Windows Analysis Report
741094845300.exe

Overview

General Information

Sample name:741094845300.exe
Analysis ID:1567182
MD5:ec62fb7d71913b276757098aa90f81a1
SHA1:73bcd8b26b152831de2bf5f0d82b836c2a37d34b
SHA256:aa566695615be4dfa3b6a6779df02a90e1848711f7e31ac222fd3341c5987947
Infos:

Detection

Snake Keylogger
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 741094845300.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\741094845300.exe" MD5: EC62FB7D71913B276757098AA90F81A1)
    • 741094845300.exe (PID: 7468 cmdline: C:\Users\user\Desktop\741094845300.exe MD5: EC62FB7D71913B276757098AA90F81A1)
      • WerFault.exe (PID: 7548 cmdline: C:\Windows\system32\WerFault.exe -u -p 7468 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
      • 0x1b75f4:$a1: get_encryptedPassword
      • 0x1d8034:$a1: get_encryptedPassword
      • 0x1f886c:$a1: get_encryptedPassword
      • 0x1b78e0:$a2: get_encryptedUsername
      • 0x1d8320:$a2: get_encryptedUsername
      • 0x1f8b58:$a2: get_encryptedUsername
      • 0x1b7400:$a3: get_timePasswordChanged
      • 0x1d7e40:$a3: get_timePasswordChanged
      • 0x1f8678:$a3: get_timePasswordChanged
      • 0x1b74fb:$a4: get_passwordField
      • 0x1d7f3b:$a4: get_passwordField
      • 0x1f8773:$a4: get_passwordField
      • 0x1b760a:$a5: set_encryptedPassword
      • 0x1d804a:$a5: set_encryptedPassword
      • 0x1f8882:$a5: set_encryptedPassword
      • 0x1b8ca5:$a7: get_logins
      • 0x1d96e5:$a7: get_logins
      • 0x1f9f1d:$a7: get_logins
      • 0x1b8c08:$a10: KeyLoggerEventArgs
      • 0x1d9648:$a10: KeyLoggerEventArgs
      • 0x1f9e80:$a10: KeyLoggerEventArgs
00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
      • 0x1bc5b8:$x1: $%SMTPDV$
      • 0x1dcff8:$x1: $%SMTPDV$
      • 0x1fd830:$x1: $%SMTPDV$
      • 0x1baf9c:$x2: $#TheHashHere%&
      • 0x1db9dc:$x2: $#TheHashHere%&
      • 0x1fc214:$x2: $#TheHashHere%&
      • 0x1bc560:$x3: %FTPDV$
      • 0x1dcfa0:$x3: %FTPDV$
      • 0x1fd7d8:$x3: %FTPDV$
      • 0x1baf3c:$x4: $%TelegramDv$
      • 0x1db97c:$x4: $%TelegramDv$
      • 0x1fc1b4:$x4: $%TelegramDv$
      • 0x1b8873:$x5: KeyLoggerEventArgs
      • 0x1b8c08:$x5: KeyLoggerEventArgs
      • 0x1d92b3:$x5: KeyLoggerEventArgs
      • 0x1d9648:$x5: KeyLoggerEventArgs
      • 0x1f9aeb:$x5: KeyLoggerEventArgs
      • 0x1f9e80:$x5: KeyLoggerEventArgs
      • 0x1bc584:$m2: Clipboard Logs ID
      • 0x1bc7c2:$m2: Screenshot Logs ID
      • 0x1bc8d2:$m2: keystroke Logs ID
Process Memory Space: 741094845300.exe PID: 7332 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.741094845300.exe.13dfb5b0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.741094845300.exe.13dfb5b0.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.741094845300.exe.13dfb5b0.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
            • 0x12c84:$a1: get_encryptedPassword
            • 0x12f70:$a2: get_encryptedUsername
            • 0x12a90:$a3: get_timePasswordChanged
            • 0x12b8b:$a4: get_passwordField
            • 0x12c9a:$a5: set_encryptedPassword
            • 0x14335:$a7: get_logins
            • 0x14298:$a10: KeyLoggerEventArgs
            • 0x13f03:$a11: KeyLoggerEventArgsEventHandler
0.2.741094845300.exe.13dfb5b0.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
            • 0x1a5fe:$a2: \Comodo\Dragon\User Data\Default\Login Data
            • 0x19830:$a3: \Google\Chrome\User Data\Default\Login Data
            • 0x19c63:$a4: \Orbitum\User Data\Default\Login Data
            • 0x1aca2:$a5: \Kometa\User Data\Default\Login Data
0.2.741094845300.exe.13dfb5b0.4.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
            • 0x1386f:$s1: UnHook
            • 0x13876:$s2: SetHook
            • 0x1387e:$s3: CallNextHook
            • 0x1388b:$s4: _hook
            No Sigma rule has matched
            No Suricata rule has matched

            AV Detection

            Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}
            Source: 741094845300.exe, ReversingLabs: Detection: 18%
            Source: 741094845300.exe, Virustotal: Detection: 18%
            Source: Submited Sample, Integrated Neural Analysis Model: Matched 99.9% probability
            Source: 741094845300.exe, Joe Sandbox ML: detected
            Source: 741094845300.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: Yara match, File source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE
            Source: 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
            Source: 741094845300.exe, 00000000.00000002.1233730524.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://localhost/arkanoid_server/requests.php
            Source: 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/

            System Summary

            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR, Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: C:\Users\user\Desktop\741094845300.exe, Code function: 0_2_00007FFAAC5258A1 0_2_00007FFAAC5258A1
            Source: C:\Users\user\Desktop\741094845300.exe, Code function: 0_2_00007FFAAC5208A9 0_2_00007FFAAC5208A9
            Source: C:\Users\user\Desktop\741094845300.exe, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 12
            Source: 741094845300.exe, Static PE information: No import functions for PE file found
            Source: 741094845300.exe, 00000000.00000002.1233730524.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000002.1233730524.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000000.1221855389.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameZECH.exe0 vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000002.1243299136.000000001C6F0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000002.1243844798.000000001E5F0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 741094845300.exe
            Source: 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs 741094845300.exe
            Source: 741094845300.exe, Binary or memory string: OriginalFilenameZECH.exe0 vs 741094845300.exe
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 741094845300.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, ---.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, 2-.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, ---.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, 2-.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, ---.cs, Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
            Source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, ---.cs, Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
            Source: classification engine, Classification label: mal88.troj.evad.winEXE@4/1@0/0
            Source: C:\Users\user\Desktop\741094845300.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\741094845300.exe.log
            Source: C:\Users\user\Desktop\741094845300.exe, Mutant created: NULL
            Source: C:\Windows\System32\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
            Source: C:\Windows\System32\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\381dbb8c-5d21-4557-bbae-8b50223d9b6a
            Source: 741094845300.exe, Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Users\user\Desktop\741094845300.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 741094845300.exe, ReversingLabs: Detection: 18%
            Source: 741094845300.exe, Virustotal: Detection: 18%
            Source: unknown, Process created: C:\Users\user\Desktop\741094845300.exe "C:\Users\user\Desktop\741094845300.exe"
            Source: C:\Users\user\Desktop\741094845300.exe, Process created: C:\Users\user\Desktop\741094845300.exe C:\Users\user\Desktop\741094845300.exe
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: version.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\741094845300.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\741094845300.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 741094845300.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 741094845300.exe, Static PE information: Image base 0x140000000 > 0x60000000
            Source: 741094845300.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\741094845300.exe, Code function: 0_2_00007FFAAC5264C8 pushad ; iretd 0_2_00007FFAAC526553
            Source: C:\Users\user\Desktop\741094845300.exe, Code function: 0_2_00007FFAAC527969 push ebx; retf 0_2_00007FFAAC52796A
            Source: 741094845300.exe, Static PE information: section name: .text entropy: 7.595314549906555
            Source: C:\Users\user\Desktop\741094845300.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\741094845300.exe, Memory allocated: 1290000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\741094845300.exe, Memory allocated: 1BC30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\741094845300.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\741094845300.exe TID: 7356, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\741094845300.exe, Process queried: DebugPort
            Source: C:\Users\user\Desktop\741094845300.exe, Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\741094845300.exe, Thread register set: target process: 7468
            Source: C:\Users\user\Desktop\741094845300.exe, Process created: C:\Users\user\Desktop\741094845300.exe C:\Users\user\Desktop\741094845300.exe
            Source: C:\Users\user\Desktop\741094845300.exe, Queries volume information: C:\Users\user\Desktop\741094845300.exe VolumeInformation
            Source: C:\Users\user\Desktop\741094845300.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 0.2.741094845300.exe.13dfb5b0.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13ddab70.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13dfb5b0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.741094845300.exe.13ddab70.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 741094845300.exe PID: 7332, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 41 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Source | Detection | Scanner | Label | Link
            741094845300.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Sonbokli |
            741094845300.exe | 18% | Virustotal | | Browse
            741094845300.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://localhost/arkanoid_server/requests.php | 0% | Avira URL Cloud | safe |
            No contacted domains info

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://localhost/arkanoid_server/requests.php | 741094845300.exe, 00000000.00000002.1233730524.0000000003C31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://checkip.dyndns.org/q | 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://reallyfreegeoip.org/xml/ | 741094845300.exe, 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp | false | | high
            No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1567182
                Start date and time:2024-12-03 08:54:29 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 12s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:18
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:741094845300.exe
                Detection:MAL
                Classification:mal88.troj.evad.winEXE@4/1@0/0
                EGA Information:Failed
                HCA Information:Failed
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target 741094845300.exe, PID 7332 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                Time | Type | Description
                02:55:20 | API Interceptor | 1x Sleep call for process: 741094845300.exe modified
                No context
                Process:C:\Users\user\Desktop\741094845300.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1510
                Entropy (8bit):5.380493107040482
                Encrypted:false
                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                MD5:3C7E5782E6C100B90932CBDED08ADE42
                SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.604337929568291
                TrID:
                • Win64 Executable GUI Net Framework (217006/5) 49.88%
                • Win64 Executable GUI (202006/5) 46.43%
                • Win64 Executable (generic) (12005/4) 2.76%
                • Generic Win/DOS Executable (2004/3) 0.46%
                • DOS Executable Generic (2002/1) 0.46%
                File name:741094845300.exe
                File size:732'672 bytes
                MD5:ec62fb7d71913b276757098aa90f81a1
                SHA1:73bcd8b26b152831de2bf5f0d82b836c2a37d34b
                SHA256:aa566695615be4dfa3b6a6779df02a90e1848711f7e31ac222fd3341c5987947
                SHA512:9b775be7a3fa11c11da716454b92cd41e5b8275814a897a673f2758dd3244be5e727f6b3af702bd29ea894717004c27dd14b08a040131d923bbdc30ad8fb10c1
                SSDEEP:12288:yDJWIRPRii7fTUXRxJLS+knj+sWya7fgXonnMwhdZ4B9cYoPuJVzwM5RMIR:yDJWIWi7rUXR++kFXGf2iNgc/PrI
                TLSH:A0F4CFC03B24734ECC6AD4318669DC74A2122D75A206B1E768DB379BB69E053DF18F93
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Ng.........."...0......N........... .....@..... .......................`............@...@......@............... .....
                Icon Hash:033424c4c199d839
                Entrypoint:0x140000000
                Entrypoint Section:
                Digitally signed:false
                Imagebase:0x140000000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x674E9CCB [Tue Dec 3 05:53:15 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:
                Instruction
                dec ebp
                pop edx
                nop
                add byte ptr [ebx], al
                add byte ptr [eax], al
                add byte ptr [eax+eax], al
                add byte ptr [eax], al
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x4ca8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0xadd2c | 0xade00 | b2378bb3df46d84edd311ffe82967167 | False | 0.8723012895398994 | data | 7.595314549906555 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0xb0000 | 0x4ca8 | 0x4e00 | a5fdd1fd8e3b5b80628d4ed553723f75 | False | 0.9411057692307693 | data | 7.768948589261188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_ICON | 0xb0130 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9932852661126094
                RT_GROUP_ICON | 0xb482c | 0x14 | data | | | 1.05
                RT_VERSION | 0xb4840 | 0x278 | data | | | 0.47310126582278483
                RT_MANIFEST | 0xb4ab8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                No network behavior found

                Target ID:0
                Start time:02:55:20
                Start date:03/12/2024
                Path:C:\Users\user\Desktop\741094845300.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\741094845300.exe"
                Imagebase:0x8b0000
                File size:732'672 bytes
                MD5 hash:EC62FB7D71913B276757098AA90F81A1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1237076077.0000000013C38000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                Target ID:3
                Start time:02:55:21
                Start date:03/12/2024
                Path:C:\Users\user\Desktop\741094845300.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\741094845300.exe
                Imagebase:0x40000
                File size:732'672 bytes
                MD5 hash:EC62FB7D71913B276757098AA90F81A1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                Target ID:6
                Start time:02:55:21
                Start date:03/12/2024
                Path:C:\Windows\System32\WerFault.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\WerFault.exe -u -p 7468 -s 12
                Imagebase:0x7ff6b4a50000
                File size:570'736 bytes
                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  • Instruction ID: d60fe6b185a2420450f1434d5603a0ca55a7a37984a21f08abb460a34718c487
                  • Opcode Fuzzy Hash: 239026cf14a4c630db99c560ef6a34934251593a18923375c9a1d59467b876d0
                  • Instruction Fuzzy Hash: CB31F534E4E64BCBFF59C71884455AC7BE5EF42310FA48239E49D972C5EE28E80E86C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62254f46b02003c50b3e7fa6942e2c5ade79c41aceed8cb984bbd67e3fe38f93
                  • Instruction ID: 831598bc7a36c799fafe33ab8094f36517b039f342e6709a391c41973c390b69
                  • Opcode Fuzzy Hash: 62254f46b02003c50b3e7fa6942e2c5ade79c41aceed8cb984bbd67e3fe38f93
                  • Instruction Fuzzy Hash: A021F43164E3C54FD31A873488651A63FB5EF83220B1982FFD486CB1A3D9295C0AC3D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ffc5b5c9574cf1b8699f1df7105c267425ccbd2801819ab5d6b676cf3352b4d
                  • Instruction ID: 7a54b56c02745731ec385fd8812b4b8947a2da0de2e98aa26f88179e812f9f99
                  • Opcode Fuzzy Hash: 5ffc5b5c9574cf1b8699f1df7105c267425ccbd2801819ab5d6b676cf3352b4d
                  • Instruction Fuzzy Hash: 9521D522A6D94B8BFB5CE728845267972D5EF55701F54C1BDA04FC32D3EE28E80947C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 74c0395a3fcb6ac8df4f61a0ce21f825c2e620e826499f5c5f6103a3fb1a4978
                  • Instruction ID: 48ff8d272ef083917fc534fb7e5e6d8081655ea279b90b370bdfb9a3f31fc46e
                  • Opcode Fuzzy Hash: 74c0395a3fcb6ac8df4f61a0ce21f825c2e620e826499f5c5f6103a3fb1a4978
                  • Instruction Fuzzy Hash: 8021FF74A4892D8FEF98EF58C884BAC77F1FB69301F10416AE04DE7351DA34A845CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f56cbc5fcf4c59037664f1f71bf670869b39bd6e0ca234869c3b18356452889
                  • Instruction ID: 3d77cffc4e7d5b8d77e259708096d94c3b7790ff09f403b53c0f1785e8e2e28b
                  • Opcode Fuzzy Hash: 7f56cbc5fcf4c59037664f1f71bf670869b39bd6e0ca234869c3b18356452889
                  • Instruction Fuzzy Hash: D9113532F4D9478BF658A71C945627573C6EB99300F54827AE48FC3293EC18DC0A46C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7940b93521f14cd005e16146fbd8cff853314381992d666fae066702d787fc89
                  • Instruction ID: 956938b2900c1949efd745775fa16d4141a096405087b921533f9fb062a560da
                  • Opcode Fuzzy Hash: 7940b93521f14cd005e16146fbd8cff853314381992d666fae066702d787fc89
                  • Instruction Fuzzy Hash: 871120A2A1DA8A8FFA68AB2C945197473D1EF65304B4485BEE08FC7193ED14E80947C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c330cc3645cf03b6b67a2c5621c32ea7adbd4adf7e39949a3eeab4f8eb2559b
                  • Instruction ID: bfe80b80494a2896daf77382521b92e896c6ed1dc6d64cc8fa0b3b2599fad55d
                  • Opcode Fuzzy Hash: 4c330cc3645cf03b6b67a2c5621c32ea7adbd4adf7e39949a3eeab4f8eb2559b
                  • Instruction Fuzzy Hash: DE112722B4DA964AF725E77CE4620F9BBD0DF82235704867BE4DEC2293ED18A44743D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e948d70f2679b3c98a88985e705f3cfd25d3f8df86d65d868a815cee3dc53147
                  • Instruction ID: 66b62df2a935f53715f48478e07054a3c20f140e300b537594c981eacb601ea5
                  • Opcode Fuzzy Hash: e948d70f2679b3c98a88985e705f3cfd25d3f8df86d65d868a815cee3dc53147
                  • Instruction Fuzzy Hash: B4216A31A08A5D8FEB54DF58D8406EE77F2FB99311F00427AE40DE7294DA34A9548BC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4883d6291c908fb5a5d59df4e568f89e03cf94d3098bd5890378e984a1072eac
                  • Instruction ID: 8eb8a800ce0393478e44b72b87617b8e8524573d94961c9aea974b6dd45e9578
                  • Opcode Fuzzy Hash: 4883d6291c908fb5a5d59df4e568f89e03cf94d3098bd5890378e984a1072eac
                  • Instruction Fuzzy Hash: B40108326096194BE32C9A28D8554BA779AEBD6320B11833EE48B97295ED29AC0646C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 672c8925c22a4289fa9e3a3ade7eb0d99844da4ef141a4cdbcf64e2cff29634e
                  • Instruction ID: a57a5bd8241ac3bb7c5182820bc4adc5c6f014761891c21456de931192494140
                  • Opcode Fuzzy Hash: 672c8925c22a4289fa9e3a3ade7eb0d99844da4ef141a4cdbcf64e2cff29634e
                  • Instruction Fuzzy Hash: 36012632F1D9464BF69CA71C945627573C6EBA9310B54827AE08FC3397EC14EC0646C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b26d71636258abb275defb5785d38e2b2c4592cbafa4b5a53db79491be5c66a
                  • Instruction ID: 34cbd4a3527b82c3f6c2d87ed66829cb3eb78e27c2bb290da923008b643b3a94
                  • Opcode Fuzzy Hash: 0b26d71636258abb275defb5785d38e2b2c4592cbafa4b5a53db79491be5c66a
                  • Instruction Fuzzy Hash: 1501F96294DBD64FE7568B3C98520A1BFF0EF5721070986EBD4CAC7593EA28984643C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6629064613e41852d7ec563825cbac0412d3bdf6b4d747ad2bb82f304c46ab14
                  • Instruction ID: b9a4cca63e6fa8de40481b757b6dcc958aff1dae07585920ac10385d0c9b6c03
                  • Opcode Fuzzy Hash: 6629064613e41852d7ec563825cbac0412d3bdf6b4d747ad2bb82f304c46ab14
                  • Instruction Fuzzy Hash: D011C632B5DA068BE75CAB1CD45626573D6EB94300FA082BAE54FC3396ED24AC0646C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 20babcffdafb4c467702971ce2c2592aceb320fc5ee066a9b28d586b83012528
                  • Instruction ID: 2e851df6eff990aa54db530241cc48518963a9d19413c5fead30d825375b3858
                  • Opcode Fuzzy Hash: 20babcffdafb4c467702971ce2c2592aceb320fc5ee066a9b28d586b83012528
                  • Instruction Fuzzy Hash: 551186716197058FD74CDF08C491966B7E1FBD9300B24852CE48B87695DA34F886CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6bb4381e96539923b257f72c71747e957c8c275bf4e35ba070bc70f0a3489713
                  • Instruction ID: 63e45c0225ebca9dfee2b8b6a249eb4d65b8b7ff3b9a06abeecabeadfed1ae24
                  • Opcode Fuzzy Hash: 6bb4381e96539923b257f72c71747e957c8c275bf4e35ba070bc70f0a3489713
                  • Instruction Fuzzy Hash: 0801923172890A8FEB4CEB28C895A7973D6EB99305B548179E40FCB2B6DD28ED01C745
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cca33885971123b6800d2db8fc584b8e235a1657058af5e22f94a87263aa2704
                  • Instruction ID: 33916c5f9d4cb9e8f4eb75d81ec07f5e36471a488b7b89b4b081c9dce448f94a
                  • Opcode Fuzzy Hash: cca33885971123b6800d2db8fc584b8e235a1657058af5e22f94a87263aa2704
                  • Instruction Fuzzy Hash: 1FF0C8317985064BD71D9B2C885313933DAE7D7710724927DD9DBC36E2EC24E45786C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5e057696254b74aa36216cd521426b61ad137b6b1b9f98c9906d5a2dc86db392
                  • Instruction ID: 069ad9dd022e7028169c4f63aa1c436ced0edaaa7eb475fdd56bae121d3c07e1
                  • Opcode Fuzzy Hash: 5e057696254b74aa36216cd521426b61ad137b6b1b9f98c9906d5a2dc86db392
                  • Instruction Fuzzy Hash: 1EF0F63670D2064FA60CD71CAD130B8B3C7DBD6330B61922ED48BC629AED38A41B05C9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed95b47db19d5d4834752f1d995c90baf1a28d5cc2a1286c4c040b2956694657
                  • Instruction ID: fc6fc9b62e1290f63b01d8b238cae3fc3db281c1685184cbf83068b232fe329e
                  • Opcode Fuzzy Hash: ed95b47db19d5d4834752f1d995c90baf1a28d5cc2a1286c4c040b2956694657
                  • Instruction Fuzzy Hash: 92014C6798F7CA8FE712572898B51D63FE4EF83214F0A40EBE0C98E0A3B814584986D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a2837fc5762804dd7548ebe6edd59f0850ec11c021f269684b3eefaf097f4c35
                  • Instruction ID: ce7c70b44a4da69bbdefce4c421733645f0282879534d6dd0b6fc0306d7029fa
                  • Opcode Fuzzy Hash: a2837fc5762804dd7548ebe6edd59f0850ec11c021f269684b3eefaf097f4c35
                  • Instruction Fuzzy Hash: F4F0F0312585078BA70C8B2C8C5707433CAE793310760A23EE8C7C36E3ED28E86389C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0cf69cd22790c9fb0dcf5347faadc8b5b1d7f02ad03f254d0681b0ebdf19dbee
                  • Instruction ID: 4eba8e784e7cb47479598e77b9adfc5252264b2c84bcab2c51a571ac48e36ab3
                  • Opcode Fuzzy Hash: 0cf69cd22790c9fb0dcf5347faadc8b5b1d7f02ad03f254d0681b0ebdf19dbee
                  • Instruction Fuzzy Hash: D5F02821A98E564BF768EB3CE4520B9B7D0DF45214704C73BE49FC2356EE28B84202C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f0581972cffb534bffe97bb22f1611e67516a3c77f0cab6080ec45e6cf49363e
                  • Instruction ID: c9448d8e9d842e0b0e6c9b4f98c630cf721df04065f254e704b9653466fc4144
                  • Opcode Fuzzy Hash: f0581972cffb534bffe97bb22f1611e67516a3c77f0cab6080ec45e6cf49363e
                  • Instruction Fuzzy Hash: E7F0287170C5194F870CEB1C8866479729AE7DA700714D63EE5CBCB3D6EC24A90647C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e832e0c6c5edfa301f4d3db2ba150b4d8165c3143d55a2b0f5ab4fd34d8f1301
                  • Instruction ID: bcb11f5245df5cd2af6e912a4133781e7643b35337e39ed961830e8196828c1b
                  • Opcode Fuzzy Hash: e832e0c6c5edfa301f4d3db2ba150b4d8165c3143d55a2b0f5ab4fd34d8f1301
                  • Instruction Fuzzy Hash: 4A11E570D1850ACFDF44DF94C8809EEB7F5FFA8310F24822AD40AA7258DB34A9468B94
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fa610a02101df58b1534d3bb12c0303a5fa48e00d3960500a34c20e93513c911
                  • Instruction ID: ac2ce971fb1c80a745bd733bbaf7eaa620bb50d06b5d50e213bda95b6b22516e
                  • Opcode Fuzzy Hash: fa610a02101df58b1534d3bb12c0303a5fa48e00d3960500a34c20e93513c911
                  • Instruction Fuzzy Hash: 02F0C232B1D5068FF64CA718D45266532C6EB99700FA0817AE68FC3297ED24EC0746C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cbb469f1b2a216800ad47098085afb72127699a523a63ffffa671d4c1d18acc9
                  • Instruction ID: 42e39d2e45aa6e74a76e08574d1f6aab2465e343684b05577766a1101de9b6d9
                  • Opcode Fuzzy Hash: cbb469f1b2a216800ad47098085afb72127699a523a63ffffa671d4c1d18acc9
                  • Instruction Fuzzy Hash: 38F0B472B5D40547E61CDA1894122B672CBD7C6710B21C13DD94FC26DBED28A91605C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 688ce814c9f0c3a4e90ab5214e54c60b76f0266824beae6631f0773a44f2eb87
                  • Instruction ID: cb4ea535864f8eaaa83afa5ce9f00a589bd60a42152bdf89dbcec1e881cfffe7
                  • Opcode Fuzzy Hash: 688ce814c9f0c3a4e90ab5214e54c60b76f0266824beae6631f0773a44f2eb87
                  • Instruction Fuzzy Hash: 8FF03C66A8F7DA8EE713133858B51D63FE0DF83114F0941E7E4C88A0A3B809584D83A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c05101a57d346e4ecc0bab9b279bd8962f3fc0ef565c1bdf4f39c730c7f4d68
                  • Instruction ID: a580b1cdd9d0840cd9ca45c6ad0bd6796aea04b6e85c7087b618638b1a531443
                  • Opcode Fuzzy Hash: 9c05101a57d346e4ecc0bab9b279bd8962f3fc0ef565c1bdf4f39c730c7f4d68
                  • Instruction Fuzzy Hash: 05F0E231A98E1A4BE7A8DB2CD406179B3D5EB89210700873EA89FD3654EE38B84202C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6dbfb4455322dc9420eb849353f3d5045f8997934f5acb01be35e795d04a6905
                  • Instruction ID: d9979909dbf00311efd423e760aa30dbad5f6be3986acef316bfee6c1ff9feb4
                  • Opcode Fuzzy Hash: 6dbfb4455322dc9420eb849353f3d5045f8997934f5acb01be35e795d04a6905
                  • Instruction Fuzzy Hash: 73F02B72B548178BE71CFB3884418BD73C6EB91360706853AE449CB2E2EE28DD4996C4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58a64cc6dd339cf9de4dbb1ec61876765ffa9b01ba6f2988fcd410554c95178d
                  • Instruction ID: 035ef170d8292b0890f80351781b996d018fd4560bcb1e6b90ce555bbab5682e
                  • Opcode Fuzzy Hash: 58a64cc6dd339cf9de4dbb1ec61876765ffa9b01ba6f2988fcd410554c95178d
                  • Instruction Fuzzy Hash: A0F0F621F5CA1B8BF728DB68C49157773D6D796350B04823AC10BC6695EE24E90A82C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37aabfc65a29f40f85fe6106c185663edb96dbf16f8344e47488c3143b58955f
                  • Instruction ID: 38b939154026e62f397ec1186111ae02dc1d20bff5e883d263266651689561fd
                  • Opcode Fuzzy Hash: 37aabfc65a29f40f85fe6106c185663edb96dbf16f8344e47488c3143b58955f
                  • Instruction Fuzzy Hash: ADF0D62056E6829FE30E9328885207977D5AF82310B11817EE08B875E7ED18F84583D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6914449e626a7fe4faf4612647a9e8a2bf3212b0cc34578ca7082ddc946424f3
                  • Instruction ID: 561d3615387ca8d98ffdb720d741bd58ba737cdd232391a9157004885f465c6f
                  • Opcode Fuzzy Hash: 6914449e626a7fe4faf4612647a9e8a2bf3212b0cc34578ca7082ddc946424f3
                  • Instruction Fuzzy Hash: 6D012C7094929DCFDB19DF58C8456ADB7B2FF15304F1441ADE48EA7241CB34A896DF80
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b767d54b5d66fb0e80232b08d486594275d54990002e0eea4db73d3879561bd
                  • Instruction ID: 93bae3421cea52aaaaf88373d9417c040148694ec4c48b5e06f0b3b0b4db096a
                  • Opcode Fuzzy Hash: 8b767d54b5d66fb0e80232b08d486594275d54990002e0eea4db73d3879561bd
                  • Instruction Fuzzy Hash: 01F0F030B592028B930CDB2C8D4547673DAEBCA301720867EE08BCA299D934E8068684
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 28fb185b32d2d605c86095459025706d9174ea22e31e70453392b2b75155cd67
                  • Instruction ID: 20ea400e7d2ed0ea6c8bd685b59c234256b5bad470bded53ebf0b5a64afb5a59
                  • Opcode Fuzzy Hash: 28fb185b32d2d605c86095459025706d9174ea22e31e70453392b2b75155cd67
                  • Instruction Fuzzy Hash: CFF0BB31B492068FE70CDB28855446977D7FBC6315B10C67DE447C73A5EA34E506CA84
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b2ef74bde3cb7b21533b4588e57a00f87f951fb44d5753070af2d6b68898bce8
                  • Instruction ID: 72e0599643aee05b9337ce2f1039eddce7c232883b2d289928820526de48e66e
                  • Opcode Fuzzy Hash: b2ef74bde3cb7b21533b4588e57a00f87f951fb44d5753070af2d6b68898bce8
                  • Instruction Fuzzy Hash: C0F0F43181E3428FE716EB1488564763FA4DF47300F25C4BEE04A8B0A7E929E80AC792
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67d4cae7355027a769fcec5f5d82f56298bab0876cdceb640fe95ece0ce07e67
                  • Instruction ID: 273654e1eedae314ead75ab470906df4fad73d26924310b6b3f78c456dd07b7c
                  • Opcode Fuzzy Hash: 67d4cae7355027a769fcec5f5d82f56298bab0876cdceb640fe95ece0ce07e67
                  • Instruction Fuzzy Hash: C3E0ED21B5E9154BA648B74C78031F9B3C1EB86720F5041BAF54EC229BED19A90641CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1244437708.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac520000_741094845300.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c2d41810ab1f3813e6d97befb0fa221bf547ad39d5cc3703a574b0cd1091ab2a
                  • Instruction ID: e1b1271434cdf14e112f1ec67858c7f78f2f5cc7edb41873564e818a8565e37e
                  • Opcode Fuzzy Hash: c2d41810ab1f3813e6d97befb0fa221bf547ad39d5cc3703a574b0cd1091ab2a
                  • Instruction Fuzzy Hash: 16F02E3270842B8FE60DB71C44444B433C9E755310F15C13EE84ECB2E1FE14E84649C4