Edit tour

Windows Analysis Report
MV GOLDEN SCHULTE DETAILS.exe

Overview

General Information

Sample name:	MV GOLDEN SCHULTE DETAILS.exe
Analysis ID:	1576558
MD5:	6f6b30df02a24ad8819384f41b743a8a
SHA1:	c2bdbd4518c77544484d324fc39ce7f320e59fbc
SHA256:	f75da861b7cbf08727ea95e5e6111db769b818deec9d0328decc37a8a08a608f
Tags:	exeuser-julianmckein
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MV GOLDEN SCHULTE DETAILS.exe (PID: 2960 cmdline: "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe" MD5: 6F6B30DF02A24AD8819384F41B743A8A)

MV GOLDEN SCHULTE DETAILS.exe (PID: 2760 cmdline: "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe" MD5: 6F6B30DF02A24AD8819384F41B743A8A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3694364610.0000000005540000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000002.00000002.3691640862.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1491f:$a1: get_encryptedPassword 0x14c0b:$a2: get_encryptedUsername 0x1472b:$a3: get_timePasswordChanged 0x14826:$a4: get_passwordField 0x14935:$a5: set_encryptedPassword 0x15fd0:$a7: get_logins 0x15f33:$a10: KeyLoggerEventArgs 0x15b9e:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182f8:$x1: $%SMTPDV$ 0x1835e:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x19b40:$x4: $%TelegramDv$ 0x15b9e:$x5: KeyLoggerEventArgs 0x15f33:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19c90:$m2: Screenshot Logs ID 0x19da0:$m2: keystroke Logs ID 0x1a07a:$m3: SnakePW 0x19c68:$m4: \SnakeKeylogger\
00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf412f:$a1: get_encryptedPassword 0x114d5f:$a1: get_encryptedPassword 0x13577f:$a1: get_encryptedPassword 0xf441b:$a2: get_encryptedUsername 0x11504b:$a2: get_encryptedUsername 0x135a6b:$a2: get_encryptedUsername 0xf3f3b:$a3: get_timePasswordChanged 0x114b6b:$a3: get_timePasswordChanged 0x13558b:$a3: get_timePasswordChanged 0xf4036:$a4: get_passwordField 0x114c66:$a4: get_passwordField 0x135686:$a4: get_passwordField 0xf4145:$a5: set_encryptedPassword 0x114d75:$a5: set_encryptedPassword 0x135795:$a5: set_encryptedPassword 0xf57e0:$a7: get_logins 0x116410:$a7: get_logins 0x136e30:$a7: get_logins 0xf5743:$a10: KeyLoggerEventArgs 0x116373:$a10: KeyLoggerEventArgs 0x136d93:$a10: KeyLoggerEventArgs
00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf7b08:$x1: $%SMTPDV$ 0x118738:$x1: $%SMTPDV$ 0x139158:$x1: $%SMTPDV$ 0xf7b6e:$x2: $#TheHashHere%& 0x11879e:$x2: $#TheHashHere%& 0x1391be:$x2: $#TheHashHere%& 0xf925c:$x3: %FTPDV$ 0x119e8c:$x3: %FTPDV$ 0x13a8ac:$x3: %FTPDV$ 0xf9350:$x4: $%TelegramDv$ 0x119f80:$x4: $%TelegramDv$ 0x13a9a0:$x4: $%TelegramDv$ 0xf53ae:$x5: KeyLoggerEventArgs 0xf5743:$x5: KeyLoggerEventArgs 0x115fde:$x5: KeyLoggerEventArgs 0x116373:$x5: KeyLoggerEventArgs 0x1369fe:$x5: KeyLoggerEventArgs 0x136d93:$x5: KeyLoggerEventArgs 0xf9280:$m2: Clipboard Logs ID 0xf94a0:$m2: Screenshot Logs ID 0xf95b0:$m2: keystroke Logs ID
00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x73e82:$a1: get_encryptedPassword 0x740cd:$a2: get_encryptedUsername 0x73cb1:$a3: get_timePasswordChanged 0x73d93:$a4: get_passwordField 0x73e98:$a5: set_encryptedPassword 0x75d71:$a7: get_logins 0x75cf2:$a10: KeyLoggerEventArgs 0x75a60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x75a60:$x5: KeyLoggerEventArgs 0x75cf2:$x5: KeyLoggerEventArgs 0x76536:$x5: KeyLoggerEventArgs 0x76897:$x5: KeyLoggerEventArgs 0x77e6e:$m2: Clipboard Logs ID 0x77f65:$m2: Screenshot Logs ID 0x77fbb:$m2: keystroke Logs ID 0x780f0:$m3: SnakePW 0x77f51:$m4: \SnakeKeylogger\
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4a426:$a1: get_encryptedPassword 0x4a708:$a2: get_encryptedUsername 0x4a23c:$a3: get_timePasswordChanged 0x4a337:$a4: get_passwordField 0x4a43c:$a5: set_encryptedPassword 0x4c91c:$a7: get_logins 0x4c87f:$a10: KeyLoggerEventArgs 0x4c4ea:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4c4ea:$x5: KeyLoggerEventArgs 0x4c87f:$x5: KeyLoggerEventArgs 0x4d186:$x5: KeyLoggerEventArgs 0x4d4e7:$x5: KeyLoggerEventArgs 0x4eb46:$m2: Clipboard Logs ID 0x4ec3d:$m2: Screenshot Logs ID 0x4ec93:$m2: keystroke Logs ID 0x4edc8:$m3: SnakePW 0x4ec29:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d1f:$a1: get_encryptedPassword 0x1300b:$a2: get_encryptedUsername 0x12b2b:$a3: get_timePasswordChanged 0x12c26:$a4: get_passwordField 0x12d35:$a5: set_encryptedPassword 0x143d0:$a7: get_logins 0x14333:$a10: KeyLoggerEventArgs 0x13f9e:$a11: KeyLoggerEventArgsEventHandler
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a84a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19a7c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19eaf:$a4: \Orbitum\User Data\Default\Login Data 0x1aeee:$a5: \Kometa\User Data\Default\Login Data
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1390c:$s1: UnHook 0x13913:$s2: SetHook 0x1391b:$s3: CallNextHook 0x13928:$s4: _hook
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166f8:$x1: $%SMTPDV$ 0x1675e:$x2: $#TheHashHere%& 0x17e4c:$x3: %FTPDV$ 0x17f40:$x4: $%TelegramDv$ 0x13f9e:$x5: KeyLoggerEventArgs 0x14333:$x5: KeyLoggerEventArgs 0x17e70:$m2: Clipboard Logs ID 0x18090:$m2: Screenshot Logs ID 0x181a0:$m2: keystroke Logs ID 0x1847a:$m3: SnakePW 0x18068:$m4: \SnakeKeylogger\
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b1f:$a1: get_encryptedPassword 0x14e0b:$a2: get_encryptedUsername 0x1492b:$a3: get_timePasswordChanged 0x14a26:$a4: get_passwordField 0x14b35:$a5: set_encryptedPassword 0x161d0:$a7: get_logins 0x16133:$a10: KeyLoggerEventArgs 0x15d9e:$a11: KeyLoggerEventArgsEventHandler
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b87c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bcaf:$a4: \Orbitum\User Data\Default\Login Data 0x1ccee:$a5: \Kometa\User Data\Default\Login Data
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1570c:$s1: UnHook 0x15713:$s2: SetHook 0x1571b:$s3: CallNextHook 0x15728:$s4: _hook
2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184f8:$x1: $%SMTPDV$ 0x1855e:$x2: $#TheHashHere%& 0x19c4c:$x3: %FTPDV$ 0x19d40:$x4: $%TelegramDv$ 0x15d9e:$x5: KeyLoggerEventArgs 0x16133:$x5: KeyLoggerEventArgs 0x19c70:$m2: Clipboard Logs ID 0x19e90:$m2: Screenshot Logs ID 0x19fa0:$m2: keystroke Logs ID 0x1a27a:$m3: SnakePW 0x19e68:$m4: \SnakeKeylogger\
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d1f:$a1: get_encryptedPassword 0x1300b:$a2: get_encryptedUsername 0x12b2b:$a3: get_timePasswordChanged 0x12c26:$a4: get_passwordField 0x12d35:$a5: set_encryptedPassword 0x143d0:$a7: get_logins 0x14333:$a10: KeyLoggerEventArgs 0x13f9e:$a11: KeyLoggerEventArgsEventHandler
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a84a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19a7c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19eaf:$a4: \Orbitum\User Data\Default\Login Data 0x1aeee:$a5: \Kometa\User Data\Default\Login Data
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1390c:$s1: UnHook 0x13913:$s2: SetHook 0x1391b:$s3: CallNextHook 0x13928:$s4: _hook
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166f8:$x1: $%SMTPDV$ 0x1675e:$x2: $#TheHashHere%& 0x17e4c:$x3: %FTPDV$ 0x17f40:$x4: $%TelegramDv$ 0x13f9e:$x5: KeyLoggerEventArgs 0x14333:$x5: KeyLoggerEventArgs 0x17e70:$m2: Clipboard Logs ID 0x18090:$m2: Screenshot Logs ID 0x181a0:$m2: keystroke Logs ID 0x1847a:$m3: SnakePW 0x18068:$m4: \SnakeKeylogger\
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b1f:$a1: get_encryptedPassword 0x3553f:$a1: get_encryptedPassword 0x14e0b:$a2: get_encryptedUsername 0x3582b:$a2: get_encryptedUsername 0x1492b:$a3: get_timePasswordChanged 0x3534b:$a3: get_timePasswordChanged 0x14a26:$a4: get_passwordField 0x35446:$a4: get_passwordField 0x14b35:$a5: set_encryptedPassword 0x35555:$a5: set_encryptedPassword 0x161d0:$a7: get_logins 0x36bf0:$a7: get_logins 0x16133:$a10: KeyLoggerEventArgs 0x36b53:$a10: KeyLoggerEventArgs 0x15d9e:$a11: KeyLoggerEventArgsEventHandler 0x367be:$a11: KeyLoggerEventArgsEventHandler
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d06a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b87c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c29c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bcaf:$a4: \Orbitum\User Data\Default\Login Data 0x3c6cf:$a4: \Orbitum\User Data\Default\Login Data 0x1ccee:$a5: \Kometa\User Data\Default\Login Data 0x3d70e:$a5: \Kometa\User Data\Default\Login Data
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1570c:$s1: UnHook 0x3612c:$s1: UnHook 0x15713:$s2: SetHook 0x36133:$s2: SetHook 0x1571b:$s3: CallNextHook 0x3613b:$s3: CallNextHook 0x15728:$s4: _hook 0x36148:$s4: _hook
0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184f8:$x1: $%SMTPDV$ 0x38f18:$x1: $%SMTPDV$ 0x1855e:$x2: $#TheHashHere%& 0x38f7e:$x2: $#TheHashHere%& 0x19c4c:$x3: %FTPDV$ 0x3a66c:$x3: %FTPDV$ 0x19d40:$x4: $%TelegramDv$ 0x3a760:$x4: $%TelegramDv$ 0x15d9e:$x5: KeyLoggerEventArgs 0x16133:$x5: KeyLoggerEventArgs 0x367be:$x5: KeyLoggerEventArgs 0x36b53:$x5: KeyLoggerEventArgs 0x19c70:$m2: Clipboard Logs ID 0x19e90:$m2: Screenshot Logs ID 0x19fa0:$m2: keystroke Logs ID 0x3a690:$m2: Clipboard Logs ID 0x3a8b0:$m2: Screenshot Logs ID 0x3a9c0:$m2: keystroke Logs ID 0x1a27a:$m3: SnakePW 0x3ac9a:$m3: SnakePW 0x19e68:$m4: \SnakeKeylogger\
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b1f:$a1: get_encryptedPassword 0x3574f:$a1: get_encryptedPassword 0x5616f:$a1: get_encryptedPassword 0x14e0b:$a2: get_encryptedUsername 0x35a3b:$a2: get_encryptedUsername 0x5645b:$a2: get_encryptedUsername 0x1492b:$a3: get_timePasswordChanged 0x3555b:$a3: get_timePasswordChanged 0x55f7b:$a3: get_timePasswordChanged 0x14a26:$a4: get_passwordField 0x35656:$a4: get_passwordField 0x56076:$a4: get_passwordField 0x14b35:$a5: set_encryptedPassword 0x35765:$a5: set_encryptedPassword 0x56185:$a5: set_encryptedPassword 0x161d0:$a7: get_logins 0x36e00:$a7: get_logins 0x57820:$a7: get_logins 0x16133:$a10: KeyLoggerEventArgs 0x36d63:$a10: KeyLoggerEventArgs 0x57783:$a10: KeyLoggerEventArgs
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d27a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dc9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b87c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c4ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cecc:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bcaf:$a4: \Orbitum\User Data\Default\Login Data 0x3c8df:$a4: \Orbitum\User Data\Default\Login Data 0x5d2ff:$a4: \Orbitum\User Data\Default\Login Data 0x1ccee:$a5: \Kometa\User Data\Default\Login Data 0x3d91e:$a5: \Kometa\User Data\Default\Login Data 0x5e33e:$a5: \Kometa\User Data\Default\Login Data
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1570c:$s1: UnHook 0x3633c:$s1: UnHook 0x56d5c:$s1: UnHook 0x15713:$s2: SetHook 0x36343:$s2: SetHook 0x56d63:$s2: SetHook 0x1571b:$s3: CallNextHook 0x3634b:$s3: CallNextHook 0x56d6b:$s3: CallNextHook 0x15728:$s4: _hook 0x36358:$s4: _hook 0x56d78:$s4: _hook
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184f8:$x1: $%SMTPDV$ 0x39128:$x1: $%SMTPDV$ 0x59b48:$x1: $%SMTPDV$ 0x1855e:$x2: $#TheHashHere%& 0x3918e:$x2: $#TheHashHere%& 0x59bae:$x2: $#TheHashHere%& 0x19c4c:$x3: %FTPDV$ 0x3a87c:$x3: %FTPDV$ 0x5b29c:$x3: %FTPDV$ 0x19d40:$x4: $%TelegramDv$ 0x3a970:$x4: $%TelegramDv$ 0x5b390:$x4: $%TelegramDv$ 0x15d9e:$x5: KeyLoggerEventArgs 0x16133:$x5: KeyLoggerEventArgs 0x369ce:$x5: KeyLoggerEventArgs 0x36d63:$x5: KeyLoggerEventArgs 0x573ee:$x5: KeyLoggerEventArgs 0x57783:$x5: KeyLoggerEventArgs 0x19c70:$m2: Clipboard Logs ID 0x19e90:$m2: Screenshot Logs ID 0x19fa0:$m2: keystroke Logs ID
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa51bf:$a1: get_encryptedPassword 0xc5def:$a1: get_encryptedPassword 0xe680f:$a1: get_encryptedPassword 0xa54ab:$a2: get_encryptedUsername 0xc60db:$a2: get_encryptedUsername 0xe6afb:$a2: get_encryptedUsername 0xa4fcb:$a3: get_timePasswordChanged 0xc5bfb:$a3: get_timePasswordChanged 0xe661b:$a3: get_timePasswordChanged 0xa50c6:$a4: get_passwordField 0xc5cf6:$a4: get_passwordField 0xe6716:$a4: get_passwordField 0xa51d5:$a5: set_encryptedPassword 0xc5e05:$a5: set_encryptedPassword 0xe6825:$a5: set_encryptedPassword 0xa6870:$a7: get_logins 0xc74a0:$a7: get_logins 0xe7ec0:$a7: get_logins 0xa67d3:$a10: KeyLoggerEventArgs 0xc7403:$a10: KeyLoggerEventArgs 0xe7e23:$a10: KeyLoggerEventArgs
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5dac:$s1: UnHook 0xc69dc:$s1: UnHook 0xe73fc:$s1: UnHook 0xa5db3:$s2: SetHook 0xc69e3:$s2: SetHook 0xe7403:$s2: SetHook 0xa5dbb:$s3: CallNextHook 0xc69eb:$s3: CallNextHook 0xe740b:$s3: CallNextHook 0xa5dc8:$s4: _hook 0xc69f8:$s4: _hook 0xe7418:$s4: _hook
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa8b98:$x1: $%SMTPDV$ 0xc97c8:$x1: $%SMTPDV$ 0xea1e8:$x1: $%SMTPDV$ 0xa8bfe:$x2: $#TheHashHere%& 0xc982e:$x2: $#TheHashHere%& 0xea24e:$x2: $#TheHashHere%& 0xaa2ec:$x3: %FTPDV$ 0xcaf1c:$x3: %FTPDV$ 0xeb93c:$x3: %FTPDV$ 0xaa3e0:$x4: $%TelegramDv$ 0xcb010:$x4: $%TelegramDv$ 0xeba30:$x4: $%TelegramDv$ 0xa643e:$x5: KeyLoggerEventArgs 0xa67d3:$x5: KeyLoggerEventArgs 0xc706e:$x5: KeyLoggerEventArgs 0xc7403:$x5: KeyLoggerEventArgs 0xe7a8e:$x5: KeyLoggerEventArgs 0xe7e23:$x5: KeyLoggerEventArgs 0xaa310:$m2: Clipboard Logs ID 0xaa530:$m2: Screenshot Logs ID 0xaa640:$m2: keystroke Logs ID
0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.MV GOLDEN SCHULTE DETAILS.exe.3005494.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa3044:$a1: WriteProcessMemory 0xa30d0:$a1: WriteProcessMemory 0xa31a4:$a4: VirtualAllocEx 0xa33c8:$a4: VirtualAllocEx 0xa3448:$a4: VirtualAllocEx
0.2.MV GOLDEN SCHULTE DETAILS.exe.3002c54.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa5884:$a1: WriteProcessMemory 0xa5910:$a1: WriteProcessMemory 0xa59e4:$a4: VirtualAllocEx 0xa5c08:$a4: VirtualAllocEx 0xa5c88:$a4: VirtualAllocEx
Click to see the 40 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T09:02:05.534599+0100	2803305	3	Unknown Traffic	192.168.2.7	49704	172.67.177.134	443	TCP
2024-12-17T09:02:08.643772+0100	2803305	3	Unknown Traffic	192.168.2.7	49708	172.67.177.134	443	TCP
2024-12-17T09:02:17.935425+0100	2803305	3	Unknown Traffic	192.168.2.7	49727	172.67.177.134	443	TCP
2024-12-17T09:02:24.055204+0100	2803305	3	Unknown Traffic	192.168.2.7	49747	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T09:02:01.336370+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2024-12-17T09:02:03.898894+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2024-12-17T09:02:07.023881+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49706	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MV GOLDEN SCHULTE DETAILS.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: MV GOLDEN SCHULTE DETAILS.exe	Virustotal: Detection: 51%			Perma Link
Source: MV GOLDEN SCHULTE DETAILS.exe	ReversingLabs: Detection: 58%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MV GOLDEN SCHULTE DETAILS.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3695006740.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3691221952.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0114F1F6h	2_2_0114F007
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0114FB80h	2_2_0114F007
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0114E528
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06791A38h	2_2_06791620
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067902F1h	2_2_06790040
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06791471h	2_2_067911C0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679FD11h	2_2_0679FA68
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679C8F1h	2_2_0679C648
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679F8B9h	2_2_0679F610
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06791A38h	2_2_06791610
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679D1A1h	2_2_0679CEF8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679CD49h	2_2_0679CAA0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679D5F9h	2_2_0679D350
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679DA51h	2_2_0679D7A8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679E301h	2_2_0679E058
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679DEA9h	2_2_0679DC00
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679B791h	2_2_0679B4E8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679E759h	2_2_0679E4B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06790751h	2_2_067904A0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06791011h	2_2_06790D60
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679F009h	2_2_0679ED60
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06791A38h	2_2_06791966
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679BBE9h	2_2_0679B940
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679EBB1h	2_2_0679E908
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 06790BB1h	2_2_06790900
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679C499h	2_2_0679C1F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679F461h	2_2_0679F1B8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 0679C041h	2_2_0679BD98
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C8945h	2_2_067C8608
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C5D19h	2_2_067C5A70
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C58C1h	2_2_067C5618
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_067C36CE
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C6171h	2_2_067C5EC8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C6A21h	2_2_067C6778
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C65C9h	2_2_067C6320
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C6E79h	2_2_067C6BD0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_067C33B8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_067C33AF
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C72FAh	2_2_067C7050
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C02E9h	2_2_067C0040
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C0B99h	2_2_067C08F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C7751h	2_2_067C74A8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C0741h	2_2_067C0498
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C8001h	2_2_067C7D58
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C0FF1h	2_2_067C0D48
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C7BA9h	2_2_067C7900
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C8459h	2_2_067C81B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 4x nop then jmp 067C5441h	2_2_067C5198

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49704 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49727 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49747 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3005494.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3002c54.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.3694364610.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_02D9A0F0	0_2_02D9A0F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_02D9D304	0_2_02D9D304
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_02D95E17	0_2_02D95E17
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_062A9680	0_2_062A9680
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_01146108	2_2_01146108
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114C192	2_2_0114C192
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114F007	2_2_0114F007
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114B328	2_2_0114B328
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114C470	2_2_0114C470
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_01146730	2_2_01146730
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114C752	2_2_0114C752
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_01149858	2_2_01149858
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114BBD2	2_2_0114BBD2
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114CA32	2_2_0114CA32
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_01144AD9	2_2_01144AD9
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114BEB6	2_2_0114BEB6
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114E517	2_2_0114E517
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114E528	2_2_0114E528
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_01143572	2_2_01143572
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0114B4F2	2_2_0114B4F2
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06797B70	2_2_06797B70
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06793870	2_2_06793870
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06798460	2_2_06798460
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06790040	2_2_06790040
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067911C0	2_2_067911C0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679FA68	2_2_0679FA68
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679C648	2_2_0679C648
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679C638	2_2_0679C638
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679F610	2_2_0679F610
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679F600	2_2_0679F600
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679CEF8	2_2_0679CEF8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679CAA0	2_2_0679CAA0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679CA9F	2_2_0679CA9F
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679D350	2_2_0679D350
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679DBF1	2_2_0679DBF1
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067973E8	2_2_067973E8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067973D8	2_2_067973D8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679D7A8	2_2_0679D7A8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06793860	2_2_06793860
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679E058	2_2_0679E058
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679E04B	2_2_0679E04B
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679001F	2_2_0679001F
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679DC00	2_2_0679DC00
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067908FC	2_2_067908FC
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679B4E8	2_2_0679B4E8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679E4B0	2_2_0679E4B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067904A0	2_2_067904A0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679E4A0	2_2_0679E4A0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06790490	2_2_06790490
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06790D60	2_2_06790D60
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679ED60	2_2_0679ED60
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06790D51	2_2_06790D51
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679B940	2_2_0679B940
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679B930	2_2_0679B930
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679E908	2_2_0679E908
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06790900	2_2_06790900
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679C1F0	2_2_0679C1F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679F1B8	2_2_0679F1B8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067911B0	2_2_067911B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679F1B7	2_2_0679F1B7
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679BD98	2_2_0679BD98
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06797D90	2_2_06797D90
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679BD88	2_2_0679BD88
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CD670	2_2_067CD670
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CAA58	2_2_067CAA58
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C8608	2_2_067C8608
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CB6E8	2_2_067CB6E8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C8B58	2_2_067C8B58
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CC388	2_2_067CC388
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CD028	2_2_067CD028
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CA408	2_2_067CA408
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CB0A0	2_2_067CB0A0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CBD38	2_2_067CBD38
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CC9D8	2_2_067CC9D8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C11A0	2_2_067C11A0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C5A70	2_2_067C5A70
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C5A60	2_2_067C5A60
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CD661	2_2_067CD661
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CAA48	2_2_067CAA48
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C5618	2_2_067C5618
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CB6D9	2_2_067CB6D9
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C5EC8	2_2_067C5EC8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C6778	2_2_067C6778
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CC378	2_2_067CC378
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C6777	2_2_067C6777
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C3730	2_2_067C3730
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C6320	2_2_067C6320
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C631F	2_2_067C631F
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CA3F8	2_2_067CA3F8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C6BD0	2_2_067C6BD0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C33B8	2_2_067C33B8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C33AF	2_2_067C33AF
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C7050	2_2_067C7050
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C0040	2_2_067C0040
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C4430	2_2_067C4430
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CD018	2_2_067CD018
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C2809	2_2_067C2809
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C2807	2_2_067C2807
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C78F0	2_2_067C78F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C08F0	2_2_067C08F0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C28B0	2_2_067C28B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C74A8	2_2_067C74A8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C0498	2_2_067C0498
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CB090	2_2_067CB090
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C7D58	2_2_067C7D58
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C0D48	2_2_067C0D48
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CBD28	2_2_067CBD28
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C7900	2_2_067C7900
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C85F8	2_2_067C85F8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067CC9C8	2_2_067CC9C8
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C81B0	2_2_067C81B0
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C5198	2_2_067C5198
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C1191	2_2_067C1191
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_067C518B	2_2_067C518B

Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3694364610.0000000005540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000000.1224671595.0000000000992000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePano.exe* vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3689744031.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3695006740.00000000058E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3691221952.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3691221952.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689390772.0000000000B87000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV GOLDEN SCHULTE DETAILS.exe
Source: MV GOLDEN SCHULTE DETAILS.exe	Binary or memory string: OriginalFilenamePano.exe* vs MV GOLDEN SCHULTE DETAILS.exe

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3005494.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3002c54.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.3694364610.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, U--.cs	Base64 encoded string: 'ViLs46Ni17kqXknl3a/surrcJ7pvkA8IQp2Ee8qHOw3tIovg501k+XmRyFSOdgOk'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, U--.cs	Base64 encoded string: 'ViLs46Ni17kqXknl3a/surrcJ7pvkA8IQp2Ee8qHOw3tIovg501k+XmRyFSOdgOk'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.5540000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Mutant created: NULL

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MV GOLDEN SCHULTE DETAILS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3693324113.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002E66000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MV GOLDEN SCHULTE DETAILS.exe	Virustotal: Detection: 51%
Source: MV GOLDEN SCHULTE DETAILS.exe	ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process created: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process created: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: MV GOLDEN SCHULTE DETAILS.exe, PC.cs

.Net Code: CypherMatic System.Reflection.Assembly.Load(byte[])

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: 0x86919054 [Wed Jul 17 15:10:12 2041 UTC]

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_02D95E17 push eax; iretd	0_2_02D95E21
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 0_2_062AA153 pushad ; iretd	0_2_062AA159
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_011424B9 push 8BFFFFFFh; retf	2_2_011424BF
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06792E78 push esp; iretd	2_2_06792E79
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_06796FE3 push es; ret	2_2_06796FE4
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Code function: 2_2_0679705B push es; iretd	2_2_0679705C

Source: MV GOLDEN SCHULTE DETAILS.exe

Static PE information: section name: .text entropy: 7.594465058241345

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599739	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599574	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599454	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595980	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594956	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Window / User API: threadDelayed 2149			Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Window / User API: threadDelayed 7671			Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7220	Thread sleep count: 2149 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599739s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599574s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7220	Thread sleep count: 7671 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595980s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594956s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe TID: 7212	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599739	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599574	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599454	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595980	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594956	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689955345.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Code function: 2_2_06797B70 LdrInitializeThunk,

2_2_06797B70

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.58e0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.58e0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.58e0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Process created: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe "C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3691640862.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV GOLDEN SCHULTE DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3eb9240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e98610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV GOLDEN SCHULTE DETAILS.exe.3e07f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3691640862.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV GOLDEN SCHULTE DETAILS.exe PID: 2760, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MV GOLDEN SCHULTE DETAILS.exe	51%	Virustotal		Browse
MV GOLDEN SCHULTE DETAILS.exe	58%	ReversingLabs	Win32.Trojan.Generic
MV GOLDEN SCHULTE DETAILS.exe	100%	Avira	HEUR/AGEN.1309847
MV GOLDEN SCHULTE DETAILS.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	MV GOLDEN SCHULTE DETAILS.exe, 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MV GOLDEN SCHULTE DETAILS.exe, 00000002.00000002.3691640862.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576558
Start date and time:	2024-12-17 09:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MV GOLDEN SCHULTE DETAILS.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 136 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.43, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:02:02	API Interceptor	11794470x Sleep call for process: MV GOLDEN SCHULTE DETAILS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
172.67.177.134	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse	147.154.227.160
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	end.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	https://onedefender.xyz/w/a/s/?lp_key=17343c9645d1ac0fef5c105d161ba25127ffc78983&clickid=ctg89et00fes73cmfgu0&trk=fireclk.xyz&language=de&feed=7539&zone=3dcf5f1b&dm=1	Get hash	malicious	Unknown	Browse	172.67.181.93
	c5bnEkMx.ps1	Get hash	malicious	LummaC	Browse	104.21.64.1
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	104.21.83.229
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	188.114.97.6
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	188.114.97.6
	payload_1.hta	Get hash	malicious	RedLine	Browse	104.21.87.65
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	172.67.139.105
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	172.67.140.151
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	188.114.96.6

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.583038497316671
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	MV GOLDEN SCHULTE DETAILS.exe
File size:	343'552 bytes
MD5:	6f6b30df02a24ad8819384f41b743a8a
SHA1:	c2bdbd4518c77544484d324fc39ce7f320e59fbc
SHA256:	f75da861b7cbf08727ea95e5e6111db769b818deec9d0328decc37a8a08a608f
SHA512:	0efede7326f53ba4eee0bdb84657cdcfe932dd17f149c5a180559c93325d6dbbcb6060650d517f3d43f865861cf124aa8cf9b5ccc6ca29af4021800d671f4206
SSDEEP:	6144:+Z+8NYTXUXYQV54TJ+dKE/5sJNYdzgtvkFoYmrbq89ATGlJYf9ktf2r8pXxcIXYF:/quNoKTodz/iNYBg9kFLmrb8TeYfStf0
TLSH:	DA74CF60E8E0B263E97A367241FEE934435E7C45EA41996D3400536CFAA23473E91FB7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0..4..........>R... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45523e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x86919054 [Wed Jul 17 15:10:12 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x551e4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x53244	0x53400	f911450a29b01d0df44c4acff3853245	False	0.7045033314564565	data	7.594465058241345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x586	0x600	cd0190c127aaa560b63ee4e5483f602f	False	0.412109375	data	4.005264498794733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	38b7319a2b856850b136768bd8555da6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x560a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0x5639c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T09:02:01.336370+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2024-12-17T09:02:03.898894+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2024-12-17T09:02:05.534599+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49704	172.67.177.134	443	TCP
2024-12-17T09:02:07.023881+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49706	193.122.6.168	80	TCP
2024-12-17T09:02:08.643772+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49708	172.67.177.134	443	TCP
2024-12-17T09:02:17.935425+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49727	172.67.177.134	443	TCP
2024-12-17T09:02:24.055204+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49747	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:01:59.486332893 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:01:59.606092930 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:01:59.606198072 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:01:59.606422901 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:01:59.726106882 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:00.876338959 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:00.879854918 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:00.999821901 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:01.287127018 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:01.336369991 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:01.755249977 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:01.755309105 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:01.755398035 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:01.762149096 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:01.762167931 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:02.984884977 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:02.984966993 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:02.989631891 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:02.989640951 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:02.990098000 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.039479017 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.039937019 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.083328962 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.425578117 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.425750017 CET	443	49703	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.425832033 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.431283951 CET	49703	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.434317112 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:03.554109097 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:03.846863031 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:03.850656033 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.850692034 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.850743055 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.851162910 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:03.851182938 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:03.898894072 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.081258059 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:05.083456993 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:05.083473921 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:05.534672022 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:05.534838915 CET	443	49704	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:05.534897089 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:05.535141945 CET	49704	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:05.538809061 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.539874077 CET	49706	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.659013033 CET	80	49699	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:05.659099102 CET	49699	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.659689903 CET	80	49706	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:05.659771919 CET	49706	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.659874916 CET	49706	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:05.779589891 CET	80	49706	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:06.977317095 CET	80	49706	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:06.978380919 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:06.978418112 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:06.978488922 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:06.978729010 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:06.978744030 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:07.023880959 CET	49706	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:08.198097944 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:08.199727058 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:08.199754953 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:08.643800020 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:08.643966913 CET	443	49708	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:08.644104004 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:08.644383907 CET	49708	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:08.648245096 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:08.768615961 CET	80	49709	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:08.768709898 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:08.781404972 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:08.901881933 CET	80	49709	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:10.074620008 CET	80	49709	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:10.077734947 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:10.077788115 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:10.077862024 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:10.078093052 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:10.078110933 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:10.117635012 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.301892042 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:11.316140890 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:11.316175938 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:11.746377945 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:11.746539116 CET	443	49710	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:11.746592999 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:11.746952057 CET	49710	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:11.750468016 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.751316071 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.870588064 CET	80	49709	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:11.870654106 CET	49709	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.871196985 CET	80	49712	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:11.871263981 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.871366978 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:11.991189957 CET	80	49712	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:13.216159105 CET	80	49712	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:13.217319965 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:13.217341900 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:13.217406988 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:13.217633963 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:13.217644930 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:13.258359909 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:14.435223103 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:14.437124968 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:14.437146902 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:14.876710892 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:14.876869917 CET	443	49718	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:14.876934052 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:14.877458096 CET	49718	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:14.881798983 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:14.883255005 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:15.001868010 CET	80	49712	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:15.001988888 CET	49712	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:15.003022909 CET	80	49719	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:15.003118992 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:15.003381968 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:15.123174906 CET	80	49719	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:16.270747900 CET	80	49719	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:16.272435904 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:16.272505999 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:16.272588015 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:16.272907019 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:16.272928953 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:16.320801973 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:17.487878084 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:17.489762068 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:17.489813089 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:17.935478926 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:17.935575008 CET	443	49727	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:17.935662031 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:17.936289072 CET	49727	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:17.940785885 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:17.942334890 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:18.061907053 CET	80	49719	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:18.062000036 CET	49719	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:18.062294006 CET	80	49734	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:18.062876940 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:18.063112020 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:18.183434963 CET	80	49734	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:19.331243992 CET	80	49734	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:19.332822084 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:19.332864046 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:19.332959890 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:19.333183050 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:19.333198071 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:19.383323908 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:20.548468113 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:20.560517073 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:20.560555935 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:20.993119001 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:20.993197918 CET	443	49736	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:20.993637085 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:20.993761063 CET	49736	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:20.997067928 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:20.998305082 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:21.117207050 CET	80	49734	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:21.117333889 CET	49734	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:21.118022919 CET	80	49742	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:21.118117094 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:21.118292093 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:21.237966061 CET	80	49742	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:22.386943102 CET	80	49742	193.122.6.168	192.168.2.7
Dec 17, 2024 09:02:22.388746977 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:22.388861895 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:22.388974905 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:22.389252901 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:22.389291048 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:22.432010889 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:02:23.600850105 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:23.602649927 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:23.602736950 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:24.055243969 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:24.055345058 CET	443	49747	172.67.177.134	192.168.2.7
Dec 17, 2024 09:02:24.055716038 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:02:24.055990934 CET	49747	443	192.168.2.7	172.67.177.134
Dec 17, 2024 09:03:11.976104021 CET	80	49706	193.122.6.168	192.168.2.7
Dec 17, 2024 09:03:11.976214886 CET	49706	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:03:27.386658907 CET	80	49742	193.122.6.168	192.168.2.7
Dec 17, 2024 09:03:27.387279034 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:04:02.399490118 CET	49742	80	192.168.2.7	193.122.6.168
Dec 17, 2024 09:04:02.519263029 CET	80	49742	193.122.6.168	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:01:59.340265989 CET	59044	53	192.168.2.7	1.1.1.1
Dec 17, 2024 09:01:59.478777885 CET	53	59044	1.1.1.1	192.168.2.7
Dec 17, 2024 09:02:01.325298071 CET	60706	53	192.168.2.7	1.1.1.1
Dec 17, 2024 09:02:01.750737906 CET	53	60706	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 09:01:59.340265989 CET	192.168.2.7	1.1.1.1	0xc021	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:02:01.325298071 CET	192.168.2.7	1.1.1.1	0x1cba	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:59.478777885 CET	1.1.1.1	192.168.2.7	0xc021	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:02:01.750737906 CET	1.1.1.1	192.168.2.7	0x1cba	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:02:01.750737906 CET	1.1.1.1	192.168.2.7	0x1cba	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:01:59.606422901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:00.876338959 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3daf7348e9234d2681c98f13761bb2a4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 09:02:00.879854918 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:02:01.287127018 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a8da3096dc4ea33ba2c239c0229ccd1d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 09:02:03.434317112 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:02:03.846863031 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 062863942b7aed414ec842c5e0633ae5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:05.659874916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:02:06.977317095 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64712a34dad3ab859cacad4b00a06689 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:08.781404972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:10.074620008 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 93e9781188fc96d11a3e7eb4d094cf8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:11.871366978 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:13.216159105 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 86018682a66d7cc2561a67c993d25225 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49719	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:15.003381968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:16.270747900 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64c3570f35305587380c5009615697d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49734	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:18.063112020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:19.331243992 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a8a610d04ae79e86843c4367acb755e7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49742	193.122.6.168	80	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:02:21.118292093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:02:22.386943102 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6410c318a8e93b65d44f1e377a161375 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:02:03 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411292 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ixwqf%2BD2noNys%2BrMvY9y7Kc3vjXA5Drr6tfW2kgbmJHv7NRtpQUDFCKkp6eEx%2BU3pUXuX5jY%2BMpXXjlGYE03m7hMAkjL%2FP4RfgEdCOgiKmrT83NA8fHtQE6bUqQraOk1SAGKYyQK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563825f3c8c21-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1817&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1554018&cwnd=242&unsent_bytes=0&cid=07042815ef0edfe2&ts=456&x=0"
2024-12-17 08:02:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:05 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:02:05 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411294 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FFQniMO%2BtlTfOzPJ8Rte1BDKBJzsY82QVk8M5izuFC1tVLOMExrZZ2Qtj06PbLV1FOS4tlw%2B84mlTv49S50qjI08m6fQwU8d3BXslAB%2BNcaqXxTpw8WRWg2Qs9HDQCkTcl0Ajc%2BZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f35638f8a0b0f93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1629&rtt_var=623&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1738095&cwnd=168&unsent_bytes=0&cid=94f71723d0f92754&ts=458&x=0"
2024-12-17 08:02:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49708	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:02:08 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411297 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N3C5kabkv4if%2FPMLa0%2FTRtSuxd01YcXQWq4GpMVQ3d6eZE2U5t82aS%2Bi1lkegqj8D8oGfR%2B2bgsV69QAeMlVdBWEcAfvaqAxVCcOo1o11jHbaAnQFqRJiPkSlUI5nnhrr%2FA%2BqnVg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563a2fd6e5e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1581&rtt_var=902&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1035828&cwnd=251&unsent_bytes=0&cid=1f45ea878b2ebac9&ts=455&x=0"
2024-12-17 08:02:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49710	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:02:11 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411300 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QQlVyyNo6k%2BQgyflhGNkRN0HMcwcXSEbYDCT%2FDNmlAxI%2BCE7pK5pcvwMR2E0UN%2FlG7fMj1kpe1Vfid8ehu5NIfCizlle%2BxO4rlpJC1E%2BbGij44ItOpf5BXO2j4i8nKjW%2F0A26VzI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563b668b942ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2208&min_rtt=2174&rtt_var=883&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1193785&cwnd=218&unsent_bytes=0&cid=a82df09f0f76f6ac&ts=452&x=0"
2024-12-17 08:02:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49718	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:02:14 UTC	876	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411303 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NzGJYE32rbboYNpJhCb9%2B9Hza9MVUc%2BDrXz4KUum3qD4S8ATa9Ulz8NJKIQLpHnWwbu1uEb3uBJ2PrOpIijXYabykZuOiuOVYFMIWYB4xrHfKBN8%2Frqw3M1sdEWyXccf0XFmcxIU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563c9ffffde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1602&rtt_var=664&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1822721&cwnd=209&unsent_bytes=0&cid=43bdc438120d3d42&ts=450&x=0"
2024-12-17 08:02:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49727	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:17 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:02:17 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411306 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ZwRGghRsjy%2F5sZ8jwu4tNs3bKs%2BrKL%2FP4pUv2VVxNG96mA34ov5Nwwc%2B0BYPxV7ZdzmAxZ4psj3TqQKJWdrMcOJmqevOlC5YLHMz0PSkezHyN0RgClJ9OeqXxYA8M1qOYMgH9qd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563dd0b667ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1860&min_rtt=1812&rtt_var=776&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1327272&cwnd=239&unsent_bytes=0&cid=9cfdf9e03dbf2f97&ts=452&x=0"
2024-12-17 08:02:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49736	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:02:20 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411309 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qTZWtfQjk5KPvVhpc3J1NmXN4HNaJjC%2FSfXW0SSYyQ%2FxIeC5FFrq4oFoWaVWnp1GeecGl0qcEOAmCrk1FC6t6Sf4vYKPOIjIiPXUw%2BsGS5oJwW6Dg%2FtOZgBGfUekX7fVxad2lmoH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3563f02a5542b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1732&rtt_var=659&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1647855&cwnd=232&unsent_bytes=0&cid=7eab09f5f2134a3e&ts=450&x=0"
2024-12-17 08:02:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49747	172.67.177.134	443	2760	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:02:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:02:24 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:02:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 411312 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cSMFv%2FLUXT6JfmxrcdZf%2FBfddQI3cMO9y82104XJbCy81R4bitmaP7l%2BF2ED1UZBiEzHjkLD262LJCEpCWtYTksB7zWmnV%2BZ6hbo4Qfyg2nIpwAumVhw1jXe5VCsNTYoTsul6IrW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3564034d8b4380-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1574&rtt_var=598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1817050&cwnd=220&unsent_bytes=0&cid=e673f45f13384a24&ts=460&x=0"
2024-12-17 08:02:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:01:57
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"
Imagebase:	0x990000
File size:	343'552 bytes
MD5 hash:	6F6B30DF02A24AD8819384F41B743A8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.3694364610.0000000005540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3692686155.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:01:57
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV GOLDEN SCHULTE DETAILS.exe"
Imagebase:	0x7a0000
File size:	343'552 bytes
MD5 hash:	6F6B30DF02A24AD8819384F41B743A8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3691640862.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3689134012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3691640862.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	130
Total number of Limit Nodes:	13

Executed Functions

Function 062A9680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b46f60c59c3a8ee543d2d6509cc704fe49bbd4513a3d80d7861601e4d8530753
Instruction ID: 785b16aff02c5e47bc21e2dd8cf96a94fa793452d0265805378ed055da7b64ba
Opcode Fuzzy Hash: b46f60c59c3a8ee543d2d6509cc704fe49bbd4513a3d80d7861601e4d8530753
Instruction Fuzzy Hash: 54F13B30E20309CFDB54DFAAC944BADBBF1BF88314F158559E805AF255DBB0A985CB90

Function 02D9A0F0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13b74ae40f6d9b098d07d9d0014ea52a731e29c52f7964b37e5f98b3f7c943b
Instruction ID: a55d008782370517aca69c9012e9334b8ac68c5515790d7ba6282061e5457189
Opcode Fuzzy Hash: e13b74ae40f6d9b098d07d9d0014ea52a731e29c52f7964b37e5f98b3f7c943b
Instruction Fuzzy Hash: 6651F832D14385CFDB02EBB4D8506CABBB1FF9A310F168756E194BB291EB306585CB91

Function 02D9D3C9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D456
GetCurrentThread.KERNEL32 ref: 02D9D493
GetCurrentProcess.KERNEL32 ref: 02D9D4D0
GetCurrentThreadId.KERNEL32 ref: 02D9D529

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c7481022da3ba7bf1732ed4685b361f1c7c7ca76e168c204a0a80d3a60595011
Instruction ID: 2d2526c981299f0a33a684ab979eecadf5413bfd2d8b795fa27170be25c6bd4c
Opcode Fuzzy Hash: c7481022da3ba7bf1732ed4685b361f1c7c7ca76e168c204a0a80d3a60595011
Instruction Fuzzy Hash: 9E5156B49003098FDB18DFA9D548B9EBBF2BF48314F20845AE009AB360D734A944CB65

Function 02D9D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D456
GetCurrentThread.KERNEL32 ref: 02D9D493
GetCurrentProcess.KERNEL32 ref: 02D9D4D0
GetCurrentThreadId.KERNEL32 ref: 02D9D529

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1c7b0ee98eaec3b129976653c83f0d63242cbc4d0bd91116ff923b7795181f88
Instruction ID: 0c58fdc49df75164bd59dca4371ddcab8c47636d61a27bdc03c68219844105e9
Opcode Fuzzy Hash: 1c7b0ee98eaec3b129976653c83f0d63242cbc4d0bd91116ff923b7795181f88
Instruction Fuzzy Hash: AF5155B4D003098FDB18DFAAD548BAEFBF6BF48314F208459E419AB360DB746944CB65

Function 02D9AD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9AF9E

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0c76e4208d69efdd8268249d0359984f915a3cbfec25b2df62c2c4cc750593bd
Instruction ID: 6f9ac8d64991b65893f9ea0e31eabcb29aa726d1731a919634f5485855d85530
Opcode Fuzzy Hash: 0c76e4208d69efdd8268249d0359984f915a3cbfec25b2df62c2c4cc750593bd
Instruction Fuzzy Hash: 4B711272A00B058FDB24DF29D44579ABBF5FF88304F10892EE48A9BB40DB75E845CB91

Function 02D94248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b37349aed3b64ad83717f5ed1d3aed7f39b75c65ed2c748097e1459ee5948f41
Instruction ID: 721b19a6a0f5805b99d3fbe67a6354f2f8aa37be7b247b97a101847ec178d291
Opcode Fuzzy Hash: b37349aed3b64ad83717f5ed1d3aed7f39b75c65ed2c748097e1459ee5948f41
Instruction Fuzzy Hash: 6341CF70C00719DFEF25DFA9C885B9DBBB5BF48304F60806AE408AB251DB75694ACF94

Function 02D9590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1dd9a7d618b19e0e458bc41a7fe8055aac537e4fb8e69f18c6dd56f99b62b7a9
Instruction ID: 9502c30c3f73cd7fa5e63830eaa9cef0c74575859d17fc3d6fa27ec92c5ddee4
Opcode Fuzzy Hash: 1dd9a7d618b19e0e458bc41a7fe8055aac537e4fb8e69f18c6dd56f99b62b7a9
Instruction Fuzzy Hash: A241EF70C007198FEF25CFA9C885BDDBBB5BF48304F60806AE408AB250DB75694ACF50

Function 02D9D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9D6A7

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eddb2f184495d672c6cda522516b1c4a2c5022461671ff6a246aef400303880e
Instruction ID: e8980894f97c718d8f6c0770d17e895a5132621d6b1b46ad7547c776acc99234
Opcode Fuzzy Hash: eddb2f184495d672c6cda522516b1c4a2c5022461671ff6a246aef400303880e
Instruction Fuzzy Hash: A021E0B5D002499FDF10CFAAD984ADEBBF5FB48314F24841AE958A7350D378A944CF64

Function 02D9D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9D6A7

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c11e6f7f2c49baa811b51a88fc2c247ed6a14671e03aa0e0941f0f7e8a2a75bd
Instruction ID: 89cc679372b5fac6be4043d8954619fff97404965fda3b23200aa912488a526f
Opcode Fuzzy Hash: c11e6f7f2c49baa811b51a88fc2c247ed6a14671e03aa0e0941f0f7e8a2a75bd
Instruction Fuzzy Hash: 1121E0B5D002489FDF10CFAAD984ADEBBF9FB48310F14841AE958A7350C378A940CFA5

Function 062A0563 Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 062A05E5

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3f33d985d2d2fd0c247ec3b055be7c424d65c1c1ee5121a6b0ee150b04b63050
Instruction ID: 3924f47e6fd13e41bf08db724a6b1f1a56517eb8cf2770352b77a50c531a6b1e
Opcode Fuzzy Hash: 3f33d985d2d2fd0c247ec3b055be7c424d65c1c1ee5121a6b0ee150b04b63050
Instruction Fuzzy Hash: F12179B18043898FDB11CFA5C845BDEBFF4EB09320F14449AD454E7692C378A544CFA1

Function 062A7A30 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,062A9862,00000000,00000000,03DB4108,02DD0548), ref: 062A9CB0

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 4ff0548e1ffc497496943f4c684d8460caa0638f231a70c80434da74aa915583
Instruction ID: a748019e0711205b491b5ee990659c127b85f595055c61ae5bd58b5dc8c9adb1
Opcode Fuzzy Hash: 4ff0548e1ffc497496943f4c684d8460caa0638f231a70c80434da74aa915583
Instruction Fuzzy Hash: 2211E7B5C107499FDB10CF9AD944BDEBBF4FB48310F10842AE958A7251D378A544CFA5

Function 062A9C43 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,062A9862,00000000,00000000,03DB4108,02DD0548), ref: 062A9CB0

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: ba0f76e3e7599c4ccf5c8bd59dbc299bb761b86a989210079822711af9db78dc
Instruction ID: 98887c447b44388461663f86681e8d69351c134aed65740ff7c1b54848285987
Opcode Fuzzy Hash: ba0f76e3e7599c4ccf5c8bd59dbc299bb761b86a989210079822711af9db78dc
Instruction Fuzzy Hash: 0611E4B5C102499FDB10CF9AD944BDEBBF8FB48310F10842AE958A7350C378A544CFA5

Function 062A0588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 062A05E5

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 55816e574bdcc4e65f5a211af025f905d0476d8e3fae41d784298c76c012857c
Instruction ID: 7fb300e2aff63fd1f32bfebfff26198d6413ef7d5fad53421949c7be5e5e92bf
Opcode Fuzzy Hash: 55816e574bdcc4e65f5a211af025f905d0476d8e3fae41d784298c76c012857c
Instruction Fuzzy Hash: 6411E6B58003499FDB10CF9AC885BDEBBF8FB48314F10841AE554A7640D379A544CFA5

Function 02D9AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9AF9E

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 47cac10ffdbfdf9237a6ad341c09fbe1b5d6650f0d6a7d006c4fc8b64a52267e
Instruction ID: 4c50d7f4c5dd9980ddbb379989fe6e28b49d213004f19a19dfdb71f61d2c1812
Opcode Fuzzy Hash: 47cac10ffdbfdf9237a6ad341c09fbe1b5d6650f0d6a7d006c4fc8b64a52267e
Instruction Fuzzy Hash: C71110B6C002498FCF20CF9AD444BDEFBF4AB88214F10842AE829A7340C379A545CFA5

Function 062A1EC0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062A1F1D

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 257c6cf138a5a1e058ee14db6fab22b669d6b49a6a298e2b16537aa3126098c1
Instruction ID: 1c4d479707cd3e0f8f958dcfe464c388712a0b2b94c7f8a760ed2ab5ff598bf9
Opcode Fuzzy Hash: 257c6cf138a5a1e058ee14db6fab22b669d6b49a6a298e2b16537aa3126098c1
Instruction Fuzzy Hash: F51103B5C103498FDB20DF9AD489BDEBBF4EB48324F20841AD959A7240C379A545CFA9

Function 062A92AC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,062A99A7), ref: 062AA445

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 43c40d0fdbb108796fbabc8b8e105504c6997d51ddd6cef150577e7021013bd7
Instruction ID: 05757c067460767dc9c0bcac84d8d0c0a258d04d542cc5ca154bc7baa890dced
Opcode Fuzzy Hash: 43c40d0fdbb108796fbabc8b8e105504c6997d51ddd6cef150577e7021013bd7
Instruction Fuzzy Hash: 6D11E0B5C147498FCB20CF9AD484BDEFBF4EB48314F10842AE958A7210D3B9A544CFA5

Function 062A0818 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062A1F1D

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 02d8f2aa3e942975bcf39916f612691b3e5e1b570b4d568f599c5697d88a4c1d
Instruction ID: fdb9bd3dd5c54126663908567e875320aa30ff0834f83fe1a3822d38df65a377
Opcode Fuzzy Hash: 02d8f2aa3e942975bcf39916f612691b3e5e1b570b4d568f599c5697d88a4c1d
Instruction Fuzzy Hash: 0A1103B5C103498FDB20DF9AD548BDEBBF4EB48324F208459E919A7640C379A944CFA9

Function 062AA3E3 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,062A99A7), ref: 062AA445

Memory Dump Source

Source File: 00000000.00000002.3695679923.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3c067dabb39cacbc5f76ec1b396eb1ff364d7f77a850ac059e32edadcf7b957e
Instruction ID: d980c5816259e9ece169c53f00fc21f5ede05c98c147a72eed6a19cc759cf4b5
Opcode Fuzzy Hash: 3c067dabb39cacbc5f76ec1b396eb1ff364d7f77a850ac059e32edadcf7b957e
Instruction Fuzzy Hash: 4611FEB5C102498FCB20CF9AD848BDEFBF4EB48314F10842AE928A7200D378A544CFA5

Function 012FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690654363.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b7fc228ac09fa4f1a0289c5b84996e5aa337e291e782f8ce2dd6a6629ec97f
Instruction ID: 73bad795ec22018a4fd65c668f1c92e439148bc2dba7fa1b87dbe341d57d87e6
Opcode Fuzzy Hash: 64b7fc228ac09fa4f1a0289c5b84996e5aa337e291e782f8ce2dd6a6629ec97f
Instruction Fuzzy Hash: 5D213371510208EFDB15DF94E9C4B26FFA1FB88318F20C57DEA090B256C336D446CAA2

Function 012FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690654363.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f5c3885b183cd0df8235d72447f3ce4aa9fc0fce19c51d0cd67abe6438d899
Instruction ID: ede884b64be0b84e33f6991db243403489f5ad8a74d6bfbc8f7822eb58ea5fab
Opcode Fuzzy Hash: e2f5c3885b183cd0df8235d72447f3ce4aa9fc0fce19c51d0cd67abe6438d899
Instruction Fuzzy Hash: 85213375510208EFDB15DF94D9C0B56FBA5FB88324F20C17CEA0A0B256C336E446CAA2

Function 02BBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cf89da5bfc63c55b2a86f9f1d08a66646c16740cbbeda139043dcc37bdf7b4
Instruction ID: e6e67b3d7797bf9d7ba765f56ab2ef99a669afdd68165fab2b8bcc86c3b5120c
Opcode Fuzzy Hash: 69cf89da5bfc63c55b2a86f9f1d08a66646c16740cbbeda139043dcc37bdf7b4
Instruction Fuzzy Hash: FF212571504300DFDB15DF20D5D0B66BBA1FF84314F60C5ADE80A4B252C3BAD447CA61

Function 02BBD2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568b0c4670fee1d71b6da60162333ccc6fd30586a2fdc199d02e977533a8f66c
Instruction ID: 83a0fa0e7782ecbd5d4ecd35aa479d417a77de81fb9c2968a4d15398241ec906
Opcode Fuzzy Hash: 568b0c4670fee1d71b6da60162333ccc6fd30586a2fdc199d02e977533a8f66c
Instruction Fuzzy Hash: C721F671604245DFDB16DF10D5C0B7ABBA5FF84324F24C5A9E8490B242C3BED446CBA2

Function 02BBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bedb5baec4e161b2cd6e9d429d0bfc4c83234b5065c1e0d76284b50e76b3432
Instruction ID: f0b26802af10d329cbbca5995c7c7a1d89f2be752dae16041c8f187dbba6c9d3
Opcode Fuzzy Hash: 1bedb5baec4e161b2cd6e9d429d0bfc4c83234b5065c1e0d76284b50e76b3432
Instruction Fuzzy Hash: 6921F571A04241EFDB16DF10D5C0B65BBA5FF84314F20C5ADE8894B252C37AD446CA61

Function 02BBD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab469fbfcf023409ae4fcac360ff6b27b1c5e6af84f5bda6c0a01af671152de
Instruction ID: 834c8f5dd0ee1563f592e7946b1a67a32383a53879ce46f026a2941d5b406c99
Opcode Fuzzy Hash: dab469fbfcf023409ae4fcac360ff6b27b1c5e6af84f5bda6c0a01af671152de
Instruction Fuzzy Hash: 2E2181755093808FCB17CF20D9A4B15BF71EF45214F28C5EAD8498B6A7C37AD80ACB62

Function 012FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690654363.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: 50ab353bcc55094d24546d29b723ced0e8db4ca22f9f8ada4add5e80ce901814
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: 20119D76504284CFCB16CF54E5C4B16BF61FB84318F2486A9DA490B656C336D45ACBA2

Function 012FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690654363.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: 7f21bae4d95140c7f17cf036eb108596e78744db54ede0b210a184043b7e5950
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: D011CD76404284CFCB12CF54D5C4B56BF71FB84324F2486A9DA090B656C33AE456CBA2

Function 02BBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: 803cbbc1b9ae5ee81d97f59453bc09a3373f3d41e957123e23d470abae5294ed
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: FD118B75904280DFCB16CF10D5C4B65BBA1FF84318F24C6A9D8894B696C37AD44ACB61

Function 02BBD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3690826620.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bbd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
Instruction ID: ea166bfd60e26ed8b43cedc9f38584203948cf9959a4f79e64dd12fdb60cc580
Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
Instruction Fuzzy Hash: B811B275508280CFCB12CF10D5C4B69FF61FF84324F24C6A9D8494B656C37AD406CBA1

Non-executed Functions

Function 02D95E17 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

4'q, xrefs: 02D95FAA
4'q, xrefs: 02D95FCD

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: b4380d76e879e18845e3753139c09d400705853ec51a21c8f76ac5c5f4dcab29
Instruction ID: 280c17d180c629b6eb8770b1c8690bd33b69dd4f9b2b9b0dd4b3e013cea52880
Opcode Fuzzy Hash: b4380d76e879e18845e3753139c09d400705853ec51a21c8f76ac5c5f4dcab29
Instruction Fuzzy Hash: 2091F235E142499FDB01EBB8E4A4AEEBBB1FF85300F5400AAD144AF366DB319D05CB95

Function 02D9D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3691155548.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb650c2c7a4718cc8f5c135464171e1da84f170fc48ae0d623e4899d316f493
Instruction ID: 22c64513c605b983bb9666ecca7fc01f53b4d619f7c96e955dd9c817a2703134
Opcode Fuzzy Hash: 1cb650c2c7a4718cc8f5c135464171e1da84f170fc48ae0d623e4899d316f493
Instruction Fuzzy Hash: 00A15A36A002098FCF15DFA4C89059EBBB6FF85300B25856AF805EB365DB71ED16CB90

Analysis Process: MV GOLDEN SCHULTE DETAILS.exePID: 2760, Parent PID: 2960COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.3%
Total number of Nodes:	53
Total number of Limit Nodes:	6

Executed Functions

Function 01146730 Relevance: 6.7, Strings: 5, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 0114697A
,q, xrefs: 01146A00
,q, xrefs: 011469F2
(oq, xrefs: 01146CA5
(oq, xrefs: 01146988

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: b7f9b888c0d0568c09937a16f59afd3ba6c5df30880b7614806538786e204eef
Instruction ID: fbca320e354536f5dd163c4bb25b7dd13121a1e20173207d75abbf15a61d9479
Opcode Fuzzy Hash: b7f9b888c0d0568c09937a16f59afd3ba6c5df30880b7614806538786e204eef
Instruction Fuzzy Hash: EB028F70E00209DFDB19CFA9C984AADBBF6FF8A709F158469E505AB261D730EC41CB51

Function 01149858 Relevance: 3.3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

Strings

4'q, xrefs: 0114A273
(oq, xrefs: 01149C78

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 2f1f37f21ac8cc1acdb97a04563f85c8b91f59a0f754c96c0b3675980b7fa38a
Instruction ID: 697ea7a3276117d5e2e1161a40f41ae3ea4d5251c32a61cf51cebc1da5021f8b
Opcode Fuzzy Hash: 2f1f37f21ac8cc1acdb97a04563f85c8b91f59a0f754c96c0b3675980b7fa38a
Instruction Fuzzy Hash: A072A471A40209CFCB19CF68D984AAEBBF2FF88704F158559E9069B3A1D730ED51CB91

Function 01146108 Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

Hq, xrefs: 0114650E
(oq, xrefs: 01146642

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 7b06b7f9c274d5f639e9f882223b4f2ae6a309566af791b6557a4abaeb3b96b1
Instruction ID: bacbeffd278449695fb04221f897c2c5995cd2b0c2e01efaf49e0ab5b15ab550
Opcode Fuzzy Hash: 7b06b7f9c274d5f639e9f882223b4f2ae6a309566af791b6557a4abaeb3b96b1
Instruction Fuzzy Hash: 6F12AE70A002199FDB18DF69C954BAEBBF6FF89704F148529E40ADB395EB309D41CB90

Function 0114B328 Relevance: 2.8, Strings: 2, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0114B747
PHq, xrefs: 0114B758

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f8c313634041719464fbb902cc10ff7591da65b669a578a7140f782c79351ab5
Instruction ID: 3f1b752148923c9972c8c30b542029358bf8434732017f6012f2308d43c8a197
Opcode Fuzzy Hash: f8c313634041719464fbb902cc10ff7591da65b669a578a7140f782c79351ab5
Instruction Fuzzy Hash: B3E11774E04619CFDB18CFA9C984A9DBBB2BF49710F198069E809AB361DB30EC41CF54

Function 067C8B58 Relevance: 2.8, Strings: 2, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 067C8EAB
PHq, xrefs: 067C8E9A

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 46f67718d53be3f1c6d071c8e00cef9356f81a61690c7f368db0df975af87d62
Instruction ID: 4761b6d9ab594667b5d73cd052594e0b8380e0ba647699dac9f3da59774404de
Opcode Fuzzy Hash: 46f67718d53be3f1c6d071c8e00cef9356f81a61690c7f368db0df975af87d62
Instruction Fuzzy Hash: B2C18770D01358CFDBA6CFA9C8586ADBFB2BF89310F2486AEC459AB245D7305841CF52

Function 0114BBD2 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0114BE27
PHq, xrefs: 0114BE38

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: baa9f30452314a6ea6d288fedac8bbb6ec44d66f9c43a4db397b7006e6d25691
Instruction ID: bb8bfcf22341d99b11e5f854b94d67f31d644ca7cb0546cfa68780ee55ec252c
Opcode Fuzzy Hash: baa9f30452314a6ea6d288fedac8bbb6ec44d66f9c43a4db397b7006e6d25691
Instruction Fuzzy Hash: 4F81E774E04218CFEB18DFAAD984B9DBBF2BF88314F148069D459AB365DB309941CF15

Function 0114C470 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0114C6C7
PHq, xrefs: 0114C6D8

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 882d4edc15af459dc9b69e07d67b954af6da9d2200e35c0f5092c0e4b49510bc
Instruction ID: a9966b55b1526df1b9b39db3a96fb4a985b0c7a7a123911b2837f5494b0da96f
Opcode Fuzzy Hash: 882d4edc15af459dc9b69e07d67b954af6da9d2200e35c0f5092c0e4b49510bc
Instruction Fuzzy Hash: BF81AF74E012188FEB18DFAAD984B9DBBF2BF88310F14D069E419AB365DB709941CF51

Function 0114C752 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 0114C9B8
PHq, xrefs: 0114C9A7

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6636804edce6d477d01efbf5f8c1e7525f2f65ee8297d3b97de4fcecf413f87a
Instruction ID: 9d3d7c97b932834e3ee0b142eb234b5f6f1a6c9b31f7b8167bfba80373575bdf
Opcode Fuzzy Hash: 6636804edce6d477d01efbf5f8c1e7525f2f65ee8297d3b97de4fcecf413f87a
Instruction Fuzzy Hash: 1F81D374E01218DFEB18DFAAD984B9DBBF2BF88310F148069E459AB365DB309941CF51

Function 01144AD9 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 01144D30
PHq, xrefs: 01144D41

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 8c8e29773a2c29ef75c137448ba6ef95f7804b795f5f8a69de8c0ad36c759703
Instruction ID: 84d920bf79d80532b9b887f8e3ea7cd5cb65643e85ab265e4ff19b3f9b606993
Opcode Fuzzy Hash: 8c8e29773a2c29ef75c137448ba6ef95f7804b795f5f8a69de8c0ad36c759703
Instruction Fuzzy Hash: E281B574E00218DFEB18DFAAD984B9DBBF2BF88310F148069D459AB365DB709941CF15

Function 0114C192 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHq, xrefs: 0114C3F8
PHq, xrefs: 0114C3E7

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 657833ec41a056e95f2bb56c3c974420715bae707e6824429d1f2d91133cc2f5
Instruction ID: f0154fd27ebe7de822571da25a150969744f039bf01dc9602aac953e19d99b02
Opcode Fuzzy Hash: 657833ec41a056e95f2bb56c3c974420715bae707e6824429d1f2d91133cc2f5
Instruction Fuzzy Hash: E781B274E01218CFEB18DFAAD984B9DBBF2BF88310F148069E459AB365DB709941CF51

Function 0114CA32 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0114CC98
PHq, xrefs: 0114CC87

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 7ff64a1613ff951db03445d2c52101ee20671ccbc42eeaa004dcb47ef9f9268a
Instruction ID: 15402b5b3c52095d8d1c9346ca5997e19671647200a4e1a621c1279ba52e0539
Opcode Fuzzy Hash: 7ff64a1613ff951db03445d2c52101ee20671ccbc42eeaa004dcb47ef9f9268a
Instruction Fuzzy Hash: 9D81B374E01218CFEB18DFAAD984B9DBBF2BF88310F148069E419AB365DB709941CF55

Function 0114BEB6 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 0114C107
PHq, xrefs: 0114C118

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6f38da56a764b7f4ae8b31e1d0898c2a847e00243cca5094ccfabbd3a750c28e
Instruction ID: 2e6f8ea49840023a1d706ffef196cc8abaa394ba29d1b3003cd39a9486de52a6
Opcode Fuzzy Hash: 6f38da56a764b7f4ae8b31e1d0898c2a847e00243cca5094ccfabbd3a750c28e
Instruction Fuzzy Hash: BF81B574E01218CFEB18DFAAD984B9DBBF2BF89300F148069E459AB365DB309941CF51

Function 0114B4F2 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PHq, xrefs: 0114B747
PHq, xrefs: 0114B758

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: e3266e0a40fbffffd458c49beb9f55b4c2f1a51efb61ddd8d11624e09cebd855
Instruction ID: ffe2c9282af1522a66ba80d1cf58b1158ce06853ba717794832e6ebe744b5f81
Opcode Fuzzy Hash: e3266e0a40fbffffd458c49beb9f55b4c2f1a51efb61ddd8d11624e09cebd855
Instruction Fuzzy Hash: DA61C574E046089FDB18DFAAD984A9DFBF2BF88300F14C069D419AB365DB749841CF15

Function 06797B70 Relevance: 2.0, APIs: 1, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca51e8785eaf2883fb6921ceea1ddab2d6c6ef6c168192b73253ce477d9a88b2
Instruction ID: c7c7fca3587cf8561fe31dfb4a8966b5c03f78e43363040305f86050689daa53
Opcode Fuzzy Hash: ca51e8785eaf2883fb6921ceea1ddab2d6c6ef6c168192b73253ce477d9a88b2
Instruction Fuzzy Hash: 3D223974E002198FDF58DFA8D884BADBBF2BF85300F1485A9D449AB395DB349941CFA1

Function 067C11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98925d90c3942312b23810810a5043b6217aa896ed604072a40192d8635cd436
Instruction ID: 009e972ceff8e6020ada0ead1132c0579dd7feb6c5638245cc9ebe71c8783883
Opcode Fuzzy Hash: 98925d90c3942312b23810810a5043b6217aa896ed604072a40192d8635cd436
Instruction Fuzzy Hash: 87827174E012288FEBA4DF65C998BDDBBB2BF49300F1481E9944DAB255DB309E81CF51

Function 0114F007 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbc401b3b74eefeda5ba0a3c4dea866ac2677049d7e9cfd3b7c3d7135baf480
Instruction ID: 917e6bfb52adab0c9cecce581d865e6a7333e79409fd16836a52d1100780f8b0
Opcode Fuzzy Hash: 8cbc401b3b74eefeda5ba0a3c4dea866ac2677049d7e9cfd3b7c3d7135baf480
Instruction Fuzzy Hash: 6E72CF74E002298FDB68DF69C994BDDBBB2BB49300F1481E9D449AB355DB349E82CF50

Function 067C8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8594069eb556d81564c1b62774c5a7cd84c42c6e8ae3f66568c8d348e15012b8
Instruction ID: fbf5760744063e984278dd513a9d45bbe7c90cf63691f5f112c16def212473ff
Opcode Fuzzy Hash: 8594069eb556d81564c1b62774c5a7cd84c42c6e8ae3f66568c8d348e15012b8
Instruction Fuzzy Hash: CEE1DF74E00218CFEB64DFA5D944B9DBBF2BF89304F2080A9D409AB394DB355A85CF51

Function 06790040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbad122a815e8dee3513b0837a2ac6ab1d43dc05e1c59f5922504e9bc1314360
Instruction ID: fd3101be80ee93faf37a95293c1e001876c40863187c349eeed96bbda279fa81
Opcode Fuzzy Hash: bbad122a815e8dee3513b0837a2ac6ab1d43dc05e1c59f5922504e9bc1314360
Instruction Fuzzy Hash: 1DC19F78E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB355DB359A81CF50

Function 067911C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b389509afb38114ee19527924092e0d43441b772b98b485e48a5b49357db60a
Instruction ID: 08bff92e356fac52f813cf092915a7948f4268b3932a418bca071b92823f3d57
Opcode Fuzzy Hash: 5b389509afb38114ee19527924092e0d43441b772b98b485e48a5b49357db60a
Instruction Fuzzy Hash: DBC19F78E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB355DB359E81CF50

Function 06791610 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62c94118fa9178015bec539a403d1ac3c1a3256446ffdb6ec0fd599238fb309
Instruction ID: 3e9f2d1585068f5a38199d4baacf268648c51edc06a39cae878e65aacd7e0b4e
Opcode Fuzzy Hash: a62c94118fa9178015bec539a403d1ac3c1a3256446ffdb6ec0fd599238fb309
Instruction Fuzzy Hash: 2FA12470E002098FEB24DFA9D588BEDBBF1FF88314F248269D448AB291DB705985CF54

Function 06791620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce44ce30fd0689ee38d97ddcd29451536a7830f4c4d0001be937ef3ac1e14ec5
Instruction ID: 777aa1cc0a758340ae15bf48ebc1bbe272cdc27883ea358c7043887a82b35f6c
Opcode Fuzzy Hash: ce44ce30fd0689ee38d97ddcd29451536a7830f4c4d0001be937ef3ac1e14ec5
Instruction Fuzzy Hash: 8FA1F470D002098FEB24DFA9D948BEDBBF1FF88314F248269D448AB291DB705985CF65

Function 067CD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d5aa85f3a382cea46767706205044df82c80ecf11aed5c19f99b58f56f272c
Instruction ID: f396cf52c9a4771f8bee541ff962ff6626ffb700dc0f304ef066770b316ab3c4
Opcode Fuzzy Hash: 53d5aa85f3a382cea46767706205044df82c80ecf11aed5c19f99b58f56f272c
Instruction Fuzzy Hash: 22A1B074E012288FEB68DF6AC944B9DBBF2BF89310F14C0AAD40CA7254DB745A85CF50

Function 067CB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193d9779effcb322a6278bcc3091e3fc209a9f414b67e203cb17de4d8f21bf5d
Instruction ID: ae7622f9fdddc0984e854ad50b7098887f19b5adc43ea0223358e438bc0bbb77
Opcode Fuzzy Hash: 193d9779effcb322a6278bcc3091e3fc209a9f414b67e203cb17de4d8f21bf5d
Instruction Fuzzy Hash: 65A1AF74E012288FEB68CF6AC945B9DBBF2BF89310F14C0AAD408A7255DB745A85CF50

Function 067CC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761bfc371eb3f028f080f98592294b1f283a5e30bba94cedf7c779df56538cc8
Instruction ID: f84bbe9df05e8fec3f6ebfae63abd5bb1b96e1fbb0324588c89ff13733f2fb99
Opcode Fuzzy Hash: 761bfc371eb3f028f080f98592294b1f283a5e30bba94cedf7c779df56538cc8
Instruction Fuzzy Hash: 5FA1A3B4E012188FEB68CF6AD944B9DBBF2AF89310F14C0AAD40CA7255DB745A85CF50

Function 067CA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8cdd886e847290f2ecef6c4e20bfd5aeab05923ec28efdce8294ae3d91a5e3
Instruction ID: 363ed794b82f95a7f1c11e646dfface99898e4cb76ba3d46686f09facd302831
Opcode Fuzzy Hash: bd8cdd886e847290f2ecef6c4e20bfd5aeab05923ec28efdce8294ae3d91a5e3
Instruction Fuzzy Hash: A6A1A274E016188FEB68CF6AC944B9DBBF2BF89311F14C0AAD408A7255DB745A85CF50

Function 067CBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45896df4f0f8fa58a513f736bb9adc5a0115924454788bbe04394ac688afdb8f
Instruction ID: dbd38b5e9a1129c49a576da790907e8548d5192146d62ebe0583c63d9f55dea6
Opcode Fuzzy Hash: 45896df4f0f8fa58a513f736bb9adc5a0115924454788bbe04394ac688afdb8f
Instruction Fuzzy Hash: 43A1A274E012288FEB68CF6AD944B9DBBF2BF89310F14C0AAD40DA7255DB345A85CF51

Function 067CC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c183006f11b14acf7ac9e22ff14cb6d7f03e4b723716f424a26e12d384e060
Instruction ID: cf13158c94a9ab17d12efcccf3181660893d0367dd67fe630de7ac61f6c4382b
Opcode Fuzzy Hash: 74c183006f11b14acf7ac9e22ff14cb6d7f03e4b723716f424a26e12d384e060
Instruction Fuzzy Hash: F6A1B274E012288FEB68CF6AC944B9DBBF2BF89310F14C1AAD40DA7255DB345A85CF50

Function 067CAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a7c12f5e5d61a273b2b9b2721032cc358674a1b11b2d9036fae8d7343633f4
Instruction ID: 62ce056e306a8420d31a13ccf7d2c996742c862b0ac25a7b07b78dd384747fec
Opcode Fuzzy Hash: b0a7c12f5e5d61a273b2b9b2721032cc358674a1b11b2d9036fae8d7343633f4
Instruction Fuzzy Hash: 68A1A174E012288FEB68CF6AC944B9DFBF2BF89311F14C1AAD408A7255DB745A85CF50

Function 067CD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d21109da267e73cc569cde2f78f0603c88f9e28418b4fc2b4070052f85a8e04
Instruction ID: ccb39414a0aeea333a0749abf2f0705607bd1709dadb179e94756a5acca31c9e
Opcode Fuzzy Hash: 6d21109da267e73cc569cde2f78f0603c88f9e28418b4fc2b4070052f85a8e04
Instruction Fuzzy Hash: 0CA19175E012288FEB68DF6AC944B9DBBF2AF89310F14C0AAD408A7255DB745A85CF50

Function 067CB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edf8353064e763a3e9db4dee6af4b761632ad4a05e3214be52affb6591b1e73
Instruction ID: 817fc7a5b988686a47d697f01f763b6d71825d346755721ff4904c95de62b585
Opcode Fuzzy Hash: 8edf8353064e763a3e9db4dee6af4b761632ad4a05e3214be52affb6591b1e73
Instruction Fuzzy Hash: 89A1AF74E002288FEB68DF6AC945B9DFBF2BF89310F14C1AAD408A7254DB345A85CF11

Function 06791966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a4eb15404193e09462295144b9879b64bd1f36967cad459d7b80be11c80c6b
Instruction ID: 0779dcdf8788505a3f8c0993fffa2ea06ff835d00f25e94500e64b2ed5f5fbc8
Opcode Fuzzy Hash: 75a4eb15404193e09462295144b9879b64bd1f36967cad459d7b80be11c80c6b
Instruction Fuzzy Hash: C891E274D002098FEB54DFA8D588BACBBF1FF48314F208269E449AB291DB709985CF64

Function 067CB090 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d91ae45350040cd122d8afa69c7bb5765522de65fb9f2ed8efdb098863da153
Instruction ID: e556b6dbd8ab9f78dad1a133ddb3b2b03f512c9045619c67dc8fc059deb3dd1e
Opcode Fuzzy Hash: 8d91ae45350040cd122d8afa69c7bb5765522de65fb9f2ed8efdb098863da153
Instruction Fuzzy Hash: E591C7B1D006588FEB68CF6AC945B9DBBB2BF89310F14C0EAD40CA7255DB315A85CF51

Function 067C1191 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638d9f484d34d5a8e7bb80789865752e4f58c2a91689f55c324a822f7e15ae31
Instruction ID: fe8a93cc7373bae9f9f05375135ea640450676a4bad55efaa7fe2d930093ff27
Opcode Fuzzy Hash: 638d9f484d34d5a8e7bb80789865752e4f58c2a91689f55c324a822f7e15ae31
Instruction Fuzzy Hash: 4981A474E412289FDB64DF29D954BEDBBB2BF89300F1081EAD849A7254DB305E81CF40

Function 067CD018 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb012dad05cbcc29304daf64f2bfef9174aa4ed407ae092fe3685a69d9f2294
Instruction ID: 14ba477b63b92796d1ffacced5bf354ac8041579c6a4c68d919734c4856c41ee
Opcode Fuzzy Hash: beb012dad05cbcc29304daf64f2bfef9174aa4ed407ae092fe3685a69d9f2294
Instruction Fuzzy Hash: 8A717471E01628CFEB68CF6AC944B9DFAF2AF89310F14C1AAD40DA7255DB344A85CF51

Function 067CAA48 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c870b9e9a65e27b837223f76f79645ef47b2541b82d1a68c7411cf2ddbd3dfe
Instruction ID: 6c5f751ad0936f46a169d1f08bc5fa528cacffa8419b9fc6ae4e4d50ac217e51
Opcode Fuzzy Hash: 5c870b9e9a65e27b837223f76f79645ef47b2541b82d1a68c7411cf2ddbd3dfe
Instruction Fuzzy Hash: B17183B1E006188FEB68CF6AC944B9DFAF2AF89301F14C0AAD40DA7255DB344A85CF51

Function 067C85F8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceac9f78c0b0937cc6c88d3f8efab5819ed4b99ff05f12884010e95d2f2dc959
Instruction ID: abcdef5399c7938d2dd7fa99b09b31be7190a005a304755988e31b06be0a5762
Opcode Fuzzy Hash: ceac9f78c0b0937cc6c88d3f8efab5819ed4b99ff05f12884010e95d2f2dc959
Instruction Fuzzy Hash: 9F5102B0D006088FEB58DFAAD9547EEBBF2AF88310F14C16AC418BB254EB354946CF55

Function 067CC378 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7013a515d51a1aae4b962728a2906847ebff8afe15204daf3308af863d455d87
Instruction ID: 2170dab941f6b310a31bced492e020cc6022e24b578d6e1eb37d1e827093bbeb
Opcode Fuzzy Hash: 7013a515d51a1aae4b962728a2906847ebff8afe15204daf3308af863d455d87
Instruction Fuzzy Hash: C5519BB1D016188FEB58CF6BD95579AFAF3AFC9314F04C0AAC40CA6255DB740A86CF51

Function 067CC9C8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e355e95f530ea875cd10dda9c34fb1b0b75691801e91377658c4794de1a32a
Instruction ID: 4cc816086ea3f23e40ac64a5375139a61fd90a65f13cc2b6e65bfe695a7623da
Opcode Fuzzy Hash: 95e355e95f530ea875cd10dda9c34fb1b0b75691801e91377658c4794de1a32a
Instruction Fuzzy Hash: 18517871E016188BEB58CF6BD9457D9FAF3AFC9314F04C1AAC50CA6264DB740A868F51

Function 067CD661 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3794ec2197af18a9b10b1e9a16d9fd840e7f65170c5ccdb8a2ebcb4fa8e94e63
Instruction ID: a594cd90d43b25184526a36fcdeeeb747de21e2b846652ba55affe57f317617a
Opcode Fuzzy Hash: 3794ec2197af18a9b10b1e9a16d9fd840e7f65170c5ccdb8a2ebcb4fa8e94e63
Instruction Fuzzy Hash: 2C415AB1D016188FEB58CF6BC945799FAF3AFC8310F14C1AAC50CA6255DB744A85CF51

Function 067CBD28 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7544e34df0123c8cdbca85b60d7f93fc0d256d9546a0ba7d218b10bbd0322b2
Instruction ID: df0a71f8222cd5bc549517ef478f7666e78a03405a0523ab98466b4030b049e1
Opcode Fuzzy Hash: c7544e34df0123c8cdbca85b60d7f93fc0d256d9546a0ba7d218b10bbd0322b2
Instruction Fuzzy Hash: 5B417AB1E016188FEB58CF6BD9457DAFAF3AFC8310F14C1AAD40CA6255DB740A868F51

Function 067CB6D9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992240cd5bc41d155e48ffcc5f50ae722cf113ea6af04c91b33336e8686cefcd
Instruction ID: a56fc1cb983987b1cc989bb10b5f32aa387d047c2dc62767e602ee88cfae78d8
Opcode Fuzzy Hash: 992240cd5bc41d155e48ffcc5f50ae722cf113ea6af04c91b33336e8686cefcd
Instruction Fuzzy Hash: 2B416971E016188BEB58CF6BC945799FAF3AFC8314F14C1AAD40CA6264DB740A858F51

Function 067CA3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8f4a1e62c028ce9228d916d62b0e4aa0e9aff9e6ec6ae4d64be3b42d468b35
Instruction ID: f0b0ded6277b5bcd3b44b678c5c5e798b986bbe977fc47cb29f389c4e0a2ea2b
Opcode Fuzzy Hash: 1c8f4a1e62c028ce9228d916d62b0e4aa0e9aff9e6ec6ae4d64be3b42d468b35
Instruction Fuzzy Hash: 044168B5E016188FEB58CF6BC9457DAFAF3AFC8311F14C1AAC50CA6264DB740A858F51

Function 01146E58 Relevance: 10.5, Strings: 8, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 0114701A
(oq, xrefs: 01147377
(oq, xrefs: 01146F51
,q, xrefs: 01147308
(oq, xrefs: 01146E96
(oq, xrefs: 01146F7D
,q, xrefs: 011472F8
(oq, xrefs: 01147367

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 321c5ff85f9f74bd946105ffe335202e99e0a30ff1d726291cda21491db97860
Instruction ID: 4126c7e8f46ad508fb885ccfcdd0de16728617a236646e632726a8d00fae2c64
Opcode Fuzzy Hash: 321c5ff85f9f74bd946105ffe335202e99e0a30ff1d726291cda21491db97860
Instruction Fuzzy Hash: 7A129D30A002098FDB29CF69D894EAEBBF2FF49714F158559E945DB2A1D730ED41CB50

Function 011487E9 Relevance: 4.2, Strings: 3, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 01148811
;q, xrefs: 01148C2C
4'q, xrefs: 01148837

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: 4'q$4'q$;q
API String ID: 0-144927120
Opcode ID: 66a0dca93aab9fe5b8a55fb135b941f01ad7162f77ff6d6b5ef5b60afd7a350b
Instruction ID: 10f3679dd395e619e169e4d8b9ce6292b55ac5fd8267fdd3f496a27a5dcdcfed
Opcode Fuzzy Hash: 66a0dca93aab9fe5b8a55fb135b941f01ad7162f77ff6d6b5ef5b60afd7a350b
Instruction Fuzzy Hash: CBF1A0707142018FEB1D9BBDC958B3D7B96AF85B01F1944AAE502CF3A2EB24CC42C752

Function 01145C08 Relevance: 4.0, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 01145CE8
,q, xrefs: 01145CDE
b, xrefs: 01145E5E

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: ,q$,q$b
API String ID: 0-2072535545
Opcode ID: 381524da97819bcaba8de615cace02e84f5e9c0d017e04e0862406e925cc547e
Instruction ID: ae39ae367224f7e878ccbf9cf53001c85e3d15f1044d4a01b4766a6d7b297c77
Opcode Fuzzy Hash: 381524da97819bcaba8de615cace02e84f5e9c0d017e04e0862406e925cc547e
Instruction Fuzzy Hash: 8B819131A001158FDBACCF6DC488AADBBF7BF89A10B158169D506EB361D731E842CB51

Function 011477F0 Relevance: 3.2, Strings: 2, Instructions: 704
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 01148314
$q, xrefs: 01148337

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: a0d22adbaf8c69244d65c8f56bed3c3cf080fcf9a9bae9645d8492bfbc652e3c
Instruction ID: d2e7b6be0890f0355bea76b9ef7d6953434685a2ec3dfc999f68e88e20c805c0
Opcode Fuzzy Hash: a0d22adbaf8c69244d65c8f56bed3c3cf080fcf9a9bae9645d8492bfbc652e3c
Instruction Fuzzy Hash: ED520234A003198FEB289BA4C964B9EBBB2EB94700F1080ADC14A6F395DF355D45DFA5

Function 011456A8 Relevance: 2.8, Strings: 2, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 011457C6
Hq, xrefs: 01145793

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 2e12923c39dbb45bf74dc087fd2282783920f5e403d181737c1c14ca6a747d41
Instruction ID: dbb171f175616ef0b4583523dabaf786b25fffa175b2d23d32e900d83b4f234c
Opcode Fuzzy Hash: 2e12923c39dbb45bf74dc087fd2282783920f5e403d181737c1c14ca6a747d41
Instruction Fuzzy Hash: 1DB1BB31B043058FEB6A9F69D898B7A7BA3BF89614F158929E446CB291DF34CC01C791

Function 067C23E0 Relevance: 2.7, Strings: 2, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 067C2529
LRq, xrefs: 067C23FC

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: 740a4ad424c83a05e964bfbbe74f1f70f36c517de22ee462c08bc3766a04d89b
Instruction ID: 8433ae22efa8de6f5b81c09818b349cfac92dec3d979684b4deab5406bb18abf
Opcode Fuzzy Hash: 740a4ad424c83a05e964bfbbe74f1f70f36c517de22ee462c08bc3766a04d89b
Instruction Fuzzy Hash: E3819334B002058FDB44EB79D854A6E7BB6AF8972071585ADE511DB3B6EB30DE01CBA0

Function 067C9510 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 067C96EA
(&q, xrefs: 067C962B

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 8d53c126a1596a1b64033ad558432bf131f3cc53035c908ca2bf3b0f7dc20545
Instruction ID: dff11b8edc48560652ee0f8da67c70033ecaebd35df05ee8b2855f04f9f92c4b
Opcode Fuzzy Hash: 8d53c126a1596a1b64033ad558432bf131f3cc53035c908ca2bf3b0f7dc20545
Instruction Fuzzy Hash: 60717D31F002199FDB55DFA9D8546AEBBB2AFC8710F14852DE506BB280EE309D46C7D1

Function 01143428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 0114345E
Xq, xrefs: 01143435

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 7912d432a2ef4bfdc3eb9ce6cfab0a276fb8fa34af6e483723502d9032f78fdf
Instruction ID: f9dc6f9e168067cd6a9abfd1568d07bb28a98ed73e8917b392c99ff815716fb4
Opcode Fuzzy Hash: 7912d432a2ef4bfdc3eb9ce6cfab0a276fb8fa34af6e483723502d9032f78fdf
Instruction Fuzzy Hash: 9D310975B103358BEF2D5A6955943BE65EABBC4A10F1C443DD92ACB380DFB4CC0586A2

Function 01140C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRq, xrefs: 01140E5E

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7b3c085547e048b4b5168d1e3ef13013b696fad0b3deb0f7950b633c52585698
Instruction ID: ca484250b29906c06d836792d2821667eb1d213d5a5db4c6dd915c82218614f3
Opcode Fuzzy Hash: 7b3c085547e048b4b5168d1e3ef13013b696fad0b3deb0f7950b633c52585698
Instruction Fuzzy Hash: 2422C778D00219CFCB54EF68E995A9DBBF1BF48305F1086A9D809AB758DB306E45CF90

Function 01140CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 01140E5E

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7fa8dcc8fd21994c860184711a80f4af0eceaf32bf385216d8f04fd49d00a515
Instruction ID: 12fe8562f482f62b7c94b2a643fae209bccb89f90fdf04a15751a1e1d09e9336
Opcode Fuzzy Hash: 7fa8dcc8fd21994c860184711a80f4af0eceaf32bf385216d8f04fd49d00a515
Instruction Fuzzy Hash: 0922B778D00219CFCB54EF68E995A9DBBF1BF48305F1086A9D809AB758DB306E45CF90

Function 06798174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 067982B6

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69aff623910099078539ecef91962e5606c50414ca5e5353ecdc8c222245bc0d
Instruction ID: cfe44977dbc8d42bd52c62274b23bcffb8efe4ab1bab956ebf0084607c3307bc
Opcode Fuzzy Hash: 69aff623910099078539ecef91962e5606c50414ca5e5353ecdc8c222245bc0d
Instruction Fuzzy Hash: 97117C74E012098FEF44DBA8E588AADB7F5FF8A314F148565E944AB242D730A841CB61

Function 0114A650 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(oq, xrefs: 0114A7D9

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 3a2d3f19c2c1481683479a097ab0db3a710ce46193722be2a2ea8eeb33f6c3c7
Instruction ID: 307867ac4124cbef33ad7212b4dc2a5ed2b56b7712a60b15bbe954d58be75db8
Opcode Fuzzy Hash: 3a2d3f19c2c1481683479a097ab0db3a710ce46193722be2a2ea8eeb33f6c3c7
Instruction Fuzzy Hash: 2941EF35B442048FDB199B78E9546AE7BF6BFC8211F198429D506AB390CE319C02CB91

Function 01144DC8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

b, xrefs: 01144DD9, 01144DF6, 01144E13, 01144EA9

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: eacc50b3b7c10bbcafae464f9e6f7a35f7801bdc4a889b29a48640588dcd94e1
Instruction ID: 53edb6ceb8333d07dd545ce87d2004814a29f94d317a16f3229575682c1d77c7
Opcode Fuzzy Hash: eacc50b3b7c10bbcafae464f9e6f7a35f7801bdc4a889b29a48640588dcd94e1
Instruction Fuzzy Hash: 0F31807160821AAFCB1A9FA9D454AAF7FB2FF88600F104424F9559B650CB38DC61CBE1

Function 011476D0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

b, xrefs: 011476EA

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: 7915df2fbba6444854668d07f656135a97fed49ffa64bb21c05547377807c4df
Instruction ID: f39363dd4be51ec7475e1991b97ae967b32872f1db9a05e9e6d8cbf54a7745c7
Opcode Fuzzy Hash: 7915df2fbba6444854668d07f656135a97fed49ffa64bb21c05547377807c4df
Instruction Fuzzy Hash: 2721F4343047004BEB2E973E9898A7D7B9B9FC9A1675844A9D506CB7D6EF24CC4393C1

Function 011476E0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

b, xrefs: 011476EA

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: 1fbe5322a771dd166e2a20bc58db1f17e4acc18645ced91547e1250069c816c0
Instruction ID: 3a2d5243edf2e53f7099f2a7ded1e30adda020eb1c3217ea90707bb754c894ea
Opcode Fuzzy Hash: 1fbe5322a771dd166e2a20bc58db1f17e4acc18645ced91547e1250069c816c0
Instruction Fuzzy Hash: 0A21BD393047004BEB2D972A8858B7A769BAFC4B1AF548078D506CBBD9EF25CC4292D1

Function 01145A60 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

b, xrefs: 01145AFA, 01145B17

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: 36f092749db6fe99a526be9e96a11bd8cb6ed7f71251507de9c9b33e98825996
Instruction ID: 2cc4c0dc8bbe401b74e6df2b9645a152470bbec00a9182659bec9c25de3ae8f5
Opcode Fuzzy Hash: 36f092749db6fe99a526be9e96a11bd8cb6ed7f71251507de9c9b33e98825996
Instruction Fuzzy Hash: 2721D0357047118FD71A9A69C4A863EBBB3EF89A60B1584A9E906CF355CF30DC02CBC0

Function 01144DB9 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

b, xrefs: 01144DD9, 01144DF6, 01144E13

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: 83ed9e0c548facb8f221d50aae870c90770c1614d5aeda4bfed754b939f0ebc7
Instruction ID: 92fcfea56b9c21f5fb1604d9bfe7d9a1dc9a1efcb936b4fd46b5822f8d0edb92
Opcode Fuzzy Hash: 83ed9e0c548facb8f221d50aae870c90770c1614d5aeda4bfed754b939f0ebc7
Instruction Fuzzy Hash: 88210471A082558FCB2A9F68E4657AB3FF2EF85614F104469F8458F651CB38CC16CBE0

Function 01145A70 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

b, xrefs: 01145AFA

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-2387849686
Opcode ID: 58aa166978660050d658d7b855c1ce4cfb29aeff0aae76b4b38704ba7cfe9a9c
Instruction ID: 227276d76f1e8397bcac5dd709376096b1428481af35c0bef8d6529290ad6847
Opcode Fuzzy Hash: 58aa166978660050d658d7b855c1ce4cfb29aeff0aae76b4b38704ba7cfe9a9c
Instruction Fuzzy Hash: 491182317447119FD7595A2DC49893EBBA7BF89A617154568E906CB350DF20DC02CBD0

Function 0114A818 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0bd8e2196cc6e331ee30c84b4bd8631766190cd9e7e4ef97094425a9d93467
Instruction ID: 11f85c27ebc6b9f958c6e5ef89ed208c62f60cde4ad60dd6ed3d64ec6cdfb426
Opcode Fuzzy Hash: eb0bd8e2196cc6e331ee30c84b4bd8631766190cd9e7e4ef97094425a9d93467
Instruction Fuzzy Hash: 99F14B75A802158FCB09CF6CD594AADBBF6FF88714B1A8459E506EB361CB31EC41CB50

Function 01147438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6621826766ab7e24e5a9be7e822b3a3acf0925e0eab4879cc73dde71b1041a1
Instruction ID: 914723e17075d5d98e0d86a4662ff14a495abad92fc14427153ed441e91b1604
Opcode Fuzzy Hash: e6621826766ab7e24e5a9be7e822b3a3acf0925e0eab4879cc73dde71b1041a1
Instruction Fuzzy Hash: CC711A347002458FEB19DF2CC898ABD7BE6AF49A04F1940A9E906CB3B1DB70DC51CB91

Function 0114CEC7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf45909aa9f5bb3b65e424475dae7a0ff48e9510ed5efb0b47b14f3cf8d47eb
Instruction ID: d6fa33ddfedf703c66ffb86aa6bb402f185c16aa5252415c1cf9313f745eff78
Opcode Fuzzy Hash: caf45909aa9f5bb3b65e424475dae7a0ff48e9510ed5efb0b47b14f3cf8d47eb
Instruction Fuzzy Hash: 1151CF308A93039FC3142F24A5AD17EBBA4FF4F32BB456C08A48E918599F755469CBA0

Function 0114CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f046b9ce310799b9fa513569b612603683abf77b8e35bfba5d730cb6c175bc4
Instruction ID: dab24e47f413e331d86fdce7193c45caf6f512ceef7bea89f1ceda63e4b317a8
Opcode Fuzzy Hash: 2f046b9ce310799b9fa513569b612603683abf77b8e35bfba5d730cb6c175bc4
Instruction Fuzzy Hash: B651C0308A93039FC3542F24E6AD17EBBA4FF4F32BB456C08B44E918589F755465CBA0

Function 0114E2D8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c42fc1cea80024c1e106aaf94cea363290fd897a31d6008250857ae8cdb0ba
Instruction ID: 825bb4e29b73e2bf8385bcd708221d4bb63feeed1b57e4a6431c835aff6ec107
Opcode Fuzzy Hash: b0c42fc1cea80024c1e106aaf94cea363290fd897a31d6008250857ae8cdb0ba
Instruction Fuzzy Hash: 2461CF74E01318CFDB15DFA5D9987AEBBB2FF88300F208529D805AB259DB399945CF50

Function 0114CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc779908df1457944bb27c36a694d7c696e33d8c575555329a30d7312166292
Instruction ID: 0b920a90208ef971fef02297c354b573e1e081cf1da655b97697636fb6aa36e7
Opcode Fuzzy Hash: ccc779908df1457944bb27c36a694d7c696e33d8c575555329a30d7312166292
Instruction Fuzzy Hash: C2518374E01208DFDB58DFAAD5849DDBBF2BF89300F248169E819AB365DB30A941CF50

Function 067CDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c0df917765088b14743713ed69b3d849c6b4506b897588f7ff4b2c4c50c36e
Instruction ID: 7660881c8efc8ab7378b28282090602214c5ca5c1b7b18b36352de81c279f8af
Opcode Fuzzy Hash: 51c0df917765088b14743713ed69b3d849c6b4506b897588f7ff4b2c4c50c36e
Instruction Fuzzy Hash: D9417834905319CFDB18AFB5D45D7EEBBB1FB4A326F108869D201A7698CB790A44CF90

Function 01143908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f70d5094a8391cb5df03dc67d36e5451dc4abf3401f2bcd3c3a238de1dc9cf
Instruction ID: 64e6a96392113c8888c211b6451194178159aa85b6432a599c27dee1e60ba668
Opcode Fuzzy Hash: 47f70d5094a8391cb5df03dc67d36e5451dc4abf3401f2bcd3c3a238de1dc9cf
Instruction Fuzzy Hash: 33519374E01308CFDB18EFA9D59499DBBF2FF89314B208469E815AB364DB35A945CF40

Function 067C9A49 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fdc4e14d363362d59c365936c14671cb82c00b1252ddcaffd7611fa7683303
Instruction ID: 8a84311e545d1b4fe82130aa399db2f0ade7880614ae488f6dd6cfc78bc3091b
Opcode Fuzzy Hash: 67fdc4e14d363362d59c365936c14671cb82c00b1252ddcaffd7611fa7683303
Instruction Fuzzy Hash: AC51F279E00208CFDB54DFA9D5847EDBBF2EF89310F20902AD815A7298DB349A46CF50

Function 01149A63 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39d297d16fd7a5764ebdfff8a647e4c53753316198150847a69c8c22dbf22ee
Instruction ID: d91737815d8d0c7dfe9eac50001b55c2bdc7326633f7eeb90485e12aa06de9ba
Opcode Fuzzy Hash: f39d297d16fd7a5764ebdfff8a647e4c53753316198150847a69c8c22dbf22ee
Instruction Fuzzy Hash: CB41C331A0424DDFCF1ACFA8C844A9EBFB2AF8D318F148556E915AB2A5D330D914CB91

Function 067C9500 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3e4fbb8482ae533fbd5d20bb30aaeaf17686e0e5a69e270dd898ffd585f0ad
Instruction ID: 341c78e2b2339f5ccba3b0d64cf7508f5eef07b1753ac84ffbd42592c37c9d13
Opcode Fuzzy Hash: 7b3e4fbb8482ae533fbd5d20bb30aaeaf17686e0e5a69e270dd898ffd585f0ad
Instruction Fuzzy Hash: F8414131E007199BDB54CFA9C890AEEFBF5AF88710F14812DE515B7284EB70A945CB90

Function 0114D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e065fe3fc14efc539bbb9522c0e3ecc035b947ea474c6a892361e296c4d09cb
Instruction ID: 3ae2a1c2ba4798ec767f2c18bc21012580d8aba693f5373945473e732959fa6d
Opcode Fuzzy Hash: 7e065fe3fc14efc539bbb9522c0e3ecc035b947ea474c6a892361e296c4d09cb
Instruction Fuzzy Hash: 53413274D04609CFEF08DFA8E4946ADBBF2BF5A709F218129D41AAB244D7349842CF65

Function 067C9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf93c1c445467e208b5fb532ea8dc7038f5071c7dbbb2491cdd1709ff75a6aa
Instruction ID: f8ce5dc80278dbf85f19dee627ddd78b9c218794619750957ec255a0a2abda50
Opcode Fuzzy Hash: dbf93c1c445467e208b5fb532ea8dc7038f5071c7dbbb2491cdd1709ff75a6aa
Instruction Fuzzy Hash: D241C078E00208DFDB44DFA9D5947EDBBF2BF89310F10902AD815A7298EB349A46CF50

Function 0114D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5270f1071509ca20e402327f315117f5e36bd7649fad647ab386caaacef668
Instruction ID: b09fff1dae10a3376898096da297e24b17d6f5b48e4d52ae9adac7d0a756f5fa
Opcode Fuzzy Hash: 4a5270f1071509ca20e402327f315117f5e36bd7649fad647ab386caaacef668
Instruction Fuzzy Hash: CB410F74D04609CFEF08DFA8E4846ADBBF2BF5A709F219129E419AB284D7349841CF54

Function 0114D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366d2bd8e135ff0d894bb22e48685107095163c2cf55cb4717a9b60a046abb7c
Instruction ID: d488ec35776f2db60417f7a74ea96d9256291b5f8d874800cff2180fbb9dd3bb
Opcode Fuzzy Hash: 366d2bd8e135ff0d894bb22e48685107095163c2cf55cb4717a9b60a046abb7c
Instruction Fuzzy Hash: 88411370E002098BDF08DFA9E548AEEBBF2BF99305F14D129D418AB254DB759841CF64

Function 067CDCB1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71051092c4b48efdc09c4385be9aed8fbe73f28259f66e1239e04609bf0433f
Instruction ID: de24ae8f636c095c04cfa9f85fc4f0e5e73ebff682c09f5c804fa25abbf2f499
Opcode Fuzzy Hash: d71051092c4b48efdc09c4385be9aed8fbe73f28259f66e1239e04609bf0433f
Instruction Fuzzy Hash: 93318B34805309DFDB14AFB5D4683FEBBB1EF4A325F148869D101A7698CB790A48CF90

Function 01149080 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef67360abd041fa934dcaa3c1c091fef1565baee8b1ab5c7ca4a9101f15a373
Instruction ID: 3314695c62b59491d568c951c5e3cd157612dceee9bdcb04a2079b352c1c0d84
Opcode Fuzzy Hash: 3ef67360abd041fa934dcaa3c1c091fef1565baee8b1ab5c7ca4a9101f15a373
Instruction Fuzzy Hash: 4631D6315016459FD318CB2CC888962BBB9AF85B3CB18875DC9794B6D6D731E813C7D0

Function 0114A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9614153360435a98c259ef472ca3f013f8f23689ef55b6a9c305f79cd6a9d510
Instruction ID: f6b1cda7729ee635b7d180c6b87c056d47e202273a1bf7772da72b3ec4ad6dbf
Opcode Fuzzy Hash: 9614153360435a98c259ef472ca3f013f8f23689ef55b6a9c305f79cd6a9d510
Instruction Fuzzy Hash: 2F31B574E406058FCB08CF6DD8849AEBFF6FF85710B1A8559E5569B3A1DB30AC12CB90

Function 01142060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4334cb8d9a59a553101b1a3ca67e8d55625e3e111e550299f6d764a52fb2be4
Instruction ID: dc9139f05ee80daf6895258735b328e90c093db97a9009a31127af8c032b229e
Opcode Fuzzy Hash: a4334cb8d9a59a553101b1a3ca67e8d55625e3e111e550299f6d764a52fb2be4
Instruction Fuzzy Hash: DE219535A003149FCB18DF2CD840AAE7BB6EF99760B50C519E9159B344DB31EE85CBD1

Function 01141F08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace1f8ad08f45f4333a1cc15a390942f805b38b35f38b3feac96e2b5d7544793
Instruction ID: 2f205a884214d3e1ff7fb98eba891530d3356d1dab42f2788597e4fe2f04f6c5
Opcode Fuzzy Hash: ace1f8ad08f45f4333a1cc15a390942f805b38b35f38b3feac96e2b5d7544793
Instruction Fuzzy Hash: 9A2159B4C086199FDB26EFA8C4541EEBFF4FF49310F40456AD441B7254EB316689CBA2

Function 010ED404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3690687799.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ed000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ebf0e97dbf9707163fe7aa3caaa0d0b7d941fceaaa9210044bd4e7a8a9a4a7
Instruction ID: f0276e04f8defb897968f0aca219defefc088dabf476cca00e79ddaa08812eec
Opcode Fuzzy Hash: e0ebf0e97dbf9707163fe7aa3caaa0d0b7d941fceaaa9210044bd4e7a8a9a4a7
Instruction Fuzzy Hash: EE2145B1500200EFDF15DF94D9C8B5ABBE5FB94314F20C1A9E9490F246C736E446CBA2

Function 01149079 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f781222a084fd327a40c6f085f9ec96b96c1d1c7dc6f35847bf7213936d99bb
Instruction ID: 92c70ee35a38e36276b966b170d8a6090572b103eff7db2cfdeae107947e5f89
Opcode Fuzzy Hash: 7f781222a084fd327a40c6f085f9ec96b96c1d1c7dc6f35847bf7213936d99bb
Instruction Fuzzy Hash: 3821D3714019055BC22CCB2CC888962BBBABF89F3CB54871CC9794B6D5D732E812CBD0

Function 010FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3690766786.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448870542df616d478443c8b397d481ee43b53b5b2313e13f9b0a7cc3db89065
Instruction ID: c338b513434c6c7f39827661ef59dc21000dcf2fda03d0880e79b5b9d8c7291d
Opcode Fuzzy Hash: 448870542df616d478443c8b397d481ee43b53b5b2313e13f9b0a7cc3db89065
Instruction Fuzzy Hash: D7212271504204AFDB25CFA4D9C1B26BBA5FB84314F20C9ADEA894F642C736D447CB62

Function 067C96F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742c303a05ae0c5eb3897cc556baa8c8ecc05b5824f33cd7f7cbbd65a00f29e6
Instruction ID: f7bb56c714209bec7a7f0860bb64e9f2d8ae127fcc9365b85c9c19bbfe8c185f
Opcode Fuzzy Hash: 742c303a05ae0c5eb3897cc556baa8c8ecc05b5824f33cd7f7cbbd65a00f29e6
Instruction Fuzzy Hash: 60115B317043541FDB466EB898243AE3EA3EFC9350B14442EE50ADB381DE348D05C3E2

Function 0114215C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93a5348fde7755b7a4753cfe5adf39e0f761b2938702e25db2a88d9a84f16de
Instruction ID: ddede3e2fcda1e3c57c9b59533ae4eb61a8f31b9185fea3939fbfb90ad67bfd7
Opcode Fuzzy Hash: a93a5348fde7755b7a4753cfe5adf39e0f761b2938702e25db2a88d9a84f16de
Instruction Fuzzy Hash: C9113631E043599FCB01DBBCAC005EEFBB1FF89210B248796E625B7151EB311946C791

Function 0114D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1864eb86342b6bb498a4d5ceb2137d57beba14ccc312ce75c88d0c30066d145e
Instruction ID: ca0f6fb4f07a891489a77615de8601f5f5e9328c96cb59e0cc910e206dec378f
Opcode Fuzzy Hash: 1864eb86342b6bb498a4d5ceb2137d57beba14ccc312ce75c88d0c30066d145e
Instruction Fuzzy Hash: B2117C74E042498BEF08CFAAE4452EEBBF2AFC9311F08C165C818A7256D73055168F54

Function 067CE0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0cc9d032ed21accc5b0dba43f7a3eb41976022e1c17fc65a4007409b3df19b
Instruction ID: c8029619b24cd6a423dba495a95e48022e1504bd259f272015b7d9e44b140874
Opcode Fuzzy Hash: 8e0cc9d032ed21accc5b0dba43f7a3eb41976022e1c17fc65a4007409b3df19b
Instruction Fuzzy Hash: 5211C8357082548FE7050BB95C586BBBAABBFCA320B18887FE146C7295CD248C1683B1

Function 0114E1F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bfbd2a386bb809abbd6483154f492277fa7c5fbc68e8da12365b41406f949a
Instruction ID: f8a1860817b421db6840bde9a624fbe7085f43445054329f2e352ef7d5673a53
Opcode Fuzzy Hash: 76bfbd2a386bb809abbd6483154f492277fa7c5fbc68e8da12365b41406f949a
Instruction Fuzzy Hash: 9F21A17490434A9FDB55DFB8D64469EBFF2FF45304F0482A9C0989F269DB341906CB81

Function 067C9999 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee43fce839404b6af5d0058cddfb7ac8de2e05a5963d9a60326833709e3fc65
Instruction ID: 85467045fc57f4e25db5b15168bf2f8e303e9e0068f11b092ecce5ed8991563a
Opcode Fuzzy Hash: 8ee43fce839404b6af5d0058cddfb7ac8de2e05a5963d9a60326833709e3fc65
Instruction Fuzzy Hash: F2112976800249DFDB50CF99C845BEEBFF4EB88324F14841DE654A7250C339A554DFA5

Function 010ED3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3690687799.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ed000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: 3e42c7f863adadb964409f3120e85ccdc3efd5a7de7e0ad3dab3d36a9c3bb1cb
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: 2D11DFB2404280CFCB12CF54D5C8B56BFB2FB94324F24C5A9D9490B657C33AE456CBA1

Function 067C9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff01563fb8a1e78b6b13d2417a4514c2ff1cd40da80dcebc6601d78aaecd5a
Instruction ID: f83695414a622a5aff391a3cc2c51514df2174608153185f7cab76a6bc064b25
Opcode Fuzzy Hash: 55ff01563fb8a1e78b6b13d2417a4514c2ff1cd40da80dcebc6601d78aaecd5a
Instruction Fuzzy Hash: 281126B6800249DFDB50DF99C944BEEBBF4EB48320F148419EA14A7250C339A954DFA9

Function 067C8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c0d9eeb02d6d9917335d8c8952149c0e648d67513e5a0e8fd5a32da205b134
Instruction ID: 4890262e8935463a2d8bde7468764b8b3debacf1ad37164e9269c81556c58aa9
Opcode Fuzzy Hash: 65c0d9eeb02d6d9917335d8c8952149c0e648d67513e5a0e8fd5a32da205b134
Instruction Fuzzy Hash: 28110074F401498FEB00DFE8D954BAEBFF6AB49321F508069D908AB345E63099428F51

Function 0114E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ea2616c179007ede4a60816b908fd5170429b6ca40dbde39455a4998286e8b
Instruction ID: d824e92f63365091fa09356c2ca1637b1226a55e59fbbd6e6d5da2748a85cb42
Opcode Fuzzy Hash: b9ea2616c179007ede4a60816b908fd5170429b6ca40dbde39455a4998286e8b
Instruction Fuzzy Hash: 99114C74E003099FEB44EFB9D64579EBBF2FB44304F0086A9C0489F658EB745A058B91

Function 01141F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d7705a5a690775a84bcaf1f895bea31d2d7a5029444bc3eecfa20eca23fe22
Instruction ID: 07b09231986a13636b079aac169c239ad583d4ebd37521f078ac385321c464db
Opcode Fuzzy Hash: d3d7705a5a690775a84bcaf1f895bea31d2d7a5029444bc3eecfa20eca23fe22
Instruction Fuzzy Hash: 6F21CBB4C1920A8FCB54EFA8D9955EEBFF0BF09300F10456AD805B7214EB345A99CFA1

Function 067C2670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf69b0f4ac20915983b0e4ee92920c6c30a3c97894aae485f8628239c43607e6
Instruction ID: a2ece068960e8bb3b5d3cf497f421f705192c8487520a48f5869f6bfa0f2610c
Opcode Fuzzy Hash: bf69b0f4ac20915983b0e4ee92920c6c30a3c97894aae485f8628239c43607e6
Instruction Fuzzy Hash: A011A579B002118FC790ABB8E54866977F0FF88721711446DE515D7726EB32CE15CBE0

Function 010FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3690766786.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10fd000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: 7c2c36183ada0bc3add8ad24e2c40fa446a10f4bc8523c6256daf8bb90ad92b1
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: 3911DD75504284DFCB12CF54D9C4B15BFA2FB84314F24CAADEA894BA52C33AD44ACF62

Function 01145607 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6de9bf8d1192b4720ff9d99ad21979f733ef39efc5c7ae056048396c82f99aa
Instruction ID: 9628f6d78f993e23c7f94b8bac2ad914fabdefa4cb6ba7ae12c2447002520b0b
Opcode Fuzzy Hash: e6de9bf8d1192b4720ff9d99ad21979f733ef39efc5c7ae056048396c82f99aa
Instruction Fuzzy Hash: 4501F571B001055FCB558E69A810AFF7FE7EFD8650F188029F508CB240CF318812CBA0

Function 067C25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da274508b896adb9020d1a019eb383c2713e610feab74635a4263349f189b4e0
Instruction ID: 642c4ff60ead18f592b5ec4e84f51a3400f7cbc35805c715464e7f45b0cc664c
Opcode Fuzzy Hash: da274508b896adb9020d1a019eb383c2713e610feab74635a4263349f189b4e0
Instruction Fuzzy Hash: 7401A470E007199FDF94EFB9D804AAEBBF5AF48210F10856AD419F7254E7749A018BA4

Function 0114DF08 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d169b4c23589c5dfe14dd297516ad4ca2f167be3c3523d03be4b386a203e0f7f
Instruction ID: 6a8def887b65168cf9f5fd46d6f4d1b7efab83d0d9a25acfc13843f8f73f28b5
Opcode Fuzzy Hash: d169b4c23589c5dfe14dd297516ad4ca2f167be3c3523d03be4b386a203e0f7f
Instruction Fuzzy Hash: 57E0E5359042068FCF188AB8B81A2EABBF5EB87711F009428D905A3452CBB1952F9A81

Function 0114D449 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785d1bc97e1eee901a9c57b28a3345c2b0001284e0d0825dcca6925818612440
Instruction ID: f7f37692ba63f8d1bc3509797d9321adb6826e468913ac788c7dd601d3efea13
Opcode Fuzzy Hash: 785d1bc97e1eee901a9c57b28a3345c2b0001284e0d0825dcca6925818612440
Instruction Fuzzy Hash: E1E0E5349081458BCB148BB5B81A2EABBF59B86311F049168C951A7546C775252B8B41

Function 01144F09 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9464025e111c9387d3ece030c26a4dd7d3bc718eec95f03bcb6bcf6a38b48b9
Instruction ID: 18c00c8c95467abf3e5d3458be036d49a5b5dfa81863df1a0ff39c9b93f27a2b
Opcode Fuzzy Hash: d9464025e111c9387d3ece030c26a4dd7d3bc718eec95f03bcb6bcf6a38b48b9
Instruction Fuzzy Hash: 6EF0523720D2888FCB021BA898204E9BFB18F821347084387D0B5D21E3C225421EABE5

Function 0114D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f710d36552ae67ec18bb6262867f68a4832af94da16af303a49a754911ac0665
Instruction ID: ba8d6cad478003de63523fccfed99710bdd87650fdd3648d8e42ee3897d7e497
Opcode Fuzzy Hash: f710d36552ae67ec18bb6262867f68a4832af94da16af303a49a754911ac0665
Instruction Fuzzy Hash: CDE0D8E2C082408BEF188BE574160F57FB0CEE7611749508780859BD25D714D1069712

Function 01142010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5e6016295a7d9d3787095e1bd7933c6d374d9ef627b86648a12a2116cf6dca
Instruction ID: ba37e7ab6b6e097f8fdce9a04a359c08cf2ba047a5906456f77e6b703b4a7340
Opcode Fuzzy Hash: 0d5e6016295a7d9d3787095e1bd7933c6d374d9ef627b86648a12a2116cf6dca
Instruction Fuzzy Hash: B5E068308253E21BCB2297749C040EEBF709DC3310B1546ABD49067041DF30155BC390

Function 01142020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c3efc6586c3c0993ce0924a75ff777a26687c17a8bf31635027d4748c185d1
Instruction ID: 01bee33d49dbe891f419d92e91c8902dac4829102c03bb42200e91b9da9e6017
Opcode Fuzzy Hash: a8c3efc6586c3c0993ce0924a75ff777a26687c17a8bf31635027d4748c185d1
Instruction Fuzzy Hash: 46D05B31D2033A57CB10E7A5DC044DFFB38EED5321B514666D51437144FB706659C6E1

Function 01148258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 85ac0cf176744c0088d107a7ba5a5e44c495a2c4228bc2d6ff15a1c2767af774
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 56C0123320C1282BA629208E7C40EA3AB8CC3C1AF4A260137F91CA3200AA429C8041B9

Function 0114A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890e3f92a5dfabe5ef1d12f5dc9e530d023593dcf1aef0c3ecaffb9d58f6d841
Instruction ID: 6d28f67fddd0a48ff7b90c797cd176a42656d98dde872cb0afe29dc814ea7289
Opcode Fuzzy Hash: 890e3f92a5dfabe5ef1d12f5dc9e530d023593dcf1aef0c3ecaffb9d58f6d841
Instruction Fuzzy Hash: A7D0677BB511089FDB049F98E8409DDB7B6FB9C221B548526E925A3260C6319921DBA0

Function 01149050 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d0bf1820b5276af92e7a852223a181fb7a582d1d382c27d5ef1853fee4ac3
Instruction ID: b0160796299bc1164b14286dc7f182f50741fc9df843419d9a9d30ec16233a23
Opcode Fuzzy Hash: 2c0d0bf1820b5276af92e7a852223a181fb7a582d1d382c27d5ef1853fee4ac3
Instruction Fuzzy Hash: 6CC0020805D7C55ED317437828765B67FF89C4724239D59C798C1CA1A7D408682A9365

Function 01145EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d054570cc58e2a5f002a3b639099f7607c4785282629230ebf8917850f9381
Instruction ID: 0540b6982d453f11c34fdfacd5e80a9592dd26844a24bd6cb27bc57e4fa2795b
Opcode Fuzzy Hash: e1d054570cc58e2a5f002a3b639099f7607c4785282629230ebf8917850f9381
Instruction Fuzzy Hash: EDC01234D043064BD551F775FA4599533BAAAC0618F404954A1090F5199F74584A46B2

Non-executed Functions

Function 067C2809 Relevance: 12.9, Strings: 10, Instructions: 420COMMON

Download Yara Rule

Strings

PHq, xrefs: 067C2BEA
PHq, xrefs: 067C2ED2
PHq, xrefs: 067C2DD7
PHq, xrefs: 067C2CF6
", xrefs: 067C3087
Hq, xrefs: 067C2869
PHq, xrefs: 067C2EE6
PHq, xrefs: 067C2BFE
PHq, xrefs: 067C2DEB
PHq, xrefs: 067C2CE2

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: "$Hq$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-2204202469
Opcode ID: 9299e148b6ab996d4fd855291ce51f707f7907a65f19d0e4f18e3a2f4ce6222a
Instruction ID: a3846857fd2876e99ec05ce956e94bc4008b96baf372ae624b65dd58f8a99c65
Opcode Fuzzy Hash: 9299e148b6ab996d4fd855291ce51f707f7907a65f19d0e4f18e3a2f4ce6222a
Instruction Fuzzy Hash: BD12D074E002188FDB68DF69D944B9DBBF2BF89310F2080A9D419AB365DB719E81CF50

Function 067C2807 Relevance: 12.9, Strings: 10, Instructions: 389COMMON

Download Yara Rule

Strings

PHq, xrefs: 067C2BEA
PHq, xrefs: 067C2ED2
PHq, xrefs: 067C2DD7
PHq, xrefs: 067C2CF6
", xrefs: 067C3087
Hq, xrefs: 067C2869
PHq, xrefs: 067C2EE6
PHq, xrefs: 067C2BFE
PHq, xrefs: 067C2DEB
PHq, xrefs: 067C2CE2

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: "$Hq$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-2204202469
Opcode ID: 61e99b3ce8b9d9e6c80ea2d2ec12e82a7c47056e27c7fb1003296387dc182e28
Instruction ID: 6d38c5ab523d184c153311ca4fa1b2c95aded6c7f73ca64ed8c8f86755f30c3c
Opcode Fuzzy Hash: 61e99b3ce8b9d9e6c80ea2d2ec12e82a7c47056e27c7fb1003296387dc182e28
Instruction Fuzzy Hash: 2412B074E002188FDB68DF69D944B9DBBF2BF89300F2081A9D419AB355DB715E81CF50

Function 067C28B0 Relevance: 11.7, Strings: 9, Instructions: 461COMMON

Download Yara Rule

Strings

PHq, xrefs: 067C2BEA
PHq, xrefs: 067C2ED2
PHq, xrefs: 067C2DD7
PHq, xrefs: 067C2CF6
", xrefs: 067C3087
PHq, xrefs: 067C2EE6
PHq, xrefs: 067C2BFE
PHq, xrefs: 067C2DEB
PHq, xrefs: 067C2CE2

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: "$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-4082700204
Opcode ID: 8a89822458d3a81f29b2178379bffa359554388c2e92a2d5fa0471044dddea7a
Instruction ID: 30c01d6328ca9b5fff4b2df391534ca5e40ceb4d077432f391afdf7e11c932e6
Opcode Fuzzy Hash: 8a89822458d3a81f29b2178379bffa359554388c2e92a2d5fa0471044dddea7a
Instruction Fuzzy Hash: 2E329074E00218CFDB68DF69C984B9DBBB2BF89310F1080A9D819AB355DB719E85CF54

Function 0114E528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9adc3632c6029370fd276f7ecf697686321c6b90f6208693c41059ebbe81be
Instruction ID: 48d9c6d94dc7f9b6212904b63a3575dc00df5ca2d6b404b531feda2873fea4b4
Opcode Fuzzy Hash: 8f9adc3632c6029370fd276f7ecf697686321c6b90f6208693c41059ebbe81be
Instruction Fuzzy Hash: AB528B74E012298FDB68DF69C984BDDBBB2BB89300F1085E9D409AB254DB359E81CF51

Function 067C5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3098682cec6c0194d50857f743c51f14f109743ba0e3edc28e318bddd31a5e3c
Instruction ID: e07d832c0fa4f9832480c715e07ac97ccd5dac1f87c1ebf91dc15bda9fee182f
Opcode Fuzzy Hash: 3098682cec6c0194d50857f743c51f14f109743ba0e3edc28e318bddd31a5e3c
Instruction Fuzzy Hash: 91C1B174E00218CFEB54DFA5D994B9DBBB2BF89304F2080A9D419AB359DB359E81CF50

Function 067C5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1592fdede010e8e035eae4a750ff462a56655f26915fba6f884e4360182d815d
Instruction ID: ae8428e98713b00672302594c5868d31640895a188ef9f242c746faba5f75ae0
Opcode Fuzzy Hash: 1592fdede010e8e035eae4a750ff462a56655f26915fba6f884e4360182d815d
Instruction Fuzzy Hash: B4C1A174E00218CFEB54DFA5D994B9DBBB2BF89304F2081A9D409AB359DB359E81CF50

Function 067C5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b7645f7da9f5095c98c590de5db0dcbabb204b44e0e3a4646f38f828d592dc
Instruction ID: f7124faebf58ea29e38197d10c7cf5556a2bb38985e20c00bb67192380e26d5f
Opcode Fuzzy Hash: 59b7645f7da9f5095c98c590de5db0dcbabb204b44e0e3a4646f38f828d592dc
Instruction Fuzzy Hash: 24C1A274E00218CFDB54DFA5D994B9DBBB2BF89304F2080A9D809AB359DB359E85CF50

Function 067C6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8cfa8eb5fe1715377210e0b23db63a8f7e99f3da77c163bf77bd79794bd160
Instruction ID: a6c2b2a5e002470ffc1c35d50e4b6b4a479f0f9e84f84cbbbf8e220cf33fb20b
Opcode Fuzzy Hash: 6e8cfa8eb5fe1715377210e0b23db63a8f7e99f3da77c163bf77bd79794bd160
Instruction Fuzzy Hash: C5C1A174E00218CFDB54DFA5D994B9DBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 067C6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb556c104316429b93ad8876a9041ca628092648be9da187d6cac4535bc33500
Instruction ID: febe8cc883fc539cc8596964baa09353f54449e2e81ac3be7050983113ac8454
Opcode Fuzzy Hash: eb556c104316429b93ad8876a9041ca628092648be9da187d6cac4535bc33500
Instruction Fuzzy Hash: B7C19174E00218CFDB54DFA5D994BADBBB2BF89304F2080A9D419AB359DB359E81CF50

Function 067C6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c7a9d52142be2f549f01785f05e5dce8df0f59eb140395f63ef187fd665952
Instruction ID: 9ba82464f228e18fc677e0079e23b250e177d30873f8f9ef303194e76faab995
Opcode Fuzzy Hash: d5c7a9d52142be2f549f01785f05e5dce8df0f59eb140395f63ef187fd665952
Instruction Fuzzy Hash: 94C1A174E00218CFDB54DFA5D994B9DBBB2BF89304F2080A9D409AB359DB359E81CF50

Function 067C7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f789ad6fe2b305b328cb300ab8e2a35cefb9d91b4fe2541869bfd7abdcf0da9
Instruction ID: 302edf9320596f88048e6157c1cef3bbc5eb4e12afa1e7b6465c892fd09934cb
Opcode Fuzzy Hash: 5f789ad6fe2b305b328cb300ab8e2a35cefb9d91b4fe2541869bfd7abdcf0da9
Instruction Fuzzy Hash: C4C19274E00218CFDB54DFA5D954B9DBBB2BF89304F2080A9D419AB359DB359E81CF50

Function 067C0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60ffc38468135c28206265d79414666b58f2684fc530003e97cff012cd48758
Instruction ID: e60a0294d10660bf2643f25babb3352300d5ae1ba39e496e70e765b08c776dab
Opcode Fuzzy Hash: d60ffc38468135c28206265d79414666b58f2684fc530003e97cff012cd48758
Instruction Fuzzy Hash: D5C1A074E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB359DB359E81CF50

Function 067C08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385b819f4f56f52206bcb2dc0c75ce67dae25ee6c36d014c970f06f8c2259dd9
Instruction ID: 97c81583706e4f38c2ea122c0c761e235c7e82cf085b7dcf133fa36b71931edc
Opcode Fuzzy Hash: 385b819f4f56f52206bcb2dc0c75ce67dae25ee6c36d014c970f06f8c2259dd9
Instruction Fuzzy Hash: 57C1B174E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB359DB359E81CF50

Function 067C74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52fa5a4464fdc57f07d569694dc4b6bd7cda192c5875f87c2b3b57c5c1d3d4
Instruction ID: 4fd4b54b86848db30f7da10cab656bcf55597a8e12382bafcab46273c6e1541d
Opcode Fuzzy Hash: de52fa5a4464fdc57f07d569694dc4b6bd7cda192c5875f87c2b3b57c5c1d3d4
Instruction Fuzzy Hash: 65C19074E00218CFDB54DFA5D954BADBBB2AF89304F2080A9D809AB359DB359E81CF50

Function 067C0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b3ac586141abb6f60be15db17ff6d42f331d76ddbf0b3534b5030266ffa02
Instruction ID: 2b9b43fe899aa5bf1645644c5f70f0a1b8269d2da296320356f79359243486f1
Opcode Fuzzy Hash: 1e7b3ac586141abb6f60be15db17ff6d42f331d76ddbf0b3534b5030266ffa02
Instruction Fuzzy Hash: B4C1B074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D809AB359DB359E81CF50

Function 067C7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cb21fb8457953d1852bf3a28dade25340df2c7412deb32bcd7ccdb1cedeb5e
Instruction ID: ec33faa051ece7cb24e8d684303109ef6f85526ed5053fbeb66c2203978fbb84
Opcode Fuzzy Hash: 96cb21fb8457953d1852bf3a28dade25340df2c7412deb32bcd7ccdb1cedeb5e
Instruction Fuzzy Hash: 4DC19074E00218CFDB54DFA5D994BADBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 067C0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a79a28da95782fc3ca4b4f2c07698c9f2c16227a719ca65c5d8115bfc65426
Instruction ID: 13d731ea90ee35f605e69cad38ded625d524175c5ba60848dcb53bd39aac492e
Opcode Fuzzy Hash: 69a79a28da95782fc3ca4b4f2c07698c9f2c16227a719ca65c5d8115bfc65426
Instruction Fuzzy Hash: 13C19074E00218CFDB54DFA5D954BADBBB2BF89304F2080A9D809AB359DB359E85CF50

Function 067C7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7596ea4d9f19ea4749700621cd5875186470f9515e3d1728633eb77682c0f3e3
Instruction ID: c33d8b56a484564ebfedd37d755d012f4a9e511d710e492aed6fe9f19c419586
Opcode Fuzzy Hash: 7596ea4d9f19ea4749700621cd5875186470f9515e3d1728633eb77682c0f3e3
Instruction Fuzzy Hash: 15C1A174E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB359DB359E81CF50

Function 067C81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3304c89335e639a66c2245b1e8222ac4634a5c9b9d69edb8574b4a7952645c83
Instruction ID: eb388db26ec660f8c217c9fd55e73363b0df8e470c5853974bdd3d9ec85a2f0d
Opcode Fuzzy Hash: 3304c89335e639a66c2245b1e8222ac4634a5c9b9d69edb8574b4a7952645c83
Instruction Fuzzy Hash: 53C1A174E00218CFDB54DFA5D954BADBBB2BF89304F2080A9D819AB359DB359E81CF50

Function 067C5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956d5b5bc639288275fc8a9ebde3d58bf183ca2802d7dad40f54dced2baeb574
Instruction ID: 702836cf84bb2c729727102e3bc172fc75e01f5c69987a33932c330009d0bf01
Opcode Fuzzy Hash: 956d5b5bc639288275fc8a9ebde3d58bf183ca2802d7dad40f54dced2baeb574
Instruction Fuzzy Hash: 14C19174E00218CFEB54DFA5D994B9DBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 0679FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed55971198d4bac0dcd656e92cb37bf31c8eac6109e7a653f905914f4d7aabb
Instruction ID: a58f38b57e6cabee3ab03147deb83c79a22efb0fed7e77e39a0ebd3f8fd570a5
Opcode Fuzzy Hash: 3ed55971198d4bac0dcd656e92cb37bf31c8eac6109e7a653f905914f4d7aabb
Instruction Fuzzy Hash: 4DC19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D809AB359DB359E81CF50

Function 0679C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a6e01d9fba2896e4958a3e2ad2d74937a2860e4e6b19b88cdf20da2b26f641
Instruction ID: b3d187b7f3bbc9844734c1979be6c4cae0439904e08c5e226a06faf20a2a4141
Opcode Fuzzy Hash: 48a6e01d9fba2896e4958a3e2ad2d74937a2860e4e6b19b88cdf20da2b26f641
Instruction Fuzzy Hash: 3BC18F74E00218CFDB54DFA5D994BADBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 0679F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dd100530182f8128fd1b8df6ffa818ad595fa3cbda356db712fc7d0c8b6e08
Instruction ID: 06f634d8efa6a55a5b0514cafebd76a9b8d61a7ce4f95ce70bb9524eac681189
Opcode Fuzzy Hash: e9dd100530182f8128fd1b8df6ffa818ad595fa3cbda356db712fc7d0c8b6e08
Instruction Fuzzy Hash: 17C19F74E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D819AB359DB359E81CF50

Function 0679CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce9c8655988b52e0e7746784a96b58f4133277ff6178e7ace63c50cafb777f0
Instruction ID: 681c46b55844b47b768f9a09187e348a84552ddc07dfe45cd7f0bc3d45546735
Opcode Fuzzy Hash: cce9c8655988b52e0e7746784a96b58f4133277ff6178e7ace63c50cafb777f0
Instruction Fuzzy Hash: 03C19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D409AB359DB359E81CF50

Function 0679CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ef4122ed917d8de2c49cc7c43515e62098dad4e0b740c2a44dfef09bc8b3d7
Instruction ID: 42a73a1b1b08f67acec98aecfdbbc675c4d79bcdd30eb41f1b53f092891dbc0f
Opcode Fuzzy Hash: d0ef4122ed917d8de2c49cc7c43515e62098dad4e0b740c2a44dfef09bc8b3d7
Instruction Fuzzy Hash: 53C19F74E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D809AB359DB359E81CF50

Function 0679D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd431e12ed774371962a3fec398bc4d6072db8dd216afe861a5821cb0140f0d
Instruction ID: 64dfff6f9960a91f440f781fd4960c3b15a4707442e951a387002024a2c5f43d
Opcode Fuzzy Hash: 5fd431e12ed774371962a3fec398bc4d6072db8dd216afe861a5821cb0140f0d
Instruction Fuzzy Hash: D9C19174E00218CFDB54DFA5D954B9DBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 0679D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4664b631ff0dadc658cc3a13b6e3dc9992e0bc62dcda084b9a769072d9fc373
Instruction ID: eb3e7b83879729d06ca194df98b24c58c917829802428f7b79e66427a463a106
Opcode Fuzzy Hash: c4664b631ff0dadc658cc3a13b6e3dc9992e0bc62dcda084b9a769072d9fc373
Instruction Fuzzy Hash: A6C19174E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D409AB359DB359E81CF50

Function 0679E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e302fbc33112da3b10c4c6ef0d41a71a3fc2101b64a03aa505afab536a807f63
Instruction ID: 930807df247f4e41763b602da2f29abdc757b6eedffc29ddd5647069de606dd6
Opcode Fuzzy Hash: e302fbc33112da3b10c4c6ef0d41a71a3fc2101b64a03aa505afab536a807f63
Instruction Fuzzy Hash: FAC19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D819AB359DB359E81CF50

Function 0679DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8827be526b8bdc8de3552bc757d20cb83c84ab6d3ea597cfbeea675a7c1489
Instruction ID: eed19b3cdd61ac1b6b55b7ff82befa2fd24371add396cde0c4fb4cff6bb59f18
Opcode Fuzzy Hash: 4c8827be526b8bdc8de3552bc757d20cb83c84ab6d3ea597cfbeea675a7c1489
Instruction Fuzzy Hash: E6C1A074E00218CFDB54DFA5D994BADBBF2AF89304F2080A9D419AB359DB359E81CF50

Function 0679B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140f0f2efefc17d49674fa952d3ba8f1f15e94c9ee000a80dce44279dff852e4
Instruction ID: 2b0237ce870837a2fdc24a5ef9e632370c8b7dd5d934c813639e76927e6bea1e
Opcode Fuzzy Hash: 140f0f2efefc17d49674fa952d3ba8f1f15e94c9ee000a80dce44279dff852e4
Instruction Fuzzy Hash: 5FC1A074E00218CFDB54DFA5D994BADBBF2AF89304F2080A9D409AB359DB359E85CF50

Function 0679E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e465bfb085f1118c41f7698ead5fcefef67ec3ec4ec8db7e172b280951ec92
Instruction ID: 22bd97ec1e74c5f1caf0bc3c9916e70b5f9a74a85482d1a977db49d61cc272b0
Opcode Fuzzy Hash: 15e465bfb085f1118c41f7698ead5fcefef67ec3ec4ec8db7e172b280951ec92
Instruction Fuzzy Hash: 64C19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D819AB359DB359E81CF50

Function 067904A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc8250fbab95f5212e298d6c429ecdb364f6b5779e6e2d11138e7df4f259cae
Instruction ID: e070de34382919b8c27af27bad7e679b96a535c774a4f647b785fe7f98fc4956
Opcode Fuzzy Hash: 8cc8250fbab95f5212e298d6c429ecdb364f6b5779e6e2d11138e7df4f259cae
Instruction Fuzzy Hash: 86C18F74E00318CFDB54DFA5D954BADBBB2BF89304F1081A9D809AB359DB359A81CF50

Function 06790D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6bff775d2458b19eadbaf00a872f0ff8c1d0edd2e1bed559e96051b4af49a1
Instruction ID: 0d0fe7579b0479a3278a4b2805af726d4d7169d3e206b4abd3d8a456e837724c
Opcode Fuzzy Hash: ed6bff775d2458b19eadbaf00a872f0ff8c1d0edd2e1bed559e96051b4af49a1
Instruction Fuzzy Hash: C8C19F74E00318CFDB54DFA5D954BADBBB2BF89304F2080A9D809AB359DB359A85CF50

Function 0679ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00faeb1211c038ffa77c76ad7756b3152b626d6d86c7e2aa6a14035dffef1856
Instruction ID: 4cd78fe83b516b5846dee1b17ab89335ead727bca478b71f06b730e3ec6d3870
Opcode Fuzzy Hash: 00faeb1211c038ffa77c76ad7756b3152b626d6d86c7e2aa6a14035dffef1856
Instruction Fuzzy Hash: 93C19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D409AB359DB359E85CF50

Function 0679B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bd9aeffe86c78c1dce731e87f19c17943372277a01218f95fb6dfcdf6ffb2b
Instruction ID: e68b0d17e6c052cd682d3cf84b8bc3669301989e857a4e944f6f87c108f7da50
Opcode Fuzzy Hash: 20bd9aeffe86c78c1dce731e87f19c17943372277a01218f95fb6dfcdf6ffb2b
Instruction Fuzzy Hash: A1C19174E00218CFDB54DFA5D994B9DBBF2AF89304F2080A9D409AB359DB359E85CF50

Function 0679E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e974152596de393a8bfb471ddb81037e452da3c25d065527d9c96ac34cf78f
Instruction ID: 24b76e20ad35e68c2869eb9ef702a0e556ee86c0d30d5a8ae00eb880d06a3fa1
Opcode Fuzzy Hash: 76e974152596de393a8bfb471ddb81037e452da3c25d065527d9c96ac34cf78f
Instruction Fuzzy Hash: DCC19F74E00218CFDB54DFA5D954BADBBF2AF89304F2081A9D809AB359DB359E81CF50

Function 06790900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49ff27e4c62848c685e50a6bcdce8f4f04e35ad222ee662dae3b79e23ff72e7
Instruction ID: ce21840bd287aabfe8582570c617997ba80f2aed18b6488e02429dc8280ad8ef
Opcode Fuzzy Hash: b49ff27e4c62848c685e50a6bcdce8f4f04e35ad222ee662dae3b79e23ff72e7
Instruction Fuzzy Hash: 21C19E74E00218CFDB54DFA5D954BADBBB2BF89304F2081A9D809AB359DB359E81CF50

Function 0679C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d3d29fbb5f847ff9cf24015598470efbd4aad45b54da19253d506baaec8bc2
Instruction ID: 02bbcade10f734ffcdd57e22efdb9abb84f43e111ae3a30ab5ead390a221a7f6
Opcode Fuzzy Hash: a0d3d29fbb5f847ff9cf24015598470efbd4aad45b54da19253d506baaec8bc2
Instruction Fuzzy Hash: 76C1A074E00218CFDB55DFA5D954BADBBF2AF89304F2080A9D809AB359DB359E81CF50

Function 0679F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6760debb712ec3a12f3596db1018893ca37f7414424da9a3aad7e2012379b550
Instruction ID: 53d11c338f1aa267cdc35afcd519aa6141c099aaa8e46f59e446622cc6247d55
Opcode Fuzzy Hash: 6760debb712ec3a12f3596db1018893ca37f7414424da9a3aad7e2012379b550
Instruction Fuzzy Hash: ACC19074E00218CFDB54DFA5D954BADBBF2AF89304F2080A9D809AB359DB359E85CF50

Function 0679BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694634274.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6790000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41985c3aaec63a3fb6800af5b60962435f219402289882c0b4f1f5af5c4ac5bd
Instruction ID: 8416d4f618adedf642b297a70eb1392b36369a920722f8f14516ce951c699d0a
Opcode Fuzzy Hash: 41985c3aaec63a3fb6800af5b60962435f219402289882c0b4f1f5af5c4ac5bd
Instruction Fuzzy Hash: B2C19074E00218CFDB54DFA5D994BADBBF2AF89304F2080A9D409AB359DB359E81CF50

Function 067C33B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b8dccd1a1c238776a1a8a40aef14e8f94227495435b4c2adadbdc660c1342b
Instruction ID: c039c2e998005484f502d5c4863e28e7f7182bab9f2146ff5ecaeccf14ff523b
Opcode Fuzzy Hash: 12b8dccd1a1c238776a1a8a40aef14e8f94227495435b4c2adadbdc660c1342b
Instruction Fuzzy Hash: A2B17378E00218CFDB54DFA9D994A9DBBB2FF89310F1081A9D819AB365DB31AD41CF50

Function 067C33AF Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79463cd35faca190a3febc1a1b1de51dd4e02b4c210c9d3451b8a6e8fc122b3
Instruction ID: 5c638dccdde4589d9a1f202e011049cb323076c208eb20e458af84fcbc8b1097
Opcode Fuzzy Hash: a79463cd35faca190a3febc1a1b1de51dd4e02b4c210c9d3451b8a6e8fc122b3
Instruction Fuzzy Hash: 07519274E006088FDB48DFAAD984A9DBBF2FF89310F14C169D818AB365DB349941CF50

Function 067C36CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3694886923.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67c0000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa9a1ee114565083473bbb14994f896f484b43fc73aca6112c832fb2d54da04
Instruction ID: 5c6cd917154415267abddd2fa1fa9535f118f16785ba6403964ea486e37503e5
Opcode Fuzzy Hash: cfa9a1ee114565083473bbb14994f896f484b43fc73aca6112c832fb2d54da04
Instruction Fuzzy Hash: E9D09234D0425DDBDF24EFA8E8407AEB3B2FF96324F0024AAC508B7240D7309E518A16

Function 01146088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 011460BA
\;q, xrefs: 01146094
\;q, xrefs: 011460C6
\;q, xrefs: 0114609E

Memory Dump Source

Source File: 00000002.00000002.3691056160.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1140000_MV GOLDEN SCHULTE DETAILS.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: d6ffbf002ee9bf003ef2bed5e875f159fd5f980423d0bc8fd198816a3ae7a607
Instruction ID: f70ac9301fcd488a6a0156a7fdad521b6d4ccc2274e55fd441aeda7092df9a79
Opcode Fuzzy Hash: d6ffbf002ee9bf003ef2bed5e875f159fd5f980423d0bc8fd198816a3ae7a607
Instruction Fuzzy Hash: 8C0171317001158F9B2C8A2DC45492A77F7AF9AA68719427AE502CF3B5DF71DC42C751

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MV GOLDEN SCHULTE DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
MV GOLDEN SCHULTE DETAILS.exe

Function 062A9680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 02D9D3C9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 02D9D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 02D9AD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 02D94248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02D9590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 02D9D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02D9D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 062A0563 Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Function 062A7A30 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Function 062A9C43 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Function 062A0588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Function 02D9AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre