Edit tour

Windows Analysis Report
b5JCISnBV1.exe

Overview

General Information

Sample name:	b5JCISnBV1.exe renamed because original name is a hash value
Original sample name:	fddda3fca32418809de1c3b11f02df63878154d67c89054938a413f6d8bd667a.exe
Analysis ID:	1587689
MD5:	e9002e32b4e6094a3ef6550fd5351141
SHA1:	3359aa914cf67c5638de17746adaed1a1b36f246
SHA256:	fddda3fca32418809de1c3b11f02df63878154d67c89054938a413f6d8bd667a
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

b5JCISnBV1.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\b5JCISnBV1.exe" MD5: E9002E32B4E6094A3EF6550FD5351141)

b5JCISnBV1.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\b5JCISnBV1.exe" MD5: E9002E32B4E6094A3EF6550FD5351141)

cmd.exe (PID: 8108 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8164 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14967:$a1: get_encryptedPassword 0x14c53:$a2: get_encryptedUsername 0x14773:$a3: get_timePasswordChanged 0x1486e:$a4: get_passwordField 0x1497d:$a5: set_encryptedPassword 0x16045:$a7: get_logins 0x15fa8:$a10: KeyLoggerEventArgs 0x15c13:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182d0:$x1: $%SMTPDV$ 0x18336:$x2: $#TheHashHere%& 0x1992f:$x3: %FTPDV$ 0x19a23:$x4: $%TelegramDv$ 0x15c13:$x5: KeyLoggerEventArgs 0x15fa8:$x5: KeyLoggerEventArgs 0x19953:$m2: Clipboard Logs ID 0x19b73:$m2: Screenshot Logs ID 0x19c83:$m2: keystroke Logs ID 0x19f5d:$m3: SnakePW 0x19b4b:$m4: \SnakeKeylogger\
00000002.00000002.2559235970.0000000005950000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf4177:$a1: get_encryptedPassword 0x114da7:$a1: get_encryptedPassword 0x1357c7:$a1: get_encryptedPassword 0xf4463:$a2: get_encryptedUsername 0x115093:$a2: get_encryptedUsername 0x135ab3:$a2: get_encryptedUsername 0xf3f83:$a3: get_timePasswordChanged 0x114bb3:$a3: get_timePasswordChanged 0x1355d3:$a3: get_timePasswordChanged 0xf407e:$a4: get_passwordField 0x114cae:$a4: get_passwordField 0x1356ce:$a4: get_passwordField 0xf418d:$a5: set_encryptedPassword 0x114dbd:$a5: set_encryptedPassword 0x1357dd:$a5: set_encryptedPassword 0xf5855:$a7: get_logins 0x116485:$a7: get_logins 0x136ea5:$a7: get_logins 0xf57b8:$a10: KeyLoggerEventArgs 0x1163e8:$a10: KeyLoggerEventArgs 0x136e08:$a10: KeyLoggerEventArgs
00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf7ae0:$x1: $%SMTPDV$ 0x118710:$x1: $%SMTPDV$ 0x139130:$x1: $%SMTPDV$ 0xf7b46:$x2: $#TheHashHere%& 0x118776:$x2: $#TheHashHere%& 0x139196:$x2: $#TheHashHere%& 0xf913f:$x3: %FTPDV$ 0x119d6f:$x3: %FTPDV$ 0x13a78f:$x3: %FTPDV$ 0xf9233:$x4: $%TelegramDv$ 0x119e63:$x4: $%TelegramDv$ 0x13a883:$x4: $%TelegramDv$ 0xf5423:$x5: KeyLoggerEventArgs 0xf57b8:$x5: KeyLoggerEventArgs 0x116053:$x5: KeyLoggerEventArgs 0x1163e8:$x5: KeyLoggerEventArgs 0x136a73:$x5: KeyLoggerEventArgs 0x136e08:$x5: KeyLoggerEventArgs 0xf9163:$m2: Clipboard Logs ID 0xf9383:$m2: Screenshot Logs ID 0xf9493:$m2: keystroke Logs ID
00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7728	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7728	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ca22:$a1: get_encryptedPassword 0x7cc6d:$a2: get_encryptedUsername 0x7c851:$a3: get_timePasswordChanged 0x7c933:$a4: get_passwordField 0x7ca38:$a5: set_encryptedPassword 0x7e94c:$a7: get_logins 0x7e8cd:$a10: KeyLoggerEventArgs 0x7e63b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: b5JCISnBV1.exe PID: 7728	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7e63b:$x5: KeyLoggerEventArgs 0x7e8cd:$x5: KeyLoggerEventArgs 0x7f35b:$x5: KeyLoggerEventArgs 0x7f6bc:$x5: KeyLoggerEventArgs 0x809cd:$m2: Clipboard Logs ID 0x80ac4:$m2: Screenshot Logs ID 0x80b1a:$m2: keystroke Logs ID 0x80c4f:$m3: SnakePW 0x80ab0:$m4: \SnakeKeylogger\
Process Memory Space: b5JCISnBV1.exe PID: 7796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7796	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: b5JCISnBV1.exe PID: 7796	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x109b0:$a1: get_encryptedPassword 0x10c92:$a2: get_encryptedUsername 0x107c6:$a3: get_timePasswordChanged 0x108c1:$a4: get_passwordField 0x109c6:$a5: set_encryptedPassword 0x12ee1:$a7: get_logins 0x12e44:$a10: KeyLoggerEventArgs 0x12aaf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: b5JCISnBV1.exe PID: 7796	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12aaf:$x5: KeyLoggerEventArgs 0x12e44:$x5: KeyLoggerEventArgs 0x13a1d:$x5: KeyLoggerEventArgs 0x13d7e:$x5: KeyLoggerEventArgs 0x1508f:$m2: Clipboard Logs ID 0x15186:$m2: Screenshot Logs ID 0x151dc:$m2: keystroke Logs ID 0x15311:$m3: SnakePW 0x15172:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.b5JCISnBV1.exe.4377f70.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
2.2.b5JCISnBV1.exe.5950000.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
4.2.b5JCISnBV1.exe.5d0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.b5JCISnBV1.exe.5d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.b5JCISnBV1.exe.5d0000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.b5JCISnBV1.exe.5d0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b67:$a1: get_encryptedPassword 0x14e53:$a2: get_encryptedUsername 0x14973:$a3: get_timePasswordChanged 0x14a6e:$a4: get_passwordField 0x14b7d:$a5: set_encryptedPassword 0x16245:$a7: get_logins 0x161a8:$a10: KeyLoggerEventArgs 0x15e13:$a11: KeyLoggerEventArgsEventHandler
4.2.b5JCISnBV1.exe.5d0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data
4.2.b5JCISnBV1.exe.5d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15777:$s1: UnHook 0x1577e:$s2: SetHook 0x15786:$s3: CallNextHook 0x15793:$s4: _hook
4.2.b5JCISnBV1.exe.5d0000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184d0:$x1: $%SMTPDV$ 0x18536:$x2: $#TheHashHere%& 0x19b2f:$x3: %FTPDV$ 0x19c23:$x4: $%TelegramDv$ 0x15e13:$x5: KeyLoggerEventArgs 0x161a8:$x5: KeyLoggerEventArgs 0x19b53:$m2: Clipboard Logs ID 0x19d73:$m2: Screenshot Logs ID 0x19e83:$m2: keystroke Logs ID 0x1a15d:$m3: SnakePW 0x19d4b:$m4: \SnakeKeylogger\
2.2.b5JCISnBV1.exe.5950000.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
2.2.b5JCISnBV1.exe.4408610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.b5JCISnBV1.exe.4408610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.b5JCISnBV1.exe.4408610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d67:$a1: get_encryptedPassword 0x13053:$a2: get_encryptedUsername 0x12b73:$a3: get_timePasswordChanged 0x12c6e:$a4: get_passwordField 0x12d7d:$a5: set_encryptedPassword 0x14445:$a7: get_logins 0x143a8:$a10: KeyLoggerEventArgs 0x14013:$a11: KeyLoggerEventArgsEventHandler
2.2.b5JCISnBV1.exe.4408610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a72d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1995f:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d92:$a4: \Orbitum\User Data\Default\Login Data 0x1add1:$a5: \Kometa\User Data\Default\Login Data
2.2.b5JCISnBV1.exe.4408610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13977:$s1: UnHook 0x1397e:$s2: SetHook 0x13986:$s3: CallNextHook 0x13993:$s4: _hook
2.2.b5JCISnBV1.exe.4408610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166d0:$x1: $%SMTPDV$ 0x16736:$x2: $#TheHashHere%& 0x17d2f:$x3: %FTPDV$ 0x17e23:$x4: $%TelegramDv$ 0x14013:$x5: KeyLoggerEventArgs 0x143a8:$x5: KeyLoggerEventArgs 0x17d53:$m2: Clipboard Logs ID 0x17f73:$m2: Screenshot Logs ID 0x18083:$m2: keystroke Logs ID 0x1835d:$m3: SnakePW 0x17f4b:$m4: \SnakeKeylogger\
2.2.b5JCISnBV1.exe.35728e0.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa57e4:$a1: WriteProcessMemory 0xa5870:$a1: WriteProcessMemory 0xa5944:$a4: VirtualAllocEx 0xa5b68:$a4: VirtualAllocEx 0xa5be8:$a4: VirtualAllocEx
2.2.b5JCISnBV1.exe.3575120.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2fa4:$a1: WriteProcessMemory 0xa3030:$a1: WriteProcessMemory 0xa3104:$a4: VirtualAllocEx 0xa3328:$a4: VirtualAllocEx 0xa33a8:$a4: VirtualAllocEx
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b67:$a1: get_encryptedPassword 0x35797:$a1: get_encryptedPassword 0x561b7:$a1: get_encryptedPassword 0x14e53:$a2: get_encryptedUsername 0x35a83:$a2: get_encryptedUsername 0x564a3:$a2: get_encryptedUsername 0x14973:$a3: get_timePasswordChanged 0x355a3:$a3: get_timePasswordChanged 0x55fc3:$a3: get_timePasswordChanged 0x14a6e:$a4: get_passwordField 0x3569e:$a4: get_passwordField 0x560be:$a4: get_passwordField 0x14b7d:$a5: set_encryptedPassword 0x357ad:$a5: set_encryptedPassword 0x561cd:$a5: set_encryptedPassword 0x16245:$a7: get_logins 0x36e75:$a7: get_logins 0x57895:$a7: get_logins 0x161a8:$a10: KeyLoggerEventArgs 0x36dd8:$a10: KeyLoggerEventArgs 0x577f8:$a10: KeyLoggerEventArgs
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d15d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db7d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c38f:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdaf:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data 0x3c7c2:$a4: \Orbitum\User Data\Default\Login Data 0x5d1e2:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data 0x3d801:$a5: \Kometa\User Data\Default\Login Data 0x5e221:$a5: \Kometa\User Data\Default\Login Data
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15777:$s1: UnHook 0x363a7:$s1: UnHook 0x56dc7:$s1: UnHook 0x1577e:$s2: SetHook 0x363ae:$s2: SetHook 0x56dce:$s2: SetHook 0x15786:$s3: CallNextHook 0x363b6:$s3: CallNextHook 0x56dd6:$s3: CallNextHook 0x15793:$s4: _hook 0x363c3:$s4: _hook 0x56de3:$s4: _hook
2.2.b5JCISnBV1.exe.4408610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184d0:$x1: $%SMTPDV$ 0x39100:$x1: $%SMTPDV$ 0x59b20:$x1: $%SMTPDV$ 0x18536:$x2: $#TheHashHere%& 0x39166:$x2: $#TheHashHere%& 0x59b86:$x2: $#TheHashHere%& 0x19b2f:$x3: %FTPDV$ 0x3a75f:$x3: %FTPDV$ 0x5b17f:$x3: %FTPDV$ 0x19c23:$x4: $%TelegramDv$ 0x3a853:$x4: $%TelegramDv$ 0x5b273:$x4: $%TelegramDv$ 0x15e13:$x5: KeyLoggerEventArgs 0x161a8:$x5: KeyLoggerEventArgs 0x36a43:$x5: KeyLoggerEventArgs 0x36dd8:$x5: KeyLoggerEventArgs 0x57463:$x5: KeyLoggerEventArgs 0x577f8:$x5: KeyLoggerEventArgs 0x19b53:$m2: Clipboard Logs ID 0x19d73:$m2: Screenshot Logs ID 0x19e83:$m2: keystroke Logs ID
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5207:$a1: get_encryptedPassword 0xc5e37:$a1: get_encryptedPassword 0xe6857:$a1: get_encryptedPassword 0xa54f3:$a2: get_encryptedUsername 0xc6123:$a2: get_encryptedUsername 0xe6b43:$a2: get_encryptedUsername 0xa5013:$a3: get_timePasswordChanged 0xc5c43:$a3: get_timePasswordChanged 0xe6663:$a3: get_timePasswordChanged 0xa510e:$a4: get_passwordField 0xc5d3e:$a4: get_passwordField 0xe675e:$a4: get_passwordField 0xa521d:$a5: set_encryptedPassword 0xc5e4d:$a5: set_encryptedPassword 0xe686d:$a5: set_encryptedPassword 0xa68e5:$a7: get_logins 0xc7515:$a7: get_logins 0xe7f35:$a7: get_logins 0xa6848:$a10: KeyLoggerEventArgs 0xc7478:$a10: KeyLoggerEventArgs 0xe7e98:$a10: KeyLoggerEventArgs
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5e17:$s1: UnHook 0xc6a47:$s1: UnHook 0xe7467:$s1: UnHook 0xa5e1e:$s2: SetHook 0xc6a4e:$s2: SetHook 0xe746e:$s2: SetHook 0xa5e26:$s3: CallNextHook 0xc6a56:$s3: CallNextHook 0xe7476:$s3: CallNextHook 0xa5e33:$s4: _hook 0xc6a63:$s4: _hook 0xe7483:$s4: _hook
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa8b70:$x1: $%SMTPDV$ 0xc97a0:$x1: $%SMTPDV$ 0xea1c0:$x1: $%SMTPDV$ 0xa8bd6:$x2: $#TheHashHere%& 0xc9806:$x2: $#TheHashHere%& 0xea226:$x2: $#TheHashHere%& 0xaa1cf:$x3: %FTPDV$ 0xcadff:$x3: %FTPDV$ 0xeb81f:$x3: %FTPDV$ 0xaa2c3:$x4: $%TelegramDv$ 0xcaef3:$x4: $%TelegramDv$ 0xeb913:$x4: $%TelegramDv$ 0xa64b3:$x5: KeyLoggerEventArgs 0xa6848:$x5: KeyLoggerEventArgs 0xc70e3:$x5: KeyLoggerEventArgs 0xc7478:$x5: KeyLoggerEventArgs 0xe7b03:$x5: KeyLoggerEventArgs 0xe7e98:$x5: KeyLoggerEventArgs 0xaa1f3:$m2: Clipboard Logs ID 0xaa413:$m2: Screenshot Logs ID 0xaa523:$m2: keystroke Logs ID
2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
Click to see the 27 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:56:44.872335+0100	2803305	3	Unknown Traffic	192.168.2.11	49718	104.21.16.1	443	TCP
2025-01-10T16:56:49.297911+0100	2803305	3	Unknown Traffic	192.168.2.11	49757	104.21.16.1	443	TCP
2025-01-10T16:56:52.222265+0100	2803305	3	Unknown Traffic	192.168.2.11	49777	104.21.16.1	443	TCP
2025-01-10T16:56:53.673912+0100	2803305	3	Unknown Traffic	192.168.2.11	49789	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:56:43.069401+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.8.169	80	TCP
2025-01-10T16:56:44.178793+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.8.169	80	TCP
2025-01-10T16:56:45.772529+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49725	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: b5JCISnBV1.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: b5JCISnBV1.exe	Virustotal: Detection: 74%			Perma Link
Source: b5JCISnBV1.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: b5JCISnBV1.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: b5JCISnBV1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49712 version: TLS 1.0

Source: b5JCISnBV1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: b5JCISnBV1.exe, 00000002.00000002.2559815082.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, b5JCISnBV1.exe, 00000002.00000002.2556884598.0000000003321000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49708 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49725 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49718 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49757 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49777 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49789 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002917000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002942000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.b5JCISnBV1.exe.4377f70.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.5950000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.5950000.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.35728e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.3575120.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2559235970.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 2_2_0145D304	2_2_0145D304
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7C190	4_2_00A7C190
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A76108	4_2_00A76108
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7B328	4_2_00A7B328
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7C470	4_2_00A7C470
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A76730	4_2_00A76730
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7C753	4_2_00A7C753
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A79858	4_2_00A79858
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A74AD9	4_2_00A74AD9
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7CA33	4_2_00A7CA33
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7BBD3	4_2_00A7BBD3
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7BEB0	4_2_00A7BEB0
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A7B4F3	4_2_00A7B4F3
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Code function: 4_2_00A73573	4_2_00A73573

Source: b5JCISnBV1.exe, 00000002.00000002.2559815082.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2556884598.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2556884598.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2555982528.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2559235970.0000000005950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000002.00000000.1291795466.0000000000D52000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe, 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs b5JCISnBV1.exe
Source: b5JCISnBV1.exe	Binary or memory string: OriginalFilenameFisa.exe* vs b5JCISnBV1.exe

Source: b5JCISnBV1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.b5JCISnBV1.exe.4377f70.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.b5JCISnBV1.exe.5950000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.b5JCISnBV1.exe.5950000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.b5JCISnBV1.exe.35728e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.b5JCISnBV1.exe.3575120.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2559235970.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b5JCISnBV1.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03

Source: b5JCISnBV1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: b5JCISnBV1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: b5JCISnBV1.exe	Virustotal: Detection: 74%
Source: b5JCISnBV1.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\b5JCISnBV1.exe "C:\Users\user\Desktop\b5JCISnBV1.exe"
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Users\user\Desktop\b5JCISnBV1.exe "C:\Users\user\Desktop\b5JCISnBV1.exe"
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Users\user\Desktop\b5JCISnBV1.exe "C:\Users\user\Desktop\b5JCISnBV1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: b5JCISnBV1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: b5JCISnBV1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: b5JCISnBV1.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: b5JCISnBV1.exe

Static PE information: section name: .text entropy: 7.052942170189629

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"			Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: 16E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599825	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599701	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597948	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597608	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596952	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596733	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596623	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596296	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594545	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Window / User API: threadDelayed 1379			Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Window / User API: threadDelayed 8470			Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 8004	Thread sleep count: 1379 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599825s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 8004	Thread sleep count: 8470 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -599046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597948s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe TID: 7996	Thread sleep time: -594545s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599825	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599701	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597948	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597608	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596952	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596733	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596623	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596296	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Thread delayed: delay time: 594545	Jump to behavior

Source: b5JCISnBV1.exe, 00000004.00000002.1434100189.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll W

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Users\user\Desktop\b5JCISnBV1.exe "C:\Users\user\Desktop\b5JCISnBV1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Users\user\Desktop\b5JCISnBV1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Users\user\Desktop\b5JCISnBV1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5JCISnBV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b5JCISnBV1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR

Source: Yara match	File source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.b5JCISnBV1.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4408610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.b5JCISnBV1.exe.4377f70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: b5JCISnBV1.exe PID: 7796, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b5JCISnBV1.exe	75%	Virustotal		Browse
b5JCISnBV1.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
b5JCISnBV1.exe	100%	Avira	HEUR/AGEN.1309847
b5JCISnBV1.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002917000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000296D000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002942000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029CA000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.0000000002A13000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	b5JCISnBV1.exe, 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, b5JCISnBV1.exe, 00000004.00000002.1434816718.000000000292A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587689
Start date and time:	2025-01-10 16:55:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b5JCISnBV1.exe renamed because original name is a hash value
Original Sample Name:	fddda3fca32418809de1c3b11f02df63878154d67c89054938a413f6d8bd667a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 65 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target b5JCISnBV1.exe, PID 7796 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:56:43	API Interceptor	90x Sleep call for process: b5JCISnBV1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
checkip.dyndns.com	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
UTMEMUS	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1

Process:	C:\Users\user\Desktop\b5JCISnBV1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.045831684819192
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	b5JCISnBV1.exe
File size:	826'368 bytes
MD5:	e9002e32b4e6094a3ef6550fd5351141
SHA1:	3359aa914cf67c5638de17746adaed1a1b36f246
SHA256:	fddda3fca32418809de1c3b11f02df63878154d67c89054938a413f6d8bd667a
SHA512:	1974654313429951a2255134dbcf3673a0f681a2b42c8fd85cef3695fba1a9f99b9fce4a107deea347bd2ba76ee90682d1b5665f14d8512196525cd147ee5794
SSDEEP:	24576:5MaSSKy2/SPNc3cMezC30i3ThYImbY/G:5RQJ3NCg0hxbY/
TLSH:	3F056B453A6045F8C53289F7A8E7813C6E74BD6162E2C46624CF2E8D7CC9F8046D76AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4cb0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb054	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc90b4	0xc9200	a4864dd604830d817d0190550ecdcd1d	False	0.43443010992852704	data	7.052942170189629	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x586	0x600	023f933e236ce25e662698bcb26c192d	False	0.4134114583333333	data	4.009208314844858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	727b93468c891e185699debc43ee745f	False	0.044921875	data	0.09409792566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0xcc39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:56:43.069401+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.8.169	80	TCP
2025-01-10T16:56:44.178793+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.8.169	80	TCP
2025-01-10T16:56:44.872335+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49718	104.21.16.1	443	TCP
2025-01-10T16:56:45.772529+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49725	132.226.8.169	80	TCP
2025-01-10T16:56:49.297911+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49757	104.21.16.1	443	TCP
2025-01-10T16:56:52.222265+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49777	104.21.16.1	443	TCP
2025-01-10T16:56:53.673912+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49789	104.21.16.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:56:41.887332916 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:41.892297983 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:41.892369986 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:41.892745972 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:41.897546053 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:42.737411022 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:42.741377115 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:42.746287107 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:43.023540020 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:43.069401026 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:43.092609882 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.092664003 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.092737913 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.099417925 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.099433899 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.591070890 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.591181040 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.622431040 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.622452974 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.622849941 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.663167953 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.698402882 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.739331007 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.823308945 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.823487997 CET	443	49712	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:43.823759079 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.829997063 CET	49712	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:43.843983889 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:43.848854065 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:44.137701035 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:44.178792953 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.190805912 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.190850973 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.190933943 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.191266060 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.191287994 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.713402033 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.716377020 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.716393948 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.872342110 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.872401953 CET	443	49718	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:44.872661114 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.875340939 CET	49718	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:44.876353025 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.877609015 CET	49725	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.881489038 CET	80	49708	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:44.881560087 CET	49708	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.882486105 CET	80	49725	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:44.882610083 CET	49725	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.882697105 CET	49725	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:44.887573004 CET	80	49725	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:45.721842051 CET	80	49725	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:45.723170996 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:45.723222017 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:45.723472118 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:45.723711014 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:45.723730087 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:45.772528887 CET	49725	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:46.179627895 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:46.183620930 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:46.183640957 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:46.349579096 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:46.349643946 CET	443	49731	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:46.349693060 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:46.350138903 CET	49731	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:46.354944944 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:46.359745026 CET	80	49738	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:46.359826088 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:46.359941006 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:46.364773989 CET	80	49738	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:47.189932108 CET	80	49738	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:47.193572998 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.193638086 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.196666002 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.196666002 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.196736097 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.241295099 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.679500103 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.681499004 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.681515932 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.835369110 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.835438967 CET	443	49744	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:47.835773945 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.835998058 CET	49744	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:47.840142965 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.841237068 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.845180035 CET	80	49738	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:47.845290899 CET	49738	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.846085072 CET	80	49750	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:47.847341061 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.847341061 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:47.852494001 CET	80	49750	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:48.684674025 CET	80	49750	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:48.686152935 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:48.686196089 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:48.686275959 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:48.686840057 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:48.686851025 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:48.725662947 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.150401115 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:49.152189016 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:49.152211905 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:49.297997952 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:49.298171997 CET	443	49757	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:49.298506021 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:49.299190044 CET	49757	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:49.307091951 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.307733059 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.312227011 CET	80	49750	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:49.312479973 CET	49750	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.312617064 CET	80	49759	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:49.312751055 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.312858105 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:49.317636013 CET	80	49759	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:50.149401903 CET	80	49759	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:50.150629997 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.150655985 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.150738955 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.150959969 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.150969982 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.194417953 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.611516953 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.613328934 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.613368034 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.757075071 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.757266998 CET	443	49769	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:50.757323980 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.757618904 CET	49769	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:50.761137962 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.762340069 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.766187906 CET	80	49759	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:50.766246080 CET	49759	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.767142057 CET	80	49771	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:50.767205954 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.767299891 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:50.772133112 CET	80	49771	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:51.593275070 CET	80	49771	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:51.594645977 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:51.594697952 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:51.594866037 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:51.595124006 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:51.595139027 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:51.647696972 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.046457052 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:52.048115969 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:52.048152924 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:52.222270966 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:52.222318888 CET	443	49777	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:52.222390890 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:52.223021984 CET	49777	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:52.226701975 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.227824926 CET	49782	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.231690884 CET	80	49771	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:52.231738091 CET	49771	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.232620001 CET	80	49782	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:52.232752085 CET	49782	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.232861996 CET	49782	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:52.237543106 CET	80	49782	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:53.049822092 CET	80	49782	132.226.8.169	192.168.2.11
Jan 10, 2025 16:56:53.051129103 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.051165104 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.051255941 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.051543951 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.051554918 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.100660086 CET	49782	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:53.523607969 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.525417089 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.525454998 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.673966885 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.674114943 CET	443	49789	104.21.16.1	192.168.2.11
Jan 10, 2025 16:56:53.674205065 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.674659967 CET	49789	443	192.168.2.11	104.21.16.1
Jan 10, 2025 16:56:53.887989998 CET	49782	80	192.168.2.11	132.226.8.169
Jan 10, 2025 16:56:53.888056040 CET	49725	80	192.168.2.11	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:56:41.871520996 CET	52945	53	192.168.2.11	1.1.1.1
Jan 10, 2025 16:56:41.878591061 CET	53	52945	1.1.1.1	192.168.2.11
Jan 10, 2025 16:56:43.084929943 CET	59593	53	192.168.2.11	1.1.1.1
Jan 10, 2025 16:56:43.091855049 CET	53	59593	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:56:41.871520996 CET	192.168.2.11	1.1.1.1	0x24ad	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.084929943 CET	192.168.2.11	1.1.1.1	0x922c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:41.878591061 CET	1.1.1.1	192.168.2.11	0x24ad	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:56:43.091855049 CET	1.1.1.1	192.168.2.11	0x922c	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49708	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:41.892745972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:42.737411022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:56:42.741377115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:56:43.023540020 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:56:43.843983889 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:56:44.137701035 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49725	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:44.882697105 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:56:45.721842051 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49738	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:46.359941006 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:47.189932108 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49750	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:47.847341061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:48.684674025 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49759	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:49.312858105 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:50.149401903 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49771	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:50.767299891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:51.593275070 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49782	132.226.8.169	80	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:56:52.232861996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:56:53.049822092 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49712	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:56:43 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839392 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkwd853IrGTOPPc61cHZDgGB7mv43NMLVuTkyOe9LGqqD9eMKoYxiiuDu7ShHdKcsY6TTSRVArcsOYLgpf7O%2BIhx2yZbTBZ3nv9h7I1lfKm2vyfZleRC%2BI0EVJkmgn3qBjohkO2W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddbd57dfe8ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3085&min_rtt=2482&rtt_var=2137&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=399616&cwnd=252&unsent_bytes=0&cid=0ea4c77cbac47c6d&ts=250&x=0"
2025-01-10 15:56:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49718	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:56:44 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839393 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pEIDQ0Fqu8X1Gs0Ul8emTWZkgPyLRUYGVQxmmuFMSjlgNS8YaqNEVTu0WQqjkiq72EC9MmO8mms%2FKN9FCllfR9CRrYT3il23Mt%2FBsV%2FDXMKoovsQq3b9o4Ry3YbrQJKp%2B%2F7eU3aK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddbdc09731899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1596&rtt_var=626&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1711606&cwnd=153&unsent_bytes=0&cid=1cb1913c2ab395f5&ts=167&x=0"
2025-01-10 15:56:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49731	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:56:46 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839395 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YRdT30lLckY1fKAmPjJUV4yuBt7TQ64EjpeqASKdAVQQ41pdapn2w%2BKuIs7bK%2FmXvfpbBPkjy2VP3bxWbEN%2FljRwvxKyIZeRyFtpKDENmIkgS4UGbCXog7Q%2FUxNsFE%2FM3DoiOUWm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddbe52d3a7293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1952&rtt_var=750&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1441263&cwnd=158&unsent_bytes=0&cid=bc6d77b2d707ea09&ts=148&x=0"
2025-01-10 15:56:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49744	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:56:47 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839396 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2BmTizOVJoQAeVKLr%2Fy%2FNsiqz5fBmnqyJuY6K7VvKztx3ldKwkzULcM%2BEeN5khtI9qYRrsmUoxxMw6CoWAT2eEruJLS3W8hP6sKqUBpePR2%2F8LHQn0qLLi16bZD%2BBxt%2FLeT5h%2Fmp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddbee9fa60fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1527&rtt_var=627&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1674311&cwnd=252&unsent_bytes=0&cid=5de0400040fb74ca&ts=169&x=0"
2025-01-10 15:56:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49757	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:56:49 UTC	856	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839398 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O6P06hCGvmohU57y7QLQ8EADVsFk5nBR%2BEVjmpkV%2BT8RP7OuIYqDmrJc0Y3KzqjGEnpkqj6glh4gJreSIjATLFXpkOuIXWYX5zaGT%2FKWuCh6WqduAeFEDkkH%2BIlRxwZ14LKT0g4w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddbf7cdfb1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=407309&cwnd=153&unsent_bytes=0&cid=bd2e1d5deca543b4&ts=156&x=0"
2025-01-10 15:56:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49769	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:56:50 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839399 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FGbY0MB8MXcB9JFB32TryTbeA%2F1CH35YuDuSFJTSn%2BoDiNr6qyR2oul4YHytESYYorUEqQzolrBdYrsvq%2FiNpFusCCXr9cGfwvkwPvQn%2FNBerPBVTfkpgqLz8VW%2BZRU%2Fs9v2hlUR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddc00dadb4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1634&rtt_var=619&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1756919&cwnd=221&unsent_bytes=0&cid=8505b063f89d42dd&ts=156&x=0"
2025-01-10 15:56:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49777	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:52 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:56:52 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839401 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asOKASlE84mFlArjzC%2FFCv7fwjDHQPHAu2SIo6NvdnWNqhzjyIfKDBa5%2FixjnaedTBvqKGQZX03ymF1Y8r6f7yTHQXTD70JcVS%2FKLtHBHaenPyQgyd925tBcrggdqOb0ai%2FCMDRd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddc09c80e4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1568&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1794714&cwnd=221&unsent_bytes=0&cid=8d6da90e13e46ae6&ts=163&x=0"
2025-01-10 15:56:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49789	104.21.16.1	443	7796	C:\Users\user\Desktop\b5JCISnBV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:53 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:56:53 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:56:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839402 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cO5O2BpGsE4c%2BUH0Ldu23yRerWkRQTXCQjNCYjLBADm1h2%2FOE9zkiDQn894sES1HyD1IUxTCX21sC1nMh4feVnjLHA%2Fly2qKDZxnVhjqn%2FBw83N5HxiWJlL2OrEMnw7JyImLnnTg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffddc130eec41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1737&rtt_var=674&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1598248&cwnd=192&unsent_bytes=0&cid=8fbad8ce55d58722&ts=163&x=0"
2025-01-10 15:56:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	2
Start time:	10:56:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\b5JCISnBV1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b5JCISnBV1.exe"
Imagebase:	0xd50000
File size:	826'368 bytes
MD5 hash:	E9002E32B4E6094A3EF6550FD5351141
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000002.00000002.2559235970.0000000005950000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2558290313.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:56:39
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\b5JCISnBV1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b5JCISnBV1.exe"
Imagebase:	0x340000
File size:	826'368 bytes
MD5 hash:	E9002E32B4E6094A3EF6550FD5351141
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1433336655.00000000005D2000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1434816718.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:56:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\b5JCISnBV1.exe"
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:56:52
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:56:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x240000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	6

Executed Functions

Function 0145D3C9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0145D456
GetCurrentThread.KERNEL32 ref: 0145D493
GetCurrentProcess.KERNEL32 ref: 0145D4D0
GetCurrentThreadId.KERNEL32 ref: 0145D529

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e9aed8eab4453296e0b166cc6e44dc37f4fa5b9d332e8c230a4b624491eb0f4e
Instruction ID: 71123162646e8a13185e5ea6dca7efcb59b2d849dc58f8cc1580beb2e643b229
Opcode Fuzzy Hash: e9aed8eab4453296e0b166cc6e44dc37f4fa5b9d332e8c230a4b624491eb0f4e
Instruction Fuzzy Hash: 985176B09002498FDB54CFA9D948BEEBFF1EF49314F24C06AE519A73A1D7346944CB61

Function 0145D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0145D456
GetCurrentThread.KERNEL32 ref: 0145D493
GetCurrentProcess.KERNEL32 ref: 0145D4D0
GetCurrentThreadId.KERNEL32 ref: 0145D529

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 31f018ab07aa05d39f7ac9a31822925d5505706526ae5d5fe40e56807a5733fe
Instruction ID: 16db2e947559fcb10a818d8a7ec47fa775af0ff85f2af6e6b98ba472d161cd29
Opcode Fuzzy Hash: 31f018ab07aa05d39f7ac9a31822925d5505706526ae5d5fe40e56807a5733fe
Instruction Fuzzy Hash: C35165B09002098FDB54CFAAD948BAEBFF1FF49314F24C46AE519A7361D7346984CB61

Function 0145AD48 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0145AF9E

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 222761f1d34c70cded8b3c3663a0ebd5470938f2270948fb956bf27536e8df46
Instruction ID: aa226d61e792bb0976a2d39e20a34764a16f19a80edae1554284e4b14867ee86
Opcode Fuzzy Hash: 222761f1d34c70cded8b3c3663a0ebd5470938f2270948fb956bf27536e8df46
Instruction Fuzzy Hash: 7B8157B0A00B058FD764DF29C55475ABBF1FF88314F108A2ED9469BB62D735E84ACB90

Function 0145590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014559C9

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bdbf140dddfa2a92915076aa96ae2d8eb7613d5cc6d7103e5556eb6a58953b04
Instruction ID: 0a081b8da8574e56e647db55cd4c0c103be0ffeda1a2e32c625c7ee2388f4e07
Opcode Fuzzy Hash: bdbf140dddfa2a92915076aa96ae2d8eb7613d5cc6d7103e5556eb6a58953b04
Instruction Fuzzy Hash: F741E0B0D00719CADB24DFA9C884A9EBBF5BF49304F20816AD508AB261DB75694ACF50

Function 01454248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014559C9

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 20c31cf0e03841683071e0eac7e5a5823aa5207a97fc77502721d0995002cfc1
Instruction ID: 80be1aaac04c5b865b6c72282c91188fdbef1b5410c54caff858e5892cfe93b5
Opcode Fuzzy Hash: 20c31cf0e03841683071e0eac7e5a5823aa5207a97fc77502721d0995002cfc1
Instruction Fuzzy Hash: 5341C2B0D00719CBDB24DFA9C884B9EBBF5FF49304F20816AD409AB265DB756949CF90

Function 0145D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145D6A7

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3e0c5a8da533a8f429c914cbdb6f8349c8c9f78adaf5548a739753af134ce29
Instruction ID: e1f6cd9389df41de11e2e1d53ddacf49c62fb9116a7f684335d5720d8de0af8e
Opcode Fuzzy Hash: c3e0c5a8da533a8f429c914cbdb6f8349c8c9f78adaf5548a739753af134ce29
Instruction Fuzzy Hash: 4A21E0B5900249DFDB10CFAAD984ADEBFF5EF48310F14841AE958A7310C378A941DF64

Function 0145D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145D6A7

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e15ab46c2f16c475fbf40034a1c40fa3abb2bd78a764300b6fb2864b6ae6079
Instruction ID: 3ae52b3b5097a0790bcc5209fc061c3c66e50cb615c51c25e82e3e286f988b3c
Opcode Fuzzy Hash: 7e15ab46c2f16c475fbf40034a1c40fa3abb2bd78a764300b6fb2864b6ae6079
Instruction Fuzzy Hash: 9E21E3B5900248DFDB10CF9AD984ADEBBF8EF48310F14841AE918A3310C374A940CF64

Function 0145AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0145AF9E

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: abfd1546f8b71fb1cdbcac7909edcf1bbc10402154ed528d401ef6bf11cbfa28
Instruction ID: 3d976ed66ae8e4569e05909afe38e02fda4008a958bf532ddc06bd4501c6dab6
Opcode Fuzzy Hash: abfd1546f8b71fb1cdbcac7909edcf1bbc10402154ed528d401ef6bf11cbfa28
Instruction Fuzzy Hash: 7B1110B6C006498FDB10CF9AC844ADEFBF4EF88324F20851AD919A7350C379A545CFA1

Function 013FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555311446.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af904a1f4cb90b90dd25eabeef56a492086f2161ed50f175bb302763021baba
Instruction ID: 2bb6d859b82d23a9b2473fc5b4c17cab8655795d4a1b14a985c88274d5180c4d
Opcode Fuzzy Hash: 6af904a1f4cb90b90dd25eabeef56a492086f2161ed50f175bb302763021baba
Instruction Fuzzy Hash: 822125B1504244DFDB06DF98D9C8B26BF65FB8832CF24C56DEA090B256C336D416CAA2

Function 0140D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555398603.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140d000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1741865c292ba8ac41b2e45da5915e8a3c2fa8436c9371afff3728476a4c91a
Instruction ID: 11e6061fee9230394e1b62d63e42b1e4e0f99c54cd5a974c9b73f98711148b7e
Opcode Fuzzy Hash: d1741865c292ba8ac41b2e45da5915e8a3c2fa8436c9371afff3728476a4c91a
Instruction Fuzzy Hash: A02128B1904200DFDB16DF98D980B16BB65EB84318F20C57ED90D4B3A6C33BD40BCA61

Function 0140D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555398603.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140d000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e286e65d117826484528c4cac85e4b5764302bad7b743ec026692e2db2194a4f
Instruction ID: 2057fa71181e39713137da7c237db08c12b5c4d1f053559dbfe40ffad71686dc
Opcode Fuzzy Hash: e286e65d117826484528c4cac85e4b5764302bad7b743ec026692e2db2194a4f
Instruction Fuzzy Hash: 1A21F6B5904344DFDB02DF99D9C0B2ABB65FB84324F24C57ED8494B396C33AD44ACAA1

Function 0140D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555398603.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140d000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10e23f80ba23d2d4ede199789aa8b9f08b122c7c2ba6052f49afb703d5a52e2
Instruction ID: 1b38a12a957ef4ae3c0d809bc7e53601f46ac35063a768d6262c082f31eb16ef
Opcode Fuzzy Hash: b10e23f80ba23d2d4ede199789aa8b9f08b122c7c2ba6052f49afb703d5a52e2
Instruction Fuzzy Hash: C92180755093808FDB03CF64D994716BF71EB46214F28C5EBD8498B6A7C33A980ACB62

Function 013FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555311446.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: f370570fc9793215e8e2ec7477d0fce2d21371624750f367d060af86a2fedb18
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 8711E176404280CFCB02CF54D5C8B16BF71FB84328F24C6ADD9090B256C33AD45ACBA2

Function 0140D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555398603.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140d000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction ID: 3a114ef64c92839a0ad64034baffa0b37359caa0e714443f646129a324090afc
Opcode Fuzzy Hash: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction Fuzzy Hash: 6711B276904280CFDB12CF54D5C4B1AFF61FB84324F24C6AAD8494B796C33AD40ACB91

Non-executed Functions

Function 0145D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2555665390.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1450000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c83bd0b11f0e0fed116073b8fdb111f6c60b3797639413dc10ee6bdb8778ee3
Instruction ID: e07119cb301c5f83a0edd5e919b4c2767d22d750023a09ba909e1489839bc8fa
Opcode Fuzzy Hash: 3c83bd0b11f0e0fed116073b8fdb111f6c60b3797639413dc10ee6bdb8778ee3
Instruction Fuzzy Hash: 14A18136E00209CFCF55DFB5C84459EBBB2FF95300B1545AAED05AB266DB31E90ACB40

Analysis Process: b5JCISnBV1.exePID: 7796, Parent PID: 7728COMMON

Executed Functions

Function 00A7C470 Relevance: 9.0, Strings: 7, Instructions: 236COMMON

Download Yara Rule

Strings

LjBp, xrefs: 00A7C64F
PHeq, xrefs: 00A7C6C7
0oBp, xrefs: 00A7C4E2
PHeq, xrefs: 00A7C3F8
PHeq, xrefs: 00A7C3E7
LjBp, xrefs: 00A7C665
PHeq, xrefs: 00A7C6D8

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq$PHeq$PHeq
API String ID: 0-6260628
Opcode ID: a16d71500de1d415fd515284e9949fcce7f668951ca86fb26b8bca2b1d375674
Instruction ID: c3dad82da7af366149ebe9e10d165daac65079bdf805cf92069e0d702fe6e053
Opcode Fuzzy Hash: a16d71500de1d415fd515284e9949fcce7f668951ca86fb26b8bca2b1d375674
Instruction Fuzzy Hash: C3A1D374E00218DFDB14DFA9D994AADBBF2BF89310F24D069E819AB265DB349941CF10

Function 00A76730 Relevance: 6.7, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

,iq, xrefs: 00A769F2
,iq, xrefs: 00A76A00
(oeq, xrefs: 00A76CA5
(oeq, xrefs: 00A7697A
(oeq, xrefs: 00A76988

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$(oeq$,iq$,iq
API String ID: 0-1557207691
Opcode ID: 0861e6888a195656502fcdcc5d5f301b86b6c461de8f29046118e9ba916d93b4
Instruction ID: 53115f059bb7beb214e302fefad254e99abb915559ff830f4b826897ff4a0a66
Opcode Fuzzy Hash: 0861e6888a195656502fcdcc5d5f301b86b6c461de8f29046118e9ba916d93b4
Instruction Fuzzy Hash: 5D121871A006199FCB15CFA9CD84BAEBBB2FF89344F15C06AE449AB2A1D730DD41CB51

Function 00A7B328 Relevance: 6.6, Strings: 5, Instructions: 357COMMON

Download Yara Rule

Strings

PHeq, xrefs: 00A7B747
LjBp, xrefs: 00A7B6CF
PHeq, xrefs: 00A7B758
LjBp, xrefs: 00A7B6E5
0oBp, xrefs: 00A7B562

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: f0e7fbf9797ea5e783d68daa4c1c2c2cfc61ff559ecea7c0a68eefef8b0e4872
Instruction ID: 9a713235e1539f54990eaf3bc10c94ff6dbcbe2ca1fbab5e090c024b91e00e8a
Opcode Fuzzy Hash: f0e7fbf9797ea5e783d68daa4c1c2c2cfc61ff559ecea7c0a68eefef8b0e4872
Instruction Fuzzy Hash: 20E109B5A10658CFDB14CFA9C994A9DBBB1FF49310F15C0A9E819AB362D730AD41CF60

Function 00A7C753 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

LjBp, xrefs: 00A7C92F
PHeq, xrefs: 00A7C9B8
LjBp, xrefs: 00A7C945
0oBp, xrefs: 00A7C7C2
PHeq, xrefs: 00A7C9A7

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: 2a70764e43bf80b6ab739251f05c6325f2f9b31dc1c70cc3e2b6135fa7646e33
Instruction ID: a84e93edfceea74891ace23ef3e104d5bc9e8d01991454534936b7af0d1d2446
Opcode Fuzzy Hash: 2a70764e43bf80b6ab739251f05c6325f2f9b31dc1c70cc3e2b6135fa7646e33
Instruction Fuzzy Hash: B781D474E00218DFDB54DFAAD994A9DBBF2BF88310F24D069E809AB365DB349941CF10

Function 00A74AD9 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PHeq, xrefs: 00A74D41
PHeq, xrefs: 00A74D30
0oBp, xrefs: 00A74B4A
LjBp, xrefs: 00A74CCE
LjBp, xrefs: 00A74CB8

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: c309b60046989b4bc3ea4bc422f7f1f638b4626b2b41f03c16736836417e5267
Instruction ID: 6b0220fd51539dbfbb9f4915f107627cd3ff60c4486a9b5299975bc1e9d6e460
Opcode Fuzzy Hash: c309b60046989b4bc3ea4bc422f7f1f638b4626b2b41f03c16736836417e5267
Instruction Fuzzy Hash: 44819374E01618DFDB54DFA9D984A9DBBF2BF88300F24D069E819AB365DB349981CF10

Function 00A7BBD3 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjBp, xrefs: 00A7BDAF
0oBp, xrefs: 00A7BC42
PHeq, xrefs: 00A7BE38
LjBp, xrefs: 00A7BDC5
PHeq, xrefs: 00A7BE27

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: 45cacb4ed5687eae2c63a26d2604d13568c2a06ae59014a5f2f49c5a75549378
Instruction ID: 985f8c1e823090af5da9c0e984c97745281a1273d324eaaeb0e8d7daaebbce14
Opcode Fuzzy Hash: 45cacb4ed5687eae2c63a26d2604d13568c2a06ae59014a5f2f49c5a75549378
Instruction Fuzzy Hash: B581A3B4E00218DFDB54DFAAD994A9DBBF2BF89300F24C169E819AB365DB345941CF10

Function 00A7BEB0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjBp, xrefs: 00A7C0A5
PHeq, xrefs: 00A7C118
0oBp, xrefs: 00A7BF22
PHeq, xrefs: 00A7C107
LjBp, xrefs: 00A7C08F

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: 606cf39eaf67e154a8f6a8cb288decae2a684ba333b1b84b5ceb44bcef5b2a60
Instruction ID: 5d0f941190cb5563380f0753ddf96f48ac19b8bd31ea8958ccf1d45f7f4c8041
Opcode Fuzzy Hash: 606cf39eaf67e154a8f6a8cb288decae2a684ba333b1b84b5ceb44bcef5b2a60
Instruction Fuzzy Hash: 8F81C674E00218DFDB14DFA9D994A9DBBF2BF89310F14C069E819AB365DB349982CF50

Function 00A7C190 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oBp, xrefs: 00A7C202
LjBp, xrefs: 00A7C36F
PHeq, xrefs: 00A7C3F8
PHeq, xrefs: 00A7C3E7
LjBp, xrefs: 00A7C385

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: daba1454e59b43d29d91b5d8e6c224a742e7f3d7c15bbd3e6568398d87bd70bc
Instruction ID: e25e057b75d2f1f7645c0074e8156edc80a7d5d6ef68652db0940edeeb57fdf6
Opcode Fuzzy Hash: daba1454e59b43d29d91b5d8e6c224a742e7f3d7c15bbd3e6568398d87bd70bc
Instruction Fuzzy Hash: 2181B274E00218DFDB54DFAAD984A9DBBF2BF88310F14C069E819AB265DB349981CF50

Function 00A7CA33 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

LjBp, xrefs: 00A7CC0F
LjBp, xrefs: 00A7CC25
PHeq, xrefs: 00A7CC98
PHeq, xrefs: 00A7CC87
0oBp, xrefs: 00A7CAA2

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$LjBp$LjBp$PHeq$PHeq
API String ID: 0-3540050204
Opcode ID: eb734d7a86f43c75d8b02c50c4f5db7f095034905ec5cf29170d0ef60c1ddf65
Instruction ID: a9798023a6cbb94b6f289222759a3f3c9190dea275dfe3fcedcdb23cdaa66049
Opcode Fuzzy Hash: eb734d7a86f43c75d8b02c50c4f5db7f095034905ec5cf29170d0ef60c1ddf65
Instruction Fuzzy Hash: C381A374E00218DFDB14DFAAD994A9DBBF2BF88310F24D069E819AB365DB349941CF10

Function 00A7B4F3 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PHeq, xrefs: 00A7B747
PHeq, xrefs: 00A7B758
0oBp, xrefs: 00A7B562

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 0oBp$PHeq$PHeq
API String ID: 0-414534512
Opcode ID: 95f71077b0954e41287c952050f250741453c6a88a8fd8606e10834b56733db0
Instruction ID: f5b77d4201f20abc0b70a7efc712ad8036ecd9b5ec9b3c326e7106c4c1db2cf5
Opcode Fuzzy Hash: 95f71077b0954e41287c952050f250741453c6a88a8fd8606e10834b56733db0
Instruction Fuzzy Hash: C661B3B4E00648DFDB18DFAAD954A9EBBF2BF89300F14D069E419AB365DB345941CF10

Function 00A79858 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

(oeq, xrefs: 00A79C78
4'eq, xrefs: 00A7A273

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: (oeq$4'eq
API String ID: 0-2258195259
Opcode ID: 63c9502c98ece84e4152560e94c633db96e45a70c67f080753ea5892ad2be7a6
Instruction ID: de7d75a433d58205d0d4581c579751c69f24d6e2de631d74516c21236a3c228f
Opcode Fuzzy Hash: 63c9502c98ece84e4152560e94c633db96e45a70c67f080753ea5892ad2be7a6
Instruction Fuzzy Hash: 46723D75A00609DFDB15CF68CD84AAEBBB2FF98310F15C55AE8099B2A1D730ED81CB51

Function 00A76108 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

Hiq, xrefs: 00A7650E
(oeq, xrefs: 00A76642

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: (oeq$Hiq
API String ID: 0-1760408109
Opcode ID: 0f6f59ac2d39001cf9d8b647879506a8584108cf0d3778415d275d815dae48cc
Instruction ID: 81d56d8ecf7b9cc96375158613c96e515210fddcf4d1646914a3069c4279d2d4
Opcode Fuzzy Hash: 0f6f59ac2d39001cf9d8b647879506a8584108cf0d3778415d275d815dae48cc
Instruction Fuzzy Hash: E7128C71A006189FDB14DFA9C954BAEBBF6BF88300F20C569E4099B391DB349D81CB90

Function 00A73573 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

$eq, xrefs: 00A73596
Xiq, xrefs: 00A735AF

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: Xiq$$eq
API String ID: 0-3760103188
Opcode ID: 1daa258e3eee6a5bbc0a912a0f7314625b72fe8cfacec63975ede4a1610f1a6a
Instruction ID: 4f9e2cdf81d805aa94c693cd6bd8c804def0966d38873d56ba06b4d876e1dd2e
Opcode Fuzzy Hash: 1daa258e3eee6a5bbc0a912a0f7314625b72fe8cfacec63975ede4a1610f1a6a
Instruction Fuzzy Hash: 2FF16D75E012589FCF08DFB8DD549AEBBB2BF88300B15C5AAE40AA7354DF349902DB51

Function 00A76E58 Relevance: 10.5, Strings: 8, Instructions: 474COMMON

Download Yara Rule

Strings

,iq, xrefs: 00A772F8
(oeq, xrefs: 00A7701A
(oeq, xrefs: 00A76F51
,iq, xrefs: 00A77308
(oeq, xrefs: 00A76F7D
(oeq, xrefs: 00A77367
(oeq, xrefs: 00A76E96
(oeq, xrefs: 00A77377

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$(oeq$(oeq$(oeq$(oeq$,iq$,iq
API String ID: 0-4181857939
Opcode ID: 8f3bd4f1a93e2dcaec67692a2e1a172d7f44a83c05e8d445bb58b57b6e89a75d
Instruction ID: 2a19dbacabffce6e3e2bc133b50b467f89aad14c133ab0ccf6f2b76cb7ce5b20
Opcode Fuzzy Hash: 8f3bd4f1a93e2dcaec67692a2e1a172d7f44a83c05e8d445bb58b57b6e89a75d
Instruction Fuzzy Hash: 69124A31A046498FCB15CF69D984AAEBBF2FF48314F15C599E819DB2A2D730ED41CB90

Function 00A787E9 Relevance: 4.2, Strings: 3, Instructions: 500COMMON

Download Yara Rule

Strings

4'eq, xrefs: 00A78837
4'eq, xrefs: 00A78811
;eq, xrefs: 00A78C2C

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$;eq
API String ID: 0-1536740294
Opcode ID: c327511a4847919814f2023c797f1639039cc5069c4d297eb4ed5e10fcd0c82e
Instruction ID: 424d8fd29644d0ae0ce33094a99a72a40813a190004c411583ba7f7eb66f444a
Opcode Fuzzy Hash: c327511a4847919814f2023c797f1639039cc5069c4d297eb4ed5e10fcd0c82e
Instruction Fuzzy Hash: FAF172713941018FDB259B29CD5C73E36A6AF95740F25C0AAE50ACF3B2EE2DCC419752

Function 00A777F0 Relevance: 3.2, Strings: 2, Instructions: 702COMMON

Download Yara Rule

Strings

$eq, xrefs: 00A78337
$eq, xrefs: 00A78314

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 1bc8668d905dc7e6a468e68841d5e2889cc50de62c7e0fa9126549df5dd3d2a9
Instruction ID: 430f7180af0bec5973e170f09536815bb8044d4e3b308f54f73849656a0b3098
Opcode Fuzzy Hash: 1bc8668d905dc7e6a468e68841d5e2889cc50de62c7e0fa9126549df5dd3d2a9
Instruction Fuzzy Hash: 3F524178A00658CFEB559BA4C860BEEBB73EF84300F1081A9D10A6B795DF385E85DF51

Function 00A756A8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

Hiq, xrefs: 00A75793
Hiq, xrefs: 00A757C6

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: Hiq$Hiq
API String ID: 0-2624443307
Opcode ID: 491e733bbd6365b9bf094a2c7b6e13c4a19bd160ec3a726ec05ad5804a941a3a
Instruction ID: 507e1c17c2e64289755fffd5552a1546b560e637bd4ee7d520f0371687ad73e8
Opcode Fuzzy Hash: 491e733bbd6365b9bf094a2c7b6e13c4a19bd160ec3a726ec05ad5804a941a3a
Instruction Fuzzy Hash: 86B1CF71B046548FCB159F78CC58B2A7BE2AF89350F14C96AE40ACB2A1DFB4DC42D791

Function 00A75C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,iq, xrefs: 00A75CE8
,iq, xrefs: 00A75CDE

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: ,iq$,iq
API String ID: 0-3242339887
Opcode ID: b9df4b4a21ccf72bd34fd83e01a5ae4565e94a59b280e2e63b1baeb73b15f711
Instruction ID: ce9d7893958cc3a9c3ef24f7e7c1371cb20793022adc26914fabd6ebcd3654ab
Opcode Fuzzy Hash: b9df4b4a21ccf72bd34fd83e01a5ae4565e94a59b280e2e63b1baeb73b15f711
Instruction Fuzzy Hash: FA816C75E00A058FDB14CF79CC88A6AB7B2BF89301B29C169D40ADB365DB71ED41CB91

Function 00A73428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xiq, xrefs: 00A73435
Xiq, xrefs: 00A7345E

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: Xiq$Xiq
API String ID: 0-733771754
Opcode ID: a401f2cd6bbd50a75bb83bf540fb1a949fbb5481049814633ed43528ecba748b
Instruction ID: 2890fc857e566c73ac1f9b16ddab1c3c033dd2b034a1f006b35205297e096378
Opcode Fuzzy Hash: a401f2cd6bbd50a75bb83bf540fb1a949fbb5481049814633ed43528ecba748b
Instruction Fuzzy Hash: B431D577B003248BDF1D9BAA4D9427F66AAABC4311F25C439D80EC3390DFB4CE41A661

Function 00A70C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LReq, xrefs: 00A70E5E

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: 467468666fb8092a78175cc88e41abefc183010eefc2d93c86264c9e94cdf550
Instruction ID: cee18ede00cd34038f56824ceecb2cddcf134857e190efdd6c71cf8d81cb12e0
Opcode Fuzzy Hash: 467468666fb8092a78175cc88e41abefc183010eefc2d93c86264c9e94cdf550
Instruction Fuzzy Hash: 1322D574A0061ACFCB55EF64E994A9DBBB2FF88301F1096EAD409A7365DB305D86CF40

Function 00A70CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LReq, xrefs: 00A70E5E

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: f4468aa97ac431b06be361a9b8eaed3e9f308a671dd870685f16ea78addecf98
Instruction ID: ae98199029f4df4915dab6fcb6c3d6aaf65a55ea671ec77476fab9a1c3c4ecba
Opcode Fuzzy Hash: f4468aa97ac431b06be361a9b8eaed3e9f308a671dd870685f16ea78addecf98
Instruction Fuzzy Hash: 0A22D674A0061ACFCB55EF64ED94A9DBBB2FF88301F1095AAD409A7365DB306D86CF40

Function 00A7A650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(oeq, xrefs: 00A7A7D9

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: (oeq
API String ID: 0-952175256
Opcode ID: ec25e52fc4938a26de962a413f55c64af962c480a07de7c52d099009dfae6a1c
Instruction ID: c8110e4a7ea77a2c1ff7ca4a796f11912b6c96b135afe34a84fe7765a8299309
Opcode Fuzzy Hash: ec25e52fc4938a26de962a413f55c64af962c480a07de7c52d099009dfae6a1c
Instruction Fuzzy Hash: 3241C236700644AFCB199B69DD146AF7BB6ABD8310F28806AE50AD73A1DE309D02C791

Function 00A7A818 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cd7846a692a9a70f8fdbd804d60cf8aa868367079ce76206e60f8496b07d64
Instruction ID: 637488dd4bb5823673655183fc42d499acd941263ffee5778f4c04707004b724
Opcode Fuzzy Hash: 01cd7846a692a9a70f8fdbd804d60cf8aa868367079ce76206e60f8496b07d64
Instruction Fuzzy Hash: 55F1F875A00515AFCB05CFA9C984AADBBF2FFD8310B1AC059E519AB361CB35EC81CB51

Function 00A77438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80967cfed5e5fe8d6a1889b79a4f963cf9b38e9aa926153d7ebd9eb265a8c468
Instruction ID: b55e25e7685ad5c480710e6c46873761d673decc7d7b55f8234aff407f743911
Opcode Fuzzy Hash: 80967cfed5e5fe8d6a1889b79a4f963cf9b38e9aa926153d7ebd9eb265a8c468
Instruction Fuzzy Hash: DF71F8347046458FCB15DF69C898AAE7BEAAF49700F1580A9E90ACB3B1DB74DC41CB91

Function 00A7CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef0f41d1334e95e005b97e901cf3bc9766209b75eeba343427616eec7b70f65
Instruction ID: 7024edcb9252b7dcad849801e2e3a3f723177c054a4a93db26c74f4fabc87032
Opcode Fuzzy Hash: 4ef0f41d1334e95e005b97e901cf3bc9766209b75eeba343427616eec7b70f65
Instruction Fuzzy Hash: 1D51C4346217439FC314ABB8EAAC17BBBA5FB4F3177416D16E10E8A025CF705487DA51

Function 00A7CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f32bc397643ee34037920b83dcb7b541ec9291497bd08007ae35abc1f1e0f3
Instruction ID: 676eeca0b8698da9aec6351e6ed157caf175c72cff059691ad99f4c71d229070
Opcode Fuzzy Hash: 71f32bc397643ee34037920b83dcb7b541ec9291497bd08007ae35abc1f1e0f3
Instruction Fuzzy Hash: 4851AF346217079FC614ABB8AAAC17BBBA5FB4F3277416D16A10E89025CF705487DE22

Function 00A7CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26f42da7c0bf74164a2d8f9327d55237f4256a95989dd50429fe69e6574853f
Instruction ID: 1124c8205a82a1652957fefe443f55459123dba1a85547f55672400a44d00857
Opcode Fuzzy Hash: a26f42da7c0bf74164a2d8f9327d55237f4256a95989dd50429fe69e6574853f
Instruction Fuzzy Hash: 76519274E01208DFDB54DFA9D9849DDBBF2BF89310F24816AE819AB365DB30A905CF50

Function 00A73908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf894856209ea1d0eea26477a1c7acb0d9a2c91cc2df1022cc0ba99336d3842
Instruction ID: 32d546b8c3931e228aa596b5ec7b48d03a8468fa3e9856c45f0eb00e1e61d156
Opcode Fuzzy Hash: 0bf894856209ea1d0eea26477a1c7acb0d9a2c91cc2df1022cc0ba99336d3842
Instruction Fuzzy Hash: F951A775E01608CFCB48DFA9D99499DBBF2FF89300B209469E809AB364DB319D45CF50

Function 00A79A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3154d956dbedfaf57136d039d35546b47f793c4e558d4dd3c4cce2fb6ba6218
Instruction ID: 9d0501c7d4e1c193d194844cd994d01a755331ce2163bbbc20e263f1998685d5
Opcode Fuzzy Hash: f3154d956dbedfaf57136d039d35546b47f793c4e558d4dd3c4cce2fb6ba6218
Instruction Fuzzy Hash: AD416D31A04249DFCF12CFA8DC44A9EBBB2AF99350F14C157E819AB2A1D334D955DBA0

Function 00A74DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e247b896d85db15feade83716da50fb04199fd0d899bdacea1f01816162d2153
Instruction ID: 94383410da01e5b6cefad6cd23044d318e6b4b1b6d155d60aaa9aad5c4a054b8
Opcode Fuzzy Hash: e247b896d85db15feade83716da50fb04199fd0d899bdacea1f01816162d2153
Instruction Fuzzy Hash: C5313C71704109AFCF059FA4D854AAE3BA6FB8C315F108469F91A8B251CF35CD62DBE1

Function 00A776D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734d8a3f13e12906e8029488466377bf4262cfe03d167ff61971ecd5f00e266b
Instruction ID: efc67a6eb950c58410538dd58008c298bee98a7bf57457326d014fa6ef7fb011
Opcode Fuzzy Hash: 734d8a3f13e12906e8029488466377bf4262cfe03d167ff61971ecd5f00e266b
Instruction Fuzzy Hash: 57210A3530C2014BEB1A97399D94A3E36A79FD8719718C079D50ACF7A5EE25CC42D391

Function 00A7A809 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdca00868bd9461415b763237114254d5e64eaabc70af43dd0f412d9788d299
Instruction ID: ccd1f2ecd05d1bfd9c25af400358b3613f3a8628462a7d7bc78dd12d972d3475
Opcode Fuzzy Hash: 5bdca00868bd9461415b763237114254d5e64eaabc70af43dd0f412d9788d299
Instruction Fuzzy Hash: 80317071B005099FCB04CF69CD849AFBBB2BFD4310B16C15AE5599B3A5CB309D52CB92

Function 00A776E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f6363760da59a583e9613bac0c401536035e7b811372cb98857b79cccbdec1
Instruction ID: 48856c30f4a106ecf577fdba4a9cee8e63b489f19b2f2cfb747942572bd4d1c1
Opcode Fuzzy Hash: a4f6363760da59a583e9613bac0c401536035e7b811372cb98857b79cccbdec1
Instruction Fuzzy Hash: 9521C2353082014BEB19573A9D94B7E32979FC8719F24C079D50ACF7A8EE25CC42A381

Function 00A72060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265d88c56586dfec94865ad21f9ccbbdd3106ce720aa88362a762149f259d656
Instruction ID: 8dd77a94a76e8c9dce4c59914c33c4a4defd88b9aebaf612fd95a788a416a1f8
Opcode Fuzzy Hash: 265d88c56586dfec94865ad21f9ccbbdd3106ce720aa88362a762149f259d656
Instruction Fuzzy Hash: B921B031A002159FCB14DB24D940AAE77A6EFD8360B60C559D80A8B268DF31EE42CBD1

Function 00A75A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8435b5969de27a85278f0fd449cea3e2031cb8e7c8302ba4455c3d94508a06b6
Instruction ID: 20fca9ec61abe50b0f3944bba24872495f29592b3f74b3180d21f9d349cc15d0
Opcode Fuzzy Hash: 8435b5969de27a85278f0fd449cea3e2031cb8e7c8302ba4455c3d94508a06b6
Instruction Fuzzy Hash: 1E21B031B05A118FC7159B79C8A852FB7A2EF89751715C2BAE80ACB365DE70DC02C7C0

Function 00A7D11B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2869dbe119fe1eb2996f137889e6472bce074a7e1a6d13cd76d9f3933e5cb866
Instruction ID: d6f0d6bcb33a7ebb96a349fef9ede19071f0adb9ea4c9925880c4b910f5974f6
Opcode Fuzzy Hash: 2869dbe119fe1eb2996f137889e6472bce074a7e1a6d13cd76d9f3933e5cb866
Instruction Fuzzy Hash: 66212531C11609CECB11EFE8E9146ECBBB4FF5A301F509669E44477264EB30AA5ACB40

Function 00A7215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eec4751a17ac720b8759eebbfe53a7642c60ddc7f9fb5177a6bc05f385d53ab
Instruction ID: 4eb859e2b879ff1a02040e858b465dbad528d4d0b13796e1cb35d383b84d05cb
Opcode Fuzzy Hash: 5eec4751a17ac720b8759eebbfe53a7642c60ddc7f9fb5177a6bc05f385d53ab
Instruction Fuzzy Hash: 27113B32E083599FCB029BB89C108DEBB30FFCA310B25C797D566B7191EA312945C7A1

Function 00A7D218 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96db8dc931f40681b668f166f89f4290a11cad20c89cf5ee340897f8bdd19cf
Instruction ID: c1d93f97119de663019827ceae8a980c3659db9baa5b4be8c99aab4097f910a1
Opcode Fuzzy Hash: a96db8dc931f40681b668f166f89f4290a11cad20c89cf5ee340897f8bdd19cf
Instruction Fuzzy Hash: F0216835A01248CFDB14DBB4E850AEDBBB2FF8A301F109469D815773A5DB399942CF64

Function 00A739ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60743cb2d6b23979fb04aa41309110d6de5f336685b0c6f6af76d7be8c1b8246
Instruction ID: 90f91187564f5f2d2425057844b7d0fc3845b97252327d2b6d4587fd62be5b63
Opcode Fuzzy Hash: 60743cb2d6b23979fb04aa41309110d6de5f336685b0c6f6af76d7be8c1b8246
Instruction Fuzzy Hash: 22318C75E11209DFCB44DFA8E59489DBBF6FF89301B2094A9E809AB368D731AD05CF40

Function 00A74DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5083c969750cbf32a31f37eea399c2577d90a62d972e1447b5ccd98b01f304ad
Instruction ID: 5daebf0a7c63ba11debeb9ab9c6fe770eaa5125a1fb29b6b9df79ad115ecec68
Opcode Fuzzy Hash: 5083c969750cbf32a31f37eea399c2577d90a62d972e1447b5ccd98b01f304ad
Instruction Fuzzy Hash: 602104317081448FCB119F78D854AAE3FA2FF48325F1480AAF90A8B251CB34CC52CBE1

Function 00A7D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4920328cfc6e60b574b4ff9fdaec2b42beaee47f2c2c154d30eb05364e05de
Instruction ID: cfff4b1faa7242d43c66ff911608366c5c8f54bc1f4a0f584a995f5319b08b6c
Opcode Fuzzy Hash: 3d4920328cfc6e60b574b4ff9fdaec2b42beaee47f2c2c154d30eb05364e05de
Instruction Fuzzy Hash: 1321D634A012088FCB18DFB4E851AEDB7B2FF89305F10A469D415773A4DB39A942CF65

Function 00A75A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5955de56a3519c53057f0f227f4b6106e37c3f55a93687fa0bdb6ba8ce768ebc
Instruction ID: 46f2b1d5b07eb62bfb540957759961990bd41967f30aac58b5939c00161d56f4
Opcode Fuzzy Hash: 5955de56a3519c53057f0f227f4b6106e37c3f55a93687fa0bdb6ba8ce768ebc
Instruction Fuzzy Hash: 21113031B05A129BC7159B79D89852F77A6AFC47A171581B9E90ACB360DE60DC0287D0

Function 00A75607 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73afd97bb962f505ed5a6828b35b9cf0f42a58f890eb790b728f4bf4608533a4
Instruction ID: b6f6532d5ff104459b734a03668c58bbcf3a8287488d94fd5c3cae9f5b520d22
Opcode Fuzzy Hash: 73afd97bb962f505ed5a6828b35b9cf0f42a58f890eb790b728f4bf4608533a4
Instruction Fuzzy Hash: 1801D272B041116F9B168FA89C10AEE3BE7DFD9351B18C06BF919C7290CA71CD1287A1

Function 00A71F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaac067743923938767eb968740ad57e5550d73bfb004ee9dc064eb9cfc79655
Instruction ID: 28e6cd3955db8e991d96658c617aaecbc6d481d38c53daff66c183987da648e8
Opcode Fuzzy Hash: aaac067743923938767eb968740ad57e5550d73bfb004ee9dc064eb9cfc79655
Instruction Fuzzy Hash: E721F474D046098FCB10EFA8D9485EEBFF0FF4A310F1481AAD445B7264EB341A46CBA1

Function 00A71F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280d47078510d29c3448a870dee75d3d887f32728bebd8cf325d86dd1f302a12
Instruction ID: 2f7757ac75c2a3d975f66f07f8f702837c68ff2ef0d7079d017129273e3f2853
Opcode Fuzzy Hash: 280d47078510d29c3448a870dee75d3d887f32728bebd8cf325d86dd1f302a12
Instruction Fuzzy Hash: 7921BF74D0520A8FCB41EFA8D9555EEBFF0BB4A301F1491AAD805F3221EB341A45CBA1

Function 00A72010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c24b342bbd850294160b462011898d4b15e68cdfdb8130eb21ce9e83e8a6488
Instruction ID: 91e66df10d96a72493a537bdbe825f1c058e3d759b85140cd80ae4fec9a96bac
Opcode Fuzzy Hash: 0c24b342bbd850294160b462011898d4b15e68cdfdb8130eb21ce9e83e8a6488
Instruction Fuzzy Hash: BFE0D831D283964FCB02A7709C150EEBF30ADD3210B5646BFD050A6092D730151AC762

Function 00A72020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8716f798be272e101d0473159354dcd33993de7a337b6f6e5f934488c2af5a7
Instruction ID: 029bc0a622d6c8ecf8e7d7f29d452ea5785f4d4c389dded27e885aa293771617
Opcode Fuzzy Hash: d8716f798be272e101d0473159354dcd33993de7a337b6f6e5f934488c2af5a7
Instruction Fuzzy Hash: AFD05E32D2032B97CB00EBA5EC048EFFB38EED6261B958626D52437154FB702659C6E1

Function 00A78258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 221649496a9cb0f4408fdf71deac181607cacff651a1e2d784fd7c4e43edd2f8
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 59C08C7328C1282AA634108F7C48EF3BB8CC7C17F5A258137FA2CE7200AC469C8001F8

Function 00A7A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dd92dc46c98354f4548427e6351f23a8fd9e3f22891c7c293ff59e480114f8
Instruction ID: e9429e5c691aac8307ec34637a88819a2642104ec16a59011e042cd75df8e144
Opcode Fuzzy Hash: 24dd92dc46c98354f4548427e6351f23a8fd9e3f22891c7c293ff59e480114f8
Instruction Fuzzy Hash: 1BD0677AB510189FCF04DF98EC408DDB7B6FB9C321B048116E915A3261CA319961DB90

Function 00A75EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1a8f7b5da1683c3a2087e92df2edd0390878237f2786de98c879072f7823e5
Instruction ID: 35e4a620d5296f98c072cb61d68affa516cd505ef9a2c9d1e009b0c2f0336952
Opcode Fuzzy Hash: 9a1a8f7b5da1683c3a2087e92df2edd0390878237f2786de98c879072f7823e5
Instruction Fuzzy Hash: 95D05EB051C7854BC603F7B0EB551143B26AF81309BC455E6F80B4A62BEEB5488947A2

Function 00A75EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0006069a27f46bf137513bfe76f0105a825850ff608ce1e01ef2b9e0073b0a4c
Instruction ID: bb0f3d6e8e6a0373f285f0f88ff90d1a63552215d39eaea3b1333e4dd081bf05
Opcode Fuzzy Hash: 0006069a27f46bf137513bfe76f0105a825850ff608ce1e01ef2b9e0073b0a4c
Instruction Fuzzy Hash: 31C01270214B0947C902F7B5EA45555372EEBC0304F805AA1F00B0A61ADEB4198546D1

Non-executed Functions

Function 00A76088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;eq, xrefs: 00A7609E
\;eq, xrefs: 00A76094
\;eq, xrefs: 00A760BA
\;eq, xrefs: 00A760C6

Memory Dump Source

Source File: 00000004.00000002.1433945141.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a70000_b5JCISnBV1.jbxd

Similarity

API ID:
String ID: \;eq$\;eq$\;eq$\;eq
API String ID: 0-3455962030
Opcode ID: bd963b0b9031f7600ee66409c9941ec3fc2ed60003b783b17054fbacb2170ab8
Instruction ID: ad718b8da83b7996869f720f8ea70fae7e8f279613086f0aa3f1a0f4f50e162f
Opcode Fuzzy Hash: bd963b0b9031f7600ee66409c9941ec3fc2ed60003b783b17054fbacb2170ab8
Instruction Fuzzy Hash: A30178317108188F8B649F3DC844A2A77E6AF98B60725C17AE509CB3B4EB72DC428790

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b5JCISnBV1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b5JCISnBV1.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
b5JCISnBV1.exe

Function 0145D3C9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 0145D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0145AD48 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Function 0145590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 01454248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0145D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0145D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0145AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON