2ac4bc2aa257033434c7eab0cd0ab785414d20418ad118
Opcode Fuzzy Hash: 9cf716034826a7b30c2d521952636d9231c3be2ed2637fc5aa6b5199df8ec8b8
Instruction Fuzzy Hash: 00C1A074E00218CFDB54DFA5C994B9DBBB2BF89300F6081A9D809AB365DB359E85CF50

Function 05950040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1980ea87ea8d3cb965da48f6d55100ee81d0ec0cb0708070ff327309ea97f53d
Instruction ID: ae91c707cac95241a63f96806284bafc4750fa0fb2e3ec262187bf641bc32815
Opcode Fuzzy Hash: 1980ea87ea8d3cb965da48f6d55100ee81d0ec0cb0708070ff327309ea97f53d
Instruction Fuzzy Hash: 5BC1A174E00218CFDB54DFA5D994B9DBBB2BF88300F6085A9E809AB354DB359E85CF50

Function 0595AC60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1aa3a2fced93a4624bf9d39e01cf182c4b52e3d4b5a996ff2235e249378eb4
Instruction ID: 47a7a79a5e4b58d8831ce3187a4cb2d7ded360986746613a08368eecf89afbd7
Opcode Fuzzy Hash: 2e1aa3a2fced93a4624bf9d39e01cf182c4b52e3d4b5a996ff2235e249378eb4
Instruction Fuzzy Hash: F3C1A174E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 0595D7D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dd7dac793ab25229dbd225d280f7e8a4d65e42d4644b3bde9f2c8f8c41108e
Instruction ID: 070c0d19dcae87b0a66ca11726cc36849bfad7012cf1e03f8ff906cdab2001a1
Opcode Fuzzy Hash: 22dd7dac793ab25229dbd225d280f7e8a4d65e42d4644b3bde9f2c8f8c41108e
Instruction Fuzzy Hash: FCC19074E00218CFDB54DFA5C994B9DBBB6BF89300F2081A9D809AB365DB359E85CF50

Function 0595CF20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecbca8693470319356d58147a4ad8464f18f872636010768cc4a572d0b2d0c5
Instruction ID: 940ef5997e80fbd806afbd1d240c386322229957b920b9ab0407c0e4bb948888
Opcode Fuzzy Hash: eecbca8693470319356d58147a4ad8464f18f872636010768cc4a572d0b2d0c5
Instruction Fuzzy Hash: A2C1B074E00218CFDB54DFA5D994B9DBBB2BF88304F6081A9D809AB364DB359E85CF50

Function 0595D378 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2219ca7ef5f12f20918c22088fc75b3a867857ca39df0967437e1034678bfc
Instruction ID: 38d14de758becc69c681448576d5894f737c794b38e4d9277d10566c37d6f8c3
Opcode Fuzzy Hash: 6d2219ca7ef5f12f20918c22088fc75b3a867857ca39df0967437e1034678bfc
Instruction Fuzzy Hash: 4CC1A074E00218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB365DB359E85CF50

Function 0595FA90 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baf684c7af8f3bc6cd5f61975d8f9c3776f500d3d3c713d8d876d35e23738ae
Instruction ID: 468191c4ddc381acbf8bf48113e0a87f2af6e1e8a2f2e77d56ad3d174cdd353f
Opcode Fuzzy Hash: 1baf684c7af8f3bc6cd5f61975d8f9c3776f500d3d3c713d8d876d35e23738ae
Instruction Fuzzy Hash: F4C1A074E00218CFDB54DFA5C994B9DBBB2BF88310F2081A9D809AB365DB359E85CF50

Function 0595CAC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42ba6682b09c12647589eb51e8bbd100927b83eb8f58588ea331c94bd3c2b12
Instruction ID: 2f36234373db399a3f9ab8c56de6c6543633146642f1e715e89ca2b29e4aa204
Opcode Fuzzy Hash: b42ba6682b09c12647589eb51e8bbd100927b83eb8f58588ea331c94bd3c2b12
Instruction Fuzzy Hash: 77C1A074E00218CFDB54DFA5C994B9DBBB2BF89304F2081A9D809AB364DB359E85CF50

Function 0595C218 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81200f89b4990164625ae7222b1555d11b18be054907181ca15f1ca38ef6216
Instruction ID: ec3575abf0d9118a184d665e936aaebe74021032990a96c7c03cca65c205ae32
Opcode Fuzzy Hash: f81200f89b4990164625ae7222b1555d11b18be054907181ca15f1ca38ef6216
Instruction Fuzzy Hash: AAC1B074E00218CFDB54DFA5C994B9DBBB2BF88300F2081A9D809AB364DB359E85CF50

Function 0595F638 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb4a0599b79648e8675f1fc5f54742a12fc3fc531e9d62af0c753beba66bb6c
Instruction ID: 90abbc7ac3655862ab9aca2594cdcb474502f399f214c494003aadb386d976ba
Opcode Fuzzy Hash: 4bb4a0599b79648e8675f1fc5f54742a12fc3fc531e9d62af0c753beba66bb6c
Instruction Fuzzy Hash: E2C1B174E00218CFDB54DFA5C994B9DBBB2BF88310F6081A9D809AB364DB359E85CF50

Function 0595C670 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50cbedf1be1c32781069f0c71f38896e49c0e15143dab77a5bdbb05c479ffd1
Instruction ID: 22e9cfdc7dea50e912935d9ac0d47ee2a6f57ca388e57dbf3475e335cebe1951
Opcode Fuzzy Hash: d50cbedf1be1c32781069f0c71f38896e49c0e15143dab77a5bdbb05c479ffd1
Instruction Fuzzy Hash: 70C19F74E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 06795EC0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf322c150b58946fe8d45f1abd446659977022878e4f7e566ce50c5c60bd721a
Instruction ID: 00953bea428b2a6811346341d8fed567060634670154c9771463e7bee34ab700
Opcode Fuzzy Hash: cf322c150b58946fe8d45f1abd446659977022878e4f7e566ce50c5c60bd721a
Instruction Fuzzy Hash: 9DC1A274E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB365DB359E85CF50

Function 06796798 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da26533d9b11a4b535122939926b7ca9c36c07d5ddfa11744e35a7a0e311d211
Instruction ID: f2d56f3f852fa836d7ad31441f2783217da8dfb6c842020344cfed1327dd9c06
Opcode Fuzzy Hash: da26533d9b11a4b535122939926b7ca9c36c07d5ddfa11744e35a7a0e311d211
Instruction Fuzzy Hash: A8C1A274E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB365DB359E85CF50

Function 067974A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8934c80be9ed4f58f1afe55b0e45ee303413f36956bd4dde8668b51ea2166104
Instruction ID: aaa2211e0a4d8900483037e33fa967cfd182c4e83c21166a0431fef5c806a94c
Opcode Fuzzy Hash: 8934c80be9ed4f58f1afe55b0e45ee303413f36956bd4dde8668b51ea2166104
Instruction Fuzzy Hash: 0FC1B374E00218CFDB58DFA5D994B9DBBB2BF89300F2081A9D409AB364DB359E85CF50

Function 06794488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a9fb58fa552f051328d079b2f813dd3c458c0103b7437fb89faed25404e7b5
Instruction ID: 8ae9cd6dd2a57bbffd15280facbae6a5ff4ce2ec2c13d4732466039b004dde7a
Opcode Fuzzy Hash: 80a9fb58fa552f051328d079b2f813dd3c458c0103b7437fb89faed25404e7b5
Instruction Fuzzy Hash: BAC19174E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D409AB369DB359E85CF50

Function 06794D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea521596e0c1b79b76ace8b0e629c67f4447458b8a78f398927243e1f033dd74
Instruction ID: 14f4fe637a74501c56e00432a725b87356c4da38088d50b573d205dea1d8757f
Opcode Fuzzy Hash: ea521596e0c1b79b76ace8b0e629c67f4447458b8a78f398927243e1f033dd74
Instruction Fuzzy Hash: 99C19074E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 06795A68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5afa441313e99baacad6f3c1420d241ab04ba3c899428775a31ce4f0a5ccf30
Instruction ID: 90600ec76dac2527ffb472911cf59351da6d21077e51b190e99fe590a6ecfae6
Opcode Fuzzy Hash: b5afa441313e99baacad6f3c1420d241ab04ba3c899428775a31ce4f0a5ccf30
Instruction Fuzzy Hash: 6FC1B274E00218CFDB55DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 06796340 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6f46bb5f0b4db490e552e2114783372cd87e593a22abba850b7b4ce7441c47
Instruction ID: 9a2b834a592d4340c09ab86a9f810ac062b2b985398f0b86d397b694d00a8e68
Opcode Fuzzy Hash: dd6f46bb5f0b4db490e552e2114783372cd87e593a22abba850b7b4ce7441c47
Instruction Fuzzy Hash: 27C1B174E00218CFDB54DFA5D994B9DBBB2BF88300F2081A9D809AB365DB359E85CF50

Function 06796BF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e200b3d7d501456be84586f5ad02446cdc8c035b7e3c8ca5e7d60202a1c963
Instruction ID: e2ef0d867238f3361ab1dbd458fa86be8d1f27ef6336da16e90c3485302c7988
Opcode Fuzzy Hash: b7e200b3d7d501456be84586f5ad02446cdc8c035b7e3c8ca5e7d60202a1c963
Instruction Fuzzy Hash: 6DC1B274E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB364DB359E85CF50

Function 06797048 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27adb395be57c240f51f375c09f1930f7d1d8224abe5ae183a683442d9981e11
Instruction ID: 8882d6f30e167049ed63ebaaa4bf088edf35feacefb909dba51c0d98f74ea089
Opcode Fuzzy Hash: 27adb395be57c240f51f375c09f1930f7d1d8224abe5ae183a683442d9981e11
Instruction Fuzzy Hash: ECC1C174E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D808AB365DB359E85CF50

Function 06790040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a01202aa3c5a76d5471436de347b58d4ddd19d3da50bf9e3c45effaf7558c3
Instruction ID: d1a523f9b684316f2c20a4aa2ef42b7bb6677a87c7afc08a446655a11dee8234
Opcode Fuzzy Hash: f4a01202aa3c5a76d5471436de347b58d4ddd19d3da50bf9e3c45effaf7558c3
Instruction Fuzzy Hash: C6C1AF74E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB365DB359E85CF50

Function 06794908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95423e9bf4c821228eb8aa6ba108fb62f769718990291ec1b180549b5fea4aa2
Instruction ID: a6f8181a1cc414d6b7c0f2e7c58810473261e331cdcf2dce8c8703ab45239615
Opcode Fuzzy Hash: 95423e9bf4c821228eb8aa6ba108fb62f769718990291ec1b180549b5fea4aa2
Instruction Fuzzy Hash: 30C18174E00218CFDB54DFA5D994B9DBBF2AF89300F2081A9D409AB369DB359E85CF50

Function 067951B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249925fdd5aa66dc2f6d560df82c1b8f75c2c7507642cabd89f2521c0c698efb
Instruction ID: c38472cc296ccc5e5fb6895d80fd03bc44f2f5996b356df34e622f74a58e0bfc
Opcode Fuzzy Hash: 249925fdd5aa66dc2f6d560df82c1b8f75c2c7507642cabd89f2521c0c698efb
Instruction Fuzzy Hash: 41C1D274E00218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809AB365DB359E85CF50

Function 067A9B9C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe44f18c729f1beadcee8ba84b05f78b7d92ee62e6ef0a2eb37221bc2939539
Instruction ID: 5fd792629abe08e3e5a6efd66f4af1da81f4164aa0c9de178bf6f8efdc09685d
Opcode Fuzzy Hash: 7fe44f18c729f1beadcee8ba84b05f78b7d92ee62e6ef0a2eb37221bc2939539
Instruction Fuzzy Hash: 45A15A32E10309CFCF45DFB5C8845AEBBB2FFC5700B15866AE916AB221DB31A955CB50

Function 05956E90 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d9cf16b25fe5691a478e21e88ee91b681304227873f76b3d93be36333b5d0
Instruction ID: ddb16f200ffbdd252882e2c4bca21497888662d51ee604f821d4e691cf230fb3
Opcode Fuzzy Hash: b35d9cf16b25fe5691a478e21e88ee91b681304227873f76b3d93be36333b5d0
Instruction Fuzzy Hash: 02919271E042198BCF18DFB9C9546AEBBF7BF88360F108569E805A7390DB34A915CB91

Function 05952B80 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35e5796a4ab5e36a88beca3cc38c567e802e07f65ccaba0a01539f46eb8b486
Instruction ID: 3c03fb95e86bc76fcb67e57285c2cf21ac54d550cbb29e6f786368498df34b8b
Opcode Fuzzy Hash: e35e5796a4ab5e36a88beca3cc38c567e802e07f65ccaba0a01539f46eb8b486
Instruction Fuzzy Hash: 85B11471D006598EDB10DFA9C844BADFBB1BF89310F14C6AAE408A7261EB709A84CF41

Function 05950921 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a41e4da6c7cd62d68a6b7bdee12d1cf570c5b1842b136bfbcf4c9b5ebf660a4
Instruction ID: 3daa01a0b62137ce685c248161f14961dd3c120295197c2e70f14277ae270db4
Opcode Fuzzy Hash: 5a41e4da6c7cd62d68a6b7bdee12d1cf570c5b1842b136bfbcf4c9b5ebf660a4
Instruction Fuzzy Hash: 86A10274E00208CFDB14DFA9C988BDDBBB1BF88314F249669E409AB391DB749985CF54

Function 05950930 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1258159a10fe596001233f8be2e264fa04dd8ae4135381de2d9ece5711f4d078
Instruction ID: ef6f3854ab0a5a71262ed7925ca78369b8cc51ed54d2a2b9f37cb91a984c4b73
Opcode Fuzzy Hash: 1258159a10fe596001233f8be2e264fa04dd8ae4135381de2d9ece5711f4d078
Instruction Fuzzy Hash: 4DA10470E00208CFDB14DFA9D998BDDBBB1BF88314F209669E409AB3A1DB705985CF54

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 05950C7B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3935f0bc649d61f1259b718be76c15726e473734cacf808c988b59fccafc407b
Instruction ID: d859fc35162f0e3399af6bc7f3a262e19c731c578f047fee68a6a19f1f25b374
Opcode Fuzzy Hash: 3935f0bc649d61f1259b718be76c15726e473734cacf808c988b59fccafc407b
Instruction Fuzzy Hash: 5091F274D00218CFDB14DFA8D988BDDBBB1FF49314F249669E409AB291DB709985CF14

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 02AF1560 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58ff1bd318d5c45d6cb49f42d2c2bd90b7391644906f6a19c7bbf6b741f5358
Instruction ID: 2b20ad9ac3ad445b7345c452ab78a2634c87ad36a714cc95b6f61c023683320f
Opcode Fuzzy Hash: e58ff1bd318d5c45d6cb49f42d2c2bd90b7391644906f6a19c7bbf6b741f5358
Instruction Fuzzy Hash: B8515E75D016289BEB6CCF6B8D442CAFAF3AFC9300F14C1F9950CA6254EB750A858F40

Function 06796308 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d90746d4ff6a6131e87cfa746063edb17752f1196a609aa46bb553da3d339a4
Instruction ID: 164d8b3110cf78d7dcd948fe7a7a5fd4fad4ca1bd989cc3a5141a858c3f95cc2
Opcode Fuzzy Hash: 3d90746d4ff6a6131e87cfa746063edb17752f1196a609aa46bb553da3d339a4
Instruction Fuzzy Hash: 66415970E052888FEB45CFBAD9506DDBBF2AF8A300F24C1AAC418AB256D7345945CF51

Function 02AF1550 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4248916ca84c47bd1873227a9030896666b565d59b660ba336c29b729cc67e3e
Instruction ID: 7528ac929ec242b518c2fb99544960b435b2ffa65c67b0a6ce952e448acef13d
Opcode Fuzzy Hash: 4248916ca84c47bd1873227a9030896666b565d59b660ba336c29b729cc67e3e
Instruction Fuzzy Hash: 65511275E056189BEB6CCF6B8D442DAFAF3AFC9340F14C1F9950CA6254EB350A868F41

Function 05950006 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345350dfba972e24411daad6d951319c75d52f082cf50460f8926d0cacf5c70e
Instruction ID: a1b834c7621b9c54a3798d28007c4983f55f65479142227db4a51715de3e1fa1
Opcode Fuzzy Hash: 345350dfba972e24411daad6d951319c75d52f082cf50460f8926d0cacf5c70e
Instruction Fuzzy Hash: 6E411870D052488FDB19CFB6D9546DEBBF2AF89310F14D16AD408AB3A5EB345946CF10

Function 06794D51 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef464476895286826329d2dcba3c1f7085a6791f62de3c5fbf36768a9e34db70
Instruction ID: eea6f8145435f9611eff3905f13dbdeb9b5f896d3230bebe3d3cd8d4fc4bba4f
Opcode Fuzzy Hash: ef464476895286826329d2dcba3c1f7085a6791f62de3c5fbf36768a9e34db70
Instruction Fuzzy Hash: D0411774E012489FEB54CFBAD85469EBBF2AF89300F24C169C418AB259DB345946CF50

Function 0537E0F4 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44018473ec5bfcb624c911d048fa03570c1da0ae42dd01de8bc928c87b3f18b9
Instruction ID: 7517ac3babfc375d3b7156a130e2bfb9dd14b68c11c792869061e9c1f13ee723
Opcode Fuzzy Hash: 44018473ec5bfcb624c911d048fa03570c1da0ae42dd01de8bc928c87b3f18b9
Instruction Fuzzy Hash: F2517134A01228CFCB65DF24D954B9ABBB2BF4A305F5089E9D40EA7354DB319E81DF50

Function 02AFE2F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2926487998.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2af0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c9e496c84970274c3714b1df7a759df4ba05cb5723e0552d5fcf546e999201
Instruction ID: 75590b1f61d6f430d238793164d114dc35c0fdccbe36832eebec81042e0242dc
Opcode Fuzzy Hash: f9c9e496c84970274c3714b1df7a759df4ba05cb5723e0552d5fcf546e999201
Instruction Fuzzy Hash: B741DEB4D003489FDB14CFA9CA88B9DBBF1BB09304F209129E514BB260DB789885CF45

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 059566FA Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5bfb53d5c0fbd6ab2e56d7ee29e12b0996ac8fd88d0b051ac5520af113d61d
Instruction ID: b584f3492f8c67496a51e7f79105c969f159c81e1a089dbd6b05e03eb44ccdc0
Opcode Fuzzy Hash: 2f5bfb53d5c0fbd6ab2e56d7ee29e12b0996ac8fd88d0b051ac5520af113d61d
Instruction Fuzzy Hash: 2141D6B1D016189BEB18CFAAD8843DEBBF2BF88314F14C56AD408BB294DB740545CF50

Function 06794478 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebac4bd1a8f5c71b3413a51d661446c24bde1bd7a1afbd8c29d912535e40e65d
Instruction ID: 3920a0c7af9e3c6c48ebb117bf2a2347d95aa17bac5d7f3b0a8cd4a63672e13e
Opcode Fuzzy Hash: ebac4bd1a8f5c71b3413a51d661446c24bde1bd7a1afbd8c29d912535e40e65d
Instruction Fuzzy Hash: 3B41C374E012489BEB58DFEAD954A9EFBF2AF89300F20D129D418AB258DB345946CF50

Function 06797491 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51cffab9ee3f7d2e7d107be4a7513608c122c450bc202f0d9911c93de3f69f4
Instruction ID: dc331be0e4121ac32384097f2ad46781a517a41b7b247e950fc159c5eb3701d3
Opcode Fuzzy Hash: f51cffab9ee3f7d2e7d107be4a7513608c122c450bc202f0d9911c93de3f69f4
Instruction Fuzzy Hash: 9C41E270E012088FEF58DFAAD9546EEBBF2AFC8300F24D12AD418AB255DB345946CF50

Function 06796BE0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c7d2226da79486949c25e8a5366ddcba1701cefb2e1367c5fdfcaa189e3680
Instruction ID: f1fc598e03d51f9da955ce2029ca461801577d84209c769d40dc8a709703f5fe
Opcode Fuzzy Hash: 43c7d2226da79486949c25e8a5366ddcba1701cefb2e1367c5fdfcaa189e3680
Instruction Fuzzy Hash: 4041F570E05208CFEF48DFAAD5546EEBBF2AF89300F24C129D418AB255DB355946CF50

Function 0595F1D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ffd30755a1a6e3e7b1f8d13bc8240cf1df2b6fdf0c67615d2270561d46e459
Instruction ID: 2892d219af988a5bd01c4d16128d86f7d7e97ef2436f05c38ba35f58c935e22f
Opcode Fuzzy Hash: b4ffd30755a1a6e3e7b1f8d13bc8240cf1df2b6fdf0c67615d2270561d46e459
Instruction Fuzzy Hash: 6A4106B4E01208CBDB18DFAAC9547EEBBF2AF89310F60D12AD419BB258DB345945CF54

Function 06795EB3 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bd7dd130e7620e9873a0adb96efbec039b303d2c151533db75ffe67242d1c6
Instruction ID: 5e082ab5e2d49c7ad1684d7ba47df300cba1cad205be342ad8c398b27644540d
Opcode Fuzzy Hash: 40bd7dd130e7620e9873a0adb96efbec039b303d2c151533db75ffe67242d1c6
Instruction Fuzzy Hash: C841D270E012088BEB58DFEAD5546EEBBF2AF89300F20D12AD418AB259DB355946CF54

Function 06795A58 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06effdaee22acb29fe8f57bc86f1105dc7ee80667447dfb576997c811febd79
Instruction ID: ad2c89a2e45209b30a7647b2545fe6d7336685eead57cd403a7a2948ec9f7eae
Opcode Fuzzy Hash: a06effdaee22acb29fe8f57bc86f1105dc7ee80667447dfb576997c811febd79
Instruction Fuzzy Hash: 0841E470E01218CFEF58CFAAD5546EEBBF2AF88300F24D12AD418AB258DB355946CF54

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 05950491 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe463ad444a40e9a095246fdb17a776b0ce4ca5c35bc0e11d10918ed3fcdde50
Instruction ID: 5bb3dcc5d25b5b9e16663d00db20705cadf210b1745e48f2e3813ed60dec2601
Opcode Fuzzy Hash: fe463ad444a40e9a095246fdb17a776b0ce4ca5c35bc0e11d10918ed3fcdde50
Instruction Fuzzy Hash: 5D41D470E01208CBDB18DFAAD9586EEBBF2AF88310F24D12AD419AB354DB355946CF54

Function 06796330 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeeeb76b2996af4e6e783df7bac19d995f284e47a9f1ee89994eae100c7b135
Instruction ID: 42554cb3b2a632e8f442cffb918fce1f8686210d71a637cdaba419c438a8d716
Opcode Fuzzy Hash: ebeeeb76b2996af4e6e783df7bac19d995f284e47a9f1ee89994eae100c7b135
Instruction Fuzzy Hash: 0141F3B0E012088BEF48DFBAD9546EEBBF2AF88300F20C129C418BB259DB345945CF50

Function 067948FB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f61bbe204924d4d60044feeb9c942ef5ba3c54d5a3b53c97d61d833fa225169
Instruction ID: 8a3b89cad274d14bc6480d958e4998951319d0c4e738a3a933425de4ef5ba67b
Opcode Fuzzy Hash: 7f61bbe204924d4d60044feeb9c942ef5ba3c54d5a3b53c97d61d833fa225169
Instruction Fuzzy Hash: 2341F370E012088FEF58DFAAD5546EEBBF2AF89300F20D12AC418BB259DB345946CF54

Function 0537F538 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fca6648c5c074f182ad2bc6a993f27b9c344d523007370ed99c73e86cc4dc3e
Instruction ID: 915d50f2cf754efe3e1997d8877bbaf668b7069c338343c6f42f17c553bc5c56
Opcode Fuzzy Hash: 9fca6648c5c074f182ad2bc6a993f27b9c344d523007370ed99c73e86cc4dc3e
Instruction Fuzzy Hash: AD410470D012088BDB18CFAAD9446EEFBF2BF89300F20C02AD419AB254EB355945CF14

Function 0595ED78 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd69293782186a312280415785cdf02965dd83778b5741722770ed327a2cbcff
Instruction ID: 05aa9529b2d6f944f689c116fb297658340befb90bc3cad416adc2b5ed09790f
Opcode Fuzzy Hash: fd69293782186a312280415785cdf02965dd83778b5741722770ed327a2cbcff
Instruction Fuzzy Hash: B841E470E012088BEB18DFEAD9546DEFBF2AF88310F20D12AD419BB258DB355946CF40

Function 0595B0A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ee6631a658caa6bbef281029523ee37eaf8ef9b6ea7da939b768e4f38fef33
Instruction ID: 8b03e7bd2ab7f043d96f50d68e6a9f13b2b87d578f7a6da341072dc17b533f52
Opcode Fuzzy Hash: 13ee6631a658caa6bbef281029523ee37eaf8ef9b6ea7da939b768e4f38fef33
Instruction Fuzzy Hash: DF41D270E002088FDB18DFAAD9546DEBBF3AF89310F20D12AD419AB354EB355946CF54

Function 0595E4C8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce339a7918a66cd3055a0ecc9512efb2e23a8fdb154e3e52e79cf045d17d752
Instruction ID: a219b6e1af955fcb67f74386b7de307e96135632c6a39398c8bf6e0b5a65ab30
Opcode Fuzzy Hash: 7ce339a7918a66cd3055a0ecc9512efb2e23a8fdb154e3e52e79cf045d17d752
Instruction Fuzzy Hash: EF41D370E012088BDB18DFAAD5547DEBBF2AF88310F24D16AD419BB254DB355A46CF40

Function 0595FA80 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2597ad39bb0d1305dfd207dbf351cc0dda5711a18ba2699bf18a66fd932aa071
Instruction ID: c66f04f5ef7b0284f17581895d6f73f6137c972eba63824344230dfd2f28fd6f
Opcode Fuzzy Hash: 2597ad39bb0d1305dfd207dbf351cc0dda5711a18ba2699bf18a66fd932aa071
Instruction Fuzzy Hash: 9741E6B0E00608CBDB18DFAAC9546DEFBF6AF88310F24D12AD418BB255EB355946CF54

Function 06796789 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e980de6214d7cd0f2aa2b95cc1d4eb2f010cc37e3ca17d4ae19f2d8791f92449
Instruction ID: de3adff023eabbb8ea4a9967abebd6049718c5c04abb8704266b2f3820d1e67b
Opcode Fuzzy Hash: e980de6214d7cd0f2aa2b95cc1d4eb2f010cc37e3ca17d4ae19f2d8791f92449
Instruction Fuzzy Hash: B341D674E01248CBEF58DFBAD5546AEBBF2AF88300F20D12AD418BB255EB355946CF50

Function 0537F998 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9180377386a48b5273102ded8bc573d8278bc0a471012620cc06fc6985c2bb6b
Instruction ID: c606f8e4f85a0807ac1d9dcd4cac818f908ba51d11c81d705bbd3d5bd6b654f3
Opcode Fuzzy Hash: 9180377386a48b5273102ded8bc573d8278bc0a471012620cc06fc6985c2bb6b
Instruction Fuzzy Hash: 2E41E370D0120C8BDB18DFAAD5546DDBBF2BF88300F20D12AD419A7358EB345945CF54

Function 0595E922 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22e00939125c22c83e71d8828408313cc1cbad36990738bf528521e343dd2f2
Instruction ID: 005961759bf547469b323e329f80cb6051328a9bef758f33f7bd0dae58919766
Opcode Fuzzy Hash: d22e00939125c22c83e71d8828408313cc1cbad36990738bf528521e343dd2f2
Instruction Fuzzy Hash: C941E570E05208CBEB18DFFAD5546EEBBF2AF88300F24D16AD418AB254DB355A45CF50

Function 0595DC18 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190be71c7a0bb99d0246d7ecea0a672347f4de2122784ecbc3927349d1c5659f
Instruction ID: 61a897b0222ed08ffb5ca87499daf3a665b9c1605d59d08e9d1a2e647513ca80
Opcode Fuzzy Hash: 190be71c7a0bb99d0246d7ecea0a672347f4de2122784ecbc3927349d1c5659f
Instruction Fuzzy Hash: 0941E7B0E052088BDB18DFAAD5547EEBBF2AF88310F24D16AC418BB255DB355946CF44

Function 0595E071 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b790f9636f5584d1ed699bf57ec55f4a6351145fb7e53f88b62dd877cc8607
Instruction ID: d32d7416ede5b0b4bf4ad5db5315ec3eda7190c6e90b86d6b1daabf2e62cf464
Opcode Fuzzy Hash: b5b790f9636f5584d1ed699bf57ec55f4a6351145fb7e53f88b62dd877cc8607
Instruction Fuzzy Hash: 9441F570E012088BDB18DFAAC9546DEBBF2AF88310F20D06AD418BB254DB355A46CF44

Function 0595D7C0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c522a71673e681d7653014a6030000a452b26c32a52f82b73372317c0a620cfd
Instruction ID: a381f07ffbfa2ac0ceb3b51e4f9cf7eb7a6806b41aae91278a21fea4bb609e6a
Opcode Fuzzy Hash: c522a71673e681d7653014a6030000a452b26c32a52f82b73372317c0a620cfd
Instruction Fuzzy Hash: 8C41E470E012088BEB18DFAAC9547DEBBF2AF88310F24D12AD418BB254DB345A45CF54

Function 0595D36A Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27db1c04897cab7a1145ed5da14e72f52e979baf34f86028566a0a8d685523ee
Instruction ID: dfe73355c587ce2efd8790271e8fed1e2bb05bdc0f2583a038e61db9578f3f68
Opcode Fuzzy Hash: 27db1c04897cab7a1145ed5da14e72f52e979baf34f86028566a0a8d685523ee
Instruction Fuzzy Hash: B141E474E012088BEB18DFAAD9546DEBBF2AF88310F24D12AD418BB255DB345A46CF54

Function 0595F629 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d819fe9c323eea9326509a042e35b99c7a35099dd59b071d0dfcbe176208ecdc
Instruction ID: 1d92d181f30f800947ee38dfa908e12274432478c876bb0782bdd4ec7c31f328
Opcode Fuzzy Hash: d819fe9c323eea9326509a042e35b99c7a35099dd59b071d0dfcbe176208ecdc
Instruction Fuzzy Hash: A141E5B0E012088BDB18DFAAD9546DEFBF2AF88310F24D12AD419BB255EB355946CF44

Function 067951AB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b80cbea084c290957437b10e91c31507971fa1363c33581d30ccd7e6f29866
Instruction ID: 34635f560666928e557893ae09e99455c0e5b7aacdcecce8eb43f096d96aa836
Opcode Fuzzy Hash: 87b80cbea084c290957437b10e91c31507971fa1363c33581d30ccd7e6f29866
Instruction Fuzzy Hash: 8341F5B0E012588FEB48DFAAD5546EEBBF2AF89300F20D12AC418BB255DB345946CF54

Function 0595A7F7 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68da8c5ef426359d621e3f55ac92f19e396a653f6963c1c61a546beb6deecb9d
Instruction ID: fe9504dfe2a42da926bc9baf14f9859d38953e18e0ecc415efd1d6287e0d10ba
Opcode Fuzzy Hash: 68da8c5ef426359d621e3f55ac92f19e396a653f6963c1c61a546beb6deecb9d
Instruction Fuzzy Hash: F941E570E012488BEB18DFAAD5547EEFBF2AF88310F24D16AC819BB254DB345946CF44

Function 0595CAB9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb93fc53818f691eef72ee5f115b6ff173cd92773a1c6f14775bd5c1cb19b35b
Instruction ID: 5a80c9c0c0bc740991d4adff038ee073d2055251ba642e5aa6d3a863e6d9bef8
Opcode Fuzzy Hash: eb93fc53818f691eef72ee5f115b6ff173cd92773a1c6f14775bd5c1cb19b35b
Instruction Fuzzy Hash: 3541D375E01208CBEB18DFEAC5546EEBBF2AF88310F20D12AC419BB254DB345946CF54

Function 06797039 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e458cc5c7e89fc1b8dd6ee572b92d480d489f60a1c86883c0d309d7faeaf729
Instruction ID: 06987450516b10f357dde2ce8baa252c6ab9641115d47ac9d49af67e0b00f416
Opcode Fuzzy Hash: 9e458cc5c7e89fc1b8dd6ee572b92d480d489f60a1c86883c0d309d7faeaf729
Instruction Fuzzy Hash: 4441E470E01208CBEF58DFAAD5546EEBBF2AF88304F20D12AD418BB255DB355946CF54

Function 0595AC51 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b9fee2b2ec9c6c6ba4ad84b0a90679ae36f3779b1ef96526a7aadd869e60a4
Instruction ID: 945c5ac44392781ae206c9aac6efbb3f0a52fa01c6caa48c6b7c20be4b0b6ba0
Opcode Fuzzy Hash: f5b9fee2b2ec9c6c6ba4ad84b0a90679ae36f3779b1ef96526a7aadd869e60a4
Instruction Fuzzy Hash: 9241E274E012088BEB18DFAAD5547EEBBF2AF88310F24D12AD419BB258DB355946CF44

Function 0595CF14 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceb6342cedf134a244500996cf8b798ba7e343f6ee55393c62f18e8f354f5f2
Instruction ID: cd4990cd731cd847589d7dc058aba59b6b5ce155e95f1d77498e3888a765013a
Opcode Fuzzy Hash: 5ceb6342cedf134a244500996cf8b798ba7e343f6ee55393c62f18e8f354f5f2
Instruction Fuzzy Hash: 5741E670E01248CBDB18DFBAD5546DEBBF2AF88304F24D12AD419BB258DB345946CF54

Function 0595C208 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe4d13d774e67af7e6bccbe8e21efb0a3d9c7435e01d8254198fda265e90576
Instruction ID: 5bc429e9cd459e68099fb5f71f3fad4abc5849e2948615c8d874a090add0a110
Opcode Fuzzy Hash: cbe4d13d774e67af7e6bccbe8e21efb0a3d9c7435e01d8254198fda265e90576
Instruction Fuzzy Hash: 7B41E574E012488BEB58DFAAD5546DEBBF2AF88310F20D129C419BB254DB355946CF40

Function 0595BDB1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbe814f2aaf718ee1956dbd21a86bbaeb03c55a5a36ca33287b9d816db62c7a
Instruction ID: a1618a6313b5b024c18ce70946ab550b8f22d8049b59adfba56f12cfc161fb46
Opcode Fuzzy Hash: 9dbe814f2aaf718ee1956dbd21a86bbaeb03c55a5a36ca33287b9d816db62c7a
Instruction Fuzzy Hash: 0441E470E012088BDB18DFAAC9546EEBBF2AF88310F24D12AD419BB354DB345955CF40

Function 0595B959 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59587ddd9e1c2421a8aac6a5b23a7969d48de5ad5d5b7b18528005e2d9d4ac8
Instruction ID: 2948718bcc44a37824949b638c2bfd4626422373b0b7b9aa8f0134ed72e61ea2
Opcode Fuzzy Hash: b59587ddd9e1c2421a8aac6a5b23a7969d48de5ad5d5b7b18528005e2d9d4ac8
Instruction Fuzzy Hash: 0241C4B4E01608CBDB18DFAAD5547EEBBF2AF88310F20D12AD419BB258DB345956CF50

Function 0595C662 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6beb42569d0717cf270ff9f55c9f13583b58ff9ef33205cf59c134513812bb
Instruction ID: 0aedb49f4f1657712d49fd1543d84713d3aea5ce5bd27f5b3c2406d42e96a360
Opcode Fuzzy Hash: bc6beb42569d0717cf270ff9f55c9f13583b58ff9ef33205cf59c134513812bb
Instruction Fuzzy Hash: EC41E270E002088BDB18DFAAD9546AEBBF2AF89310F24D12AC418BB254DB355946CF40

Function 0679003D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015b9513634961d0ff332e2f457adfdb536a4ffa684c2dae4208f214248e3a7e
Instruction ID: 7047f5d7f680fb2006f685a344798a2be44e8a4783d4c5ad22967679685a39af
Opcode Fuzzy Hash: 015b9513634961d0ff332e2f457adfdb536a4ffa684c2dae4208f214248e3a7e
Instruction Fuzzy Hash: 1B41B674E01208CFEB58DFAAD5546DEBBF2AF89300F20D129D418BB254DB355945CF54

Function 067ABCB4 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929241668.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f707555ccddae2028227b0bdd7bdeb0f0ff247739cc10526ce9922b8e09117
Instruction ID: 70ab8ba1c070f2f70ac2cccb6c55749cddaf7ca6274fb4916ab4b5a4dd43282b
Opcode Fuzzy Hash: 32f707555ccddae2028227b0bdd7bdeb0f0ff247739cc10526ce9922b8e09117
Instruction Fuzzy Hash: 1A317AB5D052189FCB14CFA9D984ADEFBF5AB49310F14902AE418B7310D378A945CF94

Function 06797F4D Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fe67082b5c0748c5e4c9e7d41268b7712d4538cf61a631a5c36c9a5ab98244
Instruction ID: 3f7730bb08b9f4b7d2cdcc190c9771c8ccb20829c86de974d34d4d48cb35e5ac
Opcode Fuzzy Hash: f1fe67082b5c0748c5e4c9e7d41268b7712d4538cf61a631a5c36c9a5ab98244
Instruction Fuzzy Hash: FC31AFB5E016188BEB58CFAAD8447DEFBF2BF88300F14C12AD418AB254DB741946CF51

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 067986C0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49363f41eeaf029a6ae8dd668361b357e8275a78a34b2c823769205f50d37c03
Instruction ID: 4955f7d5b73bfa0e42eb975ff642182e5d15da550b3b4b6672e3068e9f1c11ef
Opcode Fuzzy Hash: 49363f41eeaf029a6ae8dd668361b357e8275a78a34b2c823769205f50d37c03
Instruction Fuzzy Hash: 6321BDB9D01218CFCB10CF99E684AEDBBF0AB4A310F14941AE814B7310C335A945CF65

Function 067986C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929214370.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635db6937652feba432b6e0ea0a95a2f8a6dd5da43bb2c2da6c5e6f7bfafe386
Instruction ID: f2baaaa776f592fd3421bc289c326d372cb929fb9cd8967647b054c3f236e310
Opcode Fuzzy Hash: 635db6937652feba432b6e0ea0a95a2f8a6dd5da43bb2c2da6c5e6f7bfafe386
Instruction Fuzzy Hash: 1821ABB9D012189FCB10CFA9D584ADEFBF4EB4A320F14906AE818B7310C335A945CFA5

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,029E18D0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(029E1660), ref: 00414050

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 05951B58 Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05951BA6
Hbq, xrefs: 05951DA1
8cq, xrefs: 05951F99
TJcq, xrefs: 05951FD2
Hbq, xrefs: 05951D42

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: 87fceff37b2673051e5596896a6e601ac34f216911bcb3976c420b3f1d04716d
Instruction ID: ea7254496d564e0d3c83a5f5268085fcef54b85a9d88647bb48b101927df842d
Opcode Fuzzy Hash: 87fceff37b2673051e5596896a6e601ac34f216911bcb3976c420b3f1d04716d
Instruction Fuzzy Hash: 22D1D330B042048FCB14DB68C494BAE7BB6FFC9320F2445A9E945EB3A1DA35DC45CB91

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000004.00000002.2925212798.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2925212798.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.2925212798.000000000043B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 059515D0 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0595182B
, xrefs: 059516BD
Hbq, xrefs: 05951891
Hbq, xrefs: 0595185E

Memory Dump Source

Source File: 00000004.00000002.2928965888.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5950000_RegSvcs.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: 4a39caa07a613e90f6bd270f57c30975af5623c0a9ccc6b8d9b929c47da8f2ae
Instruction ID: a61b402018ac1435e700956633383ee64fc1e93a80d3aacd322a4fdbbdd99f32
Opcode Fuzzy Hash: 4a39caa07a613e90f6bd270f57c30975af5623c0a9ccc6b8d9b929c47da8f2ae
Instruction Fuzzy Hash: 1C71AE30B402088BCF259F78D45877E3AA7EB85370F248629E9528B3D0DF348D51DB52

Function 053753A8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 053753DA
\;^q, xrefs: 053753B4
\;^q, xrefs: 053753BE
\;^q, xrefs: 053753E6

Memory Dump Source

Source File: 00000004.00000002.2928500484.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5370000_RegSvcs.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 8216a00c450eceb0a5c101c9ac7823d1318f2a7c888d1199396466c8604ff3b6
Instruction ID: d9e875c8ff2e4980420aa9c05b005d0902db1545aebdf05ab939f54cfc219ddf
Opcode Fuzzy Hash: 8216a00c450eceb0a5c101c9ac7823d1318f2a7c888d1199396466c8604ff3b6
Instruction Fuzzy Hash: 28019A31F50118CFDB388A6DD444A2A37EBFF88A61725456AE402CF3B0DAA5DC418781

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1MRforsteamDRUM-A1_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\batchers

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
z1MRforsteamDRUM-A1_pdf.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 0537A658 Relevance: 6.6, Strings: 5, Instructions: 352
COMMON

Function 053739E0 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Function 0537B0F0 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Function 0537AB10 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Function 0537B3E0 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Function 0537B6D0 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Function 0537AE00 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Function 0537B9C1 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre