Edit tour

Windows Analysis Report
MtxN2qEWpW.exe

Overview

General Information

Sample name:	MtxN2qEWpW.exe renamed because original name is a hash value
Original sample name:	d1c53df36c1b25b7deb62dbfcfa8553f130c03e9724ba0e53ff668e998385202.exe
Analysis ID:	1587691
MD5:	adf463bbc04d413a0b20ebdd4e48e94b
SHA1:	249d82052bb7bbd7dad5251581a1152d2a1dd4ea
SHA256:	d1c53df36c1b25b7deb62dbfcfa8553f130c03e9724ba0e53ff668e998385202
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MtxN2qEWpW.exe (PID: 5784 cmdline: "C:\Users\user\Desktop\MtxN2qEWpW.exe" MD5: ADF463BBC04D413A0B20EBDD4E48E94B)

MtxN2qEWpW.exe (PID: 5952 cmdline: "C:\Users\user\Desktop\MtxN2qEWpW.exe" MD5: ADF463BBC04D413A0B20EBDD4E48E94B)

cmd.exe (PID: 5428 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6020 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3293522957.0000000005600000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14967:$a1: get_encryptedPassword 0x14c53:$a2: get_encryptedUsername 0x14773:$a3: get_timePasswordChanged 0x1486e:$a4: get_passwordField 0x1497d:$a5: set_encryptedPassword 0x16045:$a7: get_logins 0x15fa8:$a10: KeyLoggerEventArgs 0x15c13:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182d0:$x1: $%SMTPDV$ 0x18336:$x2: $#TheHashHere%& 0x1992f:$x3: %FTPDV$ 0x19a23:$x4: $%TelegramDv$ 0x15c13:$x5: KeyLoggerEventArgs 0x15fa8:$x5: KeyLoggerEventArgs 0x19953:$m2: Clipboard Logs ID 0x19b73:$m2: Screenshot Logs ID 0x19c83:$m2: keystroke Logs ID 0x19f5d:$m3: SnakePW 0x19b4b:$m4: \SnakeKeylogger\
00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf4177:$a1: get_encryptedPassword 0x114da7:$a1: get_encryptedPassword 0x1357c7:$a1: get_encryptedPassword 0xf4463:$a2: get_encryptedUsername 0x115093:$a2: get_encryptedUsername 0x135ab3:$a2: get_encryptedUsername 0xf3f83:$a3: get_timePasswordChanged 0x114bb3:$a3: get_timePasswordChanged 0x1355d3:$a3: get_timePasswordChanged 0xf407e:$a4: get_passwordField 0x114cae:$a4: get_passwordField 0x1356ce:$a4: get_passwordField 0xf418d:$a5: set_encryptedPassword 0x114dbd:$a5: set_encryptedPassword 0x1357dd:$a5: set_encryptedPassword 0xf5855:$a7: get_logins 0x116485:$a7: get_logins 0x136ea5:$a7: get_logins 0xf57b8:$a10: KeyLoggerEventArgs 0x1163e8:$a10: KeyLoggerEventArgs 0x136e08:$a10: KeyLoggerEventArgs
00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf7ae0:$x1: $%SMTPDV$ 0x118710:$x1: $%SMTPDV$ 0x139130:$x1: $%SMTPDV$ 0xf7b46:$x2: $#TheHashHere%& 0x118776:$x2: $#TheHashHere%& 0x139196:$x2: $#TheHashHere%& 0xf913f:$x3: %FTPDV$ 0x119d6f:$x3: %FTPDV$ 0x13a78f:$x3: %FTPDV$ 0xf9233:$x4: $%TelegramDv$ 0x119e63:$x4: $%TelegramDv$ 0x13a883:$x4: $%TelegramDv$ 0xf5423:$x5: KeyLoggerEventArgs 0xf57b8:$x5: KeyLoggerEventArgs 0x116053:$x5: KeyLoggerEventArgs 0x1163e8:$x5: KeyLoggerEventArgs 0x136a73:$x5: KeyLoggerEventArgs 0x136e08:$x5: KeyLoggerEventArgs 0xf9163:$m2: Clipboard Logs ID 0xf9383:$m2: Screenshot Logs ID 0xf9493:$m2: keystroke Logs ID
00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5784	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5784	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x43e6b:$a1: get_encryptedPassword 0x440b6:$a2: get_encryptedUsername 0x43c9a:$a3: get_timePasswordChanged 0x43d7c:$a4: get_passwordField 0x43e81:$a5: set_encryptedPassword 0x45d95:$a7: get_logins 0x45d16:$a10: KeyLoggerEventArgs 0x45a84:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MtxN2qEWpW.exe PID: 5784	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x45a84:$x5: KeyLoggerEventArgs 0x45d16:$x5: KeyLoggerEventArgs 0x467a4:$x5: KeyLoggerEventArgs 0x46b05:$x5: KeyLoggerEventArgs 0x47e16:$m2: Clipboard Logs ID 0x47f0d:$m2: Screenshot Logs ID 0x47f63:$m2: keystroke Logs ID 0x48098:$m3: SnakePW 0x47ef9:$m4: \SnakeKeylogger\
Process Memory Space: MtxN2qEWpW.exe PID: 5952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5952	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MtxN2qEWpW.exe PID: 5952	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29ec4:$a1: get_encryptedPassword 0x2a1a6:$a2: get_encryptedUsername 0x29cda:$a3: get_timePasswordChanged 0x29dd5:$a4: get_passwordField 0x29eda:$a5: set_encryptedPassword 0x2c3f5:$a7: get_logins 0x2c358:$a10: KeyLoggerEventArgs 0x2bfc3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MtxN2qEWpW.exe PID: 5952	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2bfc3:$x5: KeyLoggerEventArgs 0x2c358:$x5: KeyLoggerEventArgs 0x2cf31:$x5: KeyLoggerEventArgs 0x2d292:$x5: KeyLoggerEventArgs 0x2e5a3:$m2: Clipboard Logs ID 0x2e69a:$m2: Screenshot Logs ID 0x2e6f0:$m2: keystroke Logs ID 0x2e825:$m3: SnakePW 0x2e686:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MtxN2qEWpW.exe.5600000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.MtxN2qEWpW.exe.3ea7f70.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d67:$a1: get_encryptedPassword 0x13053:$a2: get_encryptedUsername 0x12b73:$a3: get_timePasswordChanged 0x12c6e:$a4: get_passwordField 0x12d7d:$a5: set_encryptedPassword 0x14445:$a7: get_logins 0x143a8:$a10: KeyLoggerEventArgs 0x14013:$a11: KeyLoggerEventArgsEventHandler
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a72d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1995f:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d92:$a4: \Orbitum\User Data\Default\Login Data 0x1add1:$a5: \Kometa\User Data\Default\Login Data
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13977:$s1: UnHook 0x1397e:$s2: SetHook 0x13986:$s3: CallNextHook 0x13993:$s4: _hook
0.2.MtxN2qEWpW.exe.3f38610.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166d0:$x1: $%SMTPDV$ 0x16736:$x2: $#TheHashHere%& 0x17d2f:$x3: %FTPDV$ 0x17e23:$x4: $%TelegramDv$ 0x14013:$x5: KeyLoggerEventArgs 0x143a8:$x5: KeyLoggerEventArgs 0x17d53:$m2: Clipboard Logs ID 0x17f73:$m2: Screenshot Logs ID 0x18083:$m2: keystroke Logs ID 0x1835d:$m3: SnakePW 0x17f4b:$m4: \SnakeKeylogger\
0.2.MtxN2qEWpW.exe.30a2a6c.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa57f4:$a1: WriteProcessMemory 0xa5880:$a1: WriteProcessMemory 0xa5954:$a4: VirtualAllocEx 0xa5b78:$a4: VirtualAllocEx 0xa5bf8:$a4: VirtualAllocEx
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d67:$a1: get_encryptedPassword 0x13053:$a2: get_encryptedUsername 0x12b73:$a3: get_timePasswordChanged 0x12c6e:$a4: get_passwordField 0x12d7d:$a5: set_encryptedPassword 0x14445:$a7: get_logins 0x143a8:$a10: KeyLoggerEventArgs 0x14013:$a11: KeyLoggerEventArgsEventHandler
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a72d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1995f:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d92:$a4: \Orbitum\User Data\Default\Login Data 0x1add1:$a5: \Kometa\User Data\Default\Login Data
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13977:$s1: UnHook 0x1397e:$s2: SetHook 0x13986:$s3: CallNextHook 0x13993:$s4: _hook
0.2.MtxN2qEWpW.exe.3f59240.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166d0:$x1: $%SMTPDV$ 0x16736:$x2: $#TheHashHere%& 0x17d2f:$x3: %FTPDV$ 0x17e23:$x4: $%TelegramDv$ 0x14013:$x5: KeyLoggerEventArgs 0x143a8:$x5: KeyLoggerEventArgs 0x17d53:$m2: Clipboard Logs ID 0x17f73:$m2: Screenshot Logs ID 0x18083:$m2: keystroke Logs ID 0x1835d:$m3: SnakePW 0x17f4b:$m4: \SnakeKeylogger\
0.2.MtxN2qEWpW.exe.5600000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
2.2.MtxN2qEWpW.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.MtxN2qEWpW.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.MtxN2qEWpW.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.MtxN2qEWpW.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b67:$a1: get_encryptedPassword 0x14e53:$a2: get_encryptedUsername 0x14973:$a3: get_timePasswordChanged 0x14a6e:$a4: get_passwordField 0x14b7d:$a5: set_encryptedPassword 0x16245:$a7: get_logins 0x161a8:$a10: KeyLoggerEventArgs 0x15e13:$a11: KeyLoggerEventArgsEventHandler
2.2.MtxN2qEWpW.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data
2.2.MtxN2qEWpW.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15777:$s1: UnHook 0x1577e:$s2: SetHook 0x15786:$s3: CallNextHook 0x15793:$s4: _hook
2.2.MtxN2qEWpW.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184d0:$x1: $%SMTPDV$ 0x18536:$x2: $#TheHashHere%& 0x19b2f:$x3: %FTPDV$ 0x19c23:$x4: $%TelegramDv$ 0x15e13:$x5: KeyLoggerEventArgs 0x161a8:$x5: KeyLoggerEventArgs 0x19b53:$m2: Clipboard Logs ID 0x19d73:$m2: Screenshot Logs ID 0x19e83:$m2: keystroke Logs ID 0x1a15d:$m3: SnakePW 0x19d4b:$m4: \SnakeKeylogger\
0.2.MtxN2qEWpW.exe.30a52ac.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2fb4:$a1: WriteProcessMemory 0xa3040:$a1: WriteProcessMemory 0xa3114:$a4: VirtualAllocEx 0xa3338:$a4: VirtualAllocEx 0xa33b8:$a4: VirtualAllocEx
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b67:$a1: get_encryptedPassword 0x35587:$a1: get_encryptedPassword 0x14e53:$a2: get_encryptedUsername 0x35873:$a2: get_encryptedUsername 0x14973:$a3: get_timePasswordChanged 0x35393:$a3: get_timePasswordChanged 0x14a6e:$a4: get_passwordField 0x3548e:$a4: get_passwordField 0x14b7d:$a5: set_encryptedPassword 0x3559d:$a5: set_encryptedPassword 0x16245:$a7: get_logins 0x36c65:$a7: get_logins 0x161a8:$a10: KeyLoggerEventArgs 0x36bc8:$a10: KeyLoggerEventArgs 0x15e13:$a11: KeyLoggerEventArgsEventHandler 0x36833:$a11: KeyLoggerEventArgsEventHandler
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c17f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data 0x3c5b2:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data 0x3d5f1:$a5: \Kometa\User Data\Default\Login Data
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15777:$s1: UnHook 0x36197:$s1: UnHook 0x1577e:$s2: SetHook 0x3619e:$s2: SetHook 0x15786:$s3: CallNextHook 0x361a6:$s3: CallNextHook 0x15793:$s4: _hook 0x361b3:$s4: _hook
0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184d0:$x1: $%SMTPDV$ 0x38ef0:$x1: $%SMTPDV$ 0x18536:$x2: $#TheHashHere%& 0x38f56:$x2: $#TheHashHere%& 0x19b2f:$x3: %FTPDV$ 0x3a54f:$x3: %FTPDV$ 0x19c23:$x4: $%TelegramDv$ 0x3a643:$x4: $%TelegramDv$ 0x15e13:$x5: KeyLoggerEventArgs 0x161a8:$x5: KeyLoggerEventArgs 0x36833:$x5: KeyLoggerEventArgs 0x36bc8:$x5: KeyLoggerEventArgs 0x19b53:$m2: Clipboard Logs ID 0x19d73:$m2: Screenshot Logs ID 0x19e83:$m2: keystroke Logs ID 0x3a573:$m2: Clipboard Logs ID 0x3a793:$m2: Screenshot Logs ID 0x3a8a3:$m2: keystroke Logs ID 0x1a15d:$m3: SnakePW 0x3ab7d:$m3: SnakePW 0x19d4b:$m4: \SnakeKeylogger\
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b67:$a1: get_encryptedPassword 0x35797:$a1: get_encryptedPassword 0x561b7:$a1: get_encryptedPassword 0x14e53:$a2: get_encryptedUsername 0x35a83:$a2: get_encryptedUsername 0x564a3:$a2: get_encryptedUsername 0x14973:$a3: get_timePasswordChanged 0x355a3:$a3: get_timePasswordChanged 0x55fc3:$a3: get_timePasswordChanged 0x14a6e:$a4: get_passwordField 0x3569e:$a4: get_passwordField 0x560be:$a4: get_passwordField 0x14b7d:$a5: set_encryptedPassword 0x357ad:$a5: set_encryptedPassword 0x561cd:$a5: set_encryptedPassword 0x16245:$a7: get_logins 0x36e75:$a7: get_logins 0x57895:$a7: get_logins 0x161a8:$a10: KeyLoggerEventArgs 0x36dd8:$a10: KeyLoggerEventArgs 0x577f8:$a10: KeyLoggerEventArgs
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d15d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db7d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c38f:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdaf:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data 0x3c7c2:$a4: \Orbitum\User Data\Default\Login Data 0x5d1e2:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data 0x3d801:$a5: \Kometa\User Data\Default\Login Data 0x5e221:$a5: \Kometa\User Data\Default\Login Data
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15777:$s1: UnHook 0x363a7:$s1: UnHook 0x56dc7:$s1: UnHook 0x1577e:$s2: SetHook 0x363ae:$s2: SetHook 0x56dce:$s2: SetHook 0x15786:$s3: CallNextHook 0x363b6:$s3: CallNextHook 0x56dd6:$s3: CallNextHook 0x15793:$s4: _hook 0x363c3:$s4: _hook 0x56de3:$s4: _hook
0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184d0:$x1: $%SMTPDV$ 0x39100:$x1: $%SMTPDV$ 0x59b20:$x1: $%SMTPDV$ 0x18536:$x2: $#TheHashHere%& 0x39166:$x2: $#TheHashHere%& 0x59b86:$x2: $#TheHashHere%& 0x19b2f:$x3: %FTPDV$ 0x3a75f:$x3: %FTPDV$ 0x5b17f:$x3: %FTPDV$ 0x19c23:$x4: $%TelegramDv$ 0x3a853:$x4: $%TelegramDv$ 0x5b273:$x4: $%TelegramDv$ 0x15e13:$x5: KeyLoggerEventArgs 0x161a8:$x5: KeyLoggerEventArgs 0x36a43:$x5: KeyLoggerEventArgs 0x36dd8:$x5: KeyLoggerEventArgs 0x57463:$x5: KeyLoggerEventArgs 0x577f8:$x5: KeyLoggerEventArgs 0x19b53:$m2: Clipboard Logs ID 0x19d73:$m2: Screenshot Logs ID 0x19e83:$m2: keystroke Logs ID
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5207:$a1: get_encryptedPassword 0xc5e37:$a1: get_encryptedPassword 0xe6857:$a1: get_encryptedPassword 0xa54f3:$a2: get_encryptedUsername 0xc6123:$a2: get_encryptedUsername 0xe6b43:$a2: get_encryptedUsername 0xa5013:$a3: get_timePasswordChanged 0xc5c43:$a3: get_timePasswordChanged 0xe6663:$a3: get_timePasswordChanged 0xa510e:$a4: get_passwordField 0xc5d3e:$a4: get_passwordField 0xe675e:$a4: get_passwordField 0xa521d:$a5: set_encryptedPassword 0xc5e4d:$a5: set_encryptedPassword 0xe686d:$a5: set_encryptedPassword 0xa68e5:$a7: get_logins 0xc7515:$a7: get_logins 0xe7f35:$a7: get_logins 0xa6848:$a10: KeyLoggerEventArgs 0xc7478:$a10: KeyLoggerEventArgs 0xe7e98:$a10: KeyLoggerEventArgs
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5e17:$s1: UnHook 0xc6a47:$s1: UnHook 0xe7467:$s1: UnHook 0xa5e1e:$s2: SetHook 0xc6a4e:$s2: SetHook 0xe746e:$s2: SetHook 0xa5e26:$s3: CallNextHook 0xc6a56:$s3: CallNextHook 0xe7476:$s3: CallNextHook 0xa5e33:$s4: _hook 0xc6a63:$s4: _hook 0xe7483:$s4: _hook
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa8b70:$x1: $%SMTPDV$ 0xc97a0:$x1: $%SMTPDV$ 0xea1c0:$x1: $%SMTPDV$ 0xa8bd6:$x2: $#TheHashHere%& 0xc9806:$x2: $#TheHashHere%& 0xea226:$x2: $#TheHashHere%& 0xaa1cf:$x3: %FTPDV$ 0xcadff:$x3: %FTPDV$ 0xeb81f:$x3: %FTPDV$ 0xaa2c3:$x4: $%TelegramDv$ 0xcaef3:$x4: $%TelegramDv$ 0xeb913:$x4: $%TelegramDv$ 0xa64b3:$x5: KeyLoggerEventArgs 0xa6848:$x5: KeyLoggerEventArgs 0xc70e3:$x5: KeyLoggerEventArgs 0xc7478:$x5: KeyLoggerEventArgs 0xe7b03:$x5: KeyLoggerEventArgs 0xe7e98:$x5: KeyLoggerEventArgs 0xaa1f3:$m2: Clipboard Logs ID 0xaa413:$m2: Screenshot Logs ID 0xaa523:$m2: keystroke Logs ID
0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
Click to see the 40 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:05:00.142704+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	104.21.112.1	443	TCP
2025-01-10T17:05:25.887534+0100	2803305	3	Unknown Traffic	192.168.2.5	49790	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:04:58.528170+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-10T17:04:59.528192+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-10T17:05:01.809549+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MtxN2qEWpW.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: MtxN2qEWpW.exe	Virustotal: Detection: 64%			Perma Link
Source: MtxN2qEWpW.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MtxN2qEWpW.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MtxN2qEWpW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: MtxN2qEWpW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: MtxN2qEWpW.exe, 00000000.00000002.3291418274.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000000.00000002.3293729355.0000000005660000.00000004.08000000.00040000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49790 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MtxN2qEWpW.exe, 00000002.00000002.2350650221.0000000006310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MtxN2qEWpW.exe, 00000002.00000002.2350650221.0000000006310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coY
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.MtxN2qEWpW.exe.5600000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.30a2a6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.5600000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.30a52ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.3293522957.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_0112D304	0_2_0112D304
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_02CF65B0	0_2_02CF65B0
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_02CFBF60	0_2_02CFBF60
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_02CF0040	0_2_02CF0040
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_02CF0007	0_2_02CF0007
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 0_2_02CFAD51	0_2_02CFAD51
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5C470	2_2_04F5C470
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5C751	2_2_04F5C751
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F56730	2_2_04F56730
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5C190	2_2_04F5C190
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F56108	2_2_04F56108
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5B328	2_2_04F5B328
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5BEB0	2_2_04F5BEB0
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F59858	2_2_04F59858
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F54AD9	2_2_04F54AD9
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5CA31	2_2_04F5CA31
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5BBD2	2_2_04F5BBD2
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F5B4F3	2_2_04F5B4F3
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Code function: 2_2_04F53570	2_2_04F53570

Source: MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000000.2035339244.00000000008E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3293522957.0000000005600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3291418274.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3291418274.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3293729355.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000000.00000002.3289240805.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe, 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MtxN2qEWpW.exe
Source: MtxN2qEWpW.exe	Binary or memory string: OriginalFilenameFisa.exe* vs MtxN2qEWpW.exe

Source: MtxN2qEWpW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.MtxN2qEWpW.exe.5600000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.30a2a6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.5600000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.30a52ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.3293522957.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MtxN2qEWpW.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03

Source: MtxN2qEWpW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MtxN2qEWpW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MtxN2qEWpW.exe	Virustotal: Detection: 64%
Source: MtxN2qEWpW.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\MtxN2qEWpW.exe "C:\Users\user\Desktop\MtxN2qEWpW.exe"
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Users\user\Desktop\MtxN2qEWpW.exe "C:\Users\user\Desktop\MtxN2qEWpW.exe"
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Users\user\Desktop\MtxN2qEWpW.exe "C:\Users\user\Desktop\MtxN2qEWpW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MtxN2qEWpW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MtxN2qEWpW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: MtxN2qEWpW.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Code function: 0_2_02CFB518 pushfd ; iretd

0_2_02CFB521

Source: MtxN2qEWpW.exe

Static PE information: section name: .text entropy: 7.0175838630459575

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"			Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598978	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598612	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597582	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597221	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597096	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596966	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596530	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595857	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595173	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594827	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594181	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 593997	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Window / User API: threadDelayed 6906			Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Window / User API: threadDelayed 2931			Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 6200	Thread sleep count: 6906 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 6200	Thread sleep count: 2931 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598978s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598612s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597582s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597221s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -597096s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596966s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595173s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -594181s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe TID: 5808	Thread sleep time: -593997s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598978	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598612	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597582	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597221	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 597096	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596966	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596530	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595857	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595173	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594827	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 594181	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Thread delayed: delay time: 593997	Jump to behavior

Source: MtxN2qEWpW.exe, 00000002.00000002.2347497374.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Memory written: C:\Users\user\Desktop\MtxN2qEWpW.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Users\user\Desktop\MtxN2qEWpW.exe "C:\Users\user\Desktop\MtxN2qEWpW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Users\user\Desktop\MtxN2qEWpW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Users\user\Desktop\MtxN2qEWpW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MtxN2qEWpW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MtxN2qEWpW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR

Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MtxN2qEWpW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f59240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3f38610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MtxN2qEWpW.exe.3ea7f70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MtxN2qEWpW.exe PID: 5952, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MtxN2qEWpW.exe	65%	Virustotal		Browse
MtxN2qEWpW.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
MtxN2qEWpW.exe	100%	Avira	HEUR/AGEN.1309847
MtxN2qEWpW.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.microsoft.coY	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coY	MtxN2qEWpW.exe, 00000002.00000002.2350650221.0000000006310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://microsoft.co	MtxN2qEWpW.exe, 00000002.00000002.2350650221.0000000006310000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	MtxN2qEWpW.exe, 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MtxN2qEWpW.exe, 00000002.00000002.2348568485.0000000002B34000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587691
Start date and time:	2025-01-10 17:04:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MtxN2qEWpW.exe renamed because original name is a hash value
Original Sample Name:	d1c53df36c1b25b7deb62dbfcfa8553f130c03e9724ba0e53ff668e998385202.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MtxN2qEWpW.exe, PID 5952 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:04:58	API Interceptor	247x Sleep call for process: MtxN2qEWpW.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
132.226.247.73	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\MtxN2qEWpW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.010557343398386
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	MtxN2qEWpW.exe
File size:	826'368 bytes
MD5:	adf463bbc04d413a0b20ebdd4e48e94b
SHA1:	249d82052bb7bbd7dad5251581a1152d2a1dd4ea
SHA256:	d1c53df36c1b25b7deb62dbfcfa8553f130c03e9724ba0e53ff668e998385202
SHA512:	50878f6f1fbbc4b048692abdad9f70011f7db13f983c7f8d511858bf819a861b404e5f52cc3c997db027dff598230a3d0cc00575ce0f1abc04bd4830f8fcdab0
SSDEEP:	12288:6aMaSzOKy2r7SPNp3jFQuTm8lc+mGmHM48lHj2VU:5MaSSKy2/SPNNjDTBecmHM48ls
TLSH:	75056C093A6048F8C531C9F6F8E7863D6970B961A2E2D42725CF2E5D7CC9B8046D71AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cb0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb054	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc90b4	0xc9200	de5f7fd0d2ddf6c05262ba6bf9094f5b	False	0.4342820171690491	data	7.0175838630459575	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x586	0x600	023f933e236ce25e662698bcb26c192d	False	0.4134114583333333	data	4.009208314844858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	727b93468c891e185699debc43ee745f	False	0.044921875	data	0.09409792566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0xcc39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T17:04:58.528170+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-10T17:04:59.528192+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-10T17:05:00.142704+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	104.21.112.1	443	TCP
2025-01-10T17:05:01.809549+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	132.226.247.73	80	TCP
2025-01-10T17:05:25.887534+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49790	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:04:57.567038059 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:57.572058916 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:57.572148085 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:57.572379112 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:57.577224016 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:58.271502018 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:58.275826931 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:58.280791998 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:58.485620975 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:58.528170109 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:58.541450024 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:58.541488886 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:58.541549921 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:58.546614885 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:58.546642065 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.018857956 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.019361019 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.025191069 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.025208950 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.025499105 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.075356960 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.102895975 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.147325039 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.240822077 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.240881920 CET	443	49707	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.241487026 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.250073910 CET	49707	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.251292944 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:59.256125927 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:59.475977898 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:04:59.503333092 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.503365993 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.503488064 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.504024029 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.504033089 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.528192043 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:04:59.988481998 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:04:59.993079901 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:04:59.993114948 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:00.142801046 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:00.142960072 CET	443	49708	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:00.143335104 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:00.143575907 CET	49708	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:00.146703959 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:00.147806883 CET	49710	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:00.151788950 CET	80	49704	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:00.151875019 CET	49704	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:00.152678967 CET	80	49710	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:00.152765036 CET	49710	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:00.152870893 CET	49710	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:00.157660007 CET	80	49710	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:01.762744904 CET	80	49710	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:01.764646053 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:01.764688969 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:01.764796019 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:01.765104055 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:01.765121937 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:01.809549093 CET	49710	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:02.244714975 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:02.274930954 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:02.274971008 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:02.402271986 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:02.402429104 CET	443	49711	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:02.402518034 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:02.408107042 CET	49711	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:02.434741020 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:02.439547062 CET	80	49713	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:02.439646006 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:02.439740896 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:02.444528103 CET	80	49713	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:14.210314989 CET	80	49713	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:14.212147951 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.212202072 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.212280989 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.212626934 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.212641001 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.262608051 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.701170921 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.711138964 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.711170912 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.869863033 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.869929075 CET	443	49720	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:14.870007992 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.870702982 CET	49720	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:14.878159046 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.879914045 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.883141994 CET	80	49713	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:14.883199930 CET	49713	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.884773016 CET	80	49722	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:14.884857893 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.884980917 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:14.889688969 CET	80	49722	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:21.832061052 CET	80	49722	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:21.835952044 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:21.836009979 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:21.836131096 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:21.836450100 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:21.836463928 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:21.887666941 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.293119907 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:22.302531004 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:22.302573919 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:22.431185961 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:22.431252003 CET	443	49765	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:22.431497097 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:22.432229042 CET	49765	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:22.438203096 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.439527988 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.443306923 CET	80	49722	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:22.443505049 CET	49722	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.444344044 CET	80	49770	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:22.444420099 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.444603920 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:22.449409962 CET	80	49770	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:23.942018986 CET	80	49770	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:23.943650007 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:23.943691969 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:23.943773031 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:23.944148064 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:23.944164038 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:23.981287956 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.422677994 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:24.426131010 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:24.426176071 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:24.562124014 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:24.562295914 CET	443	49779	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:24.562381029 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:24.563021898 CET	49779	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:24.566962957 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.568200111 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.572072983 CET	80	49770	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:24.572165966 CET	49770	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.573041916 CET	80	49785	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:24.573121071 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.573251963 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:24.578053951 CET	80	49785	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:25.272511959 CET	80	49785	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:25.273987055 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.274015903 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.274080992 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.274339914 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.274353027 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.325279951 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.750252962 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.751900911 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.751970053 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.887649059 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.887811899 CET	443	49790	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:25.887881041 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.888379097 CET	49790	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:25.891465902 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.892622948 CET	49793	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.896460056 CET	80	49785	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:25.896538019 CET	49785	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.897403002 CET	80	49793	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:25.897469044 CET	49793	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.897593021 CET	49793	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:25.902332067 CET	80	49793	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:26.593393087 CET	80	49793	132.226.247.73	192.168.2.5
Jan 10, 2025 17:05:26.594980955 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:26.595046043 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:26.595148087 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:26.595458984 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:26.595470905 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:26.637567997 CET	49793	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:27.063523054 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:27.065443039 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:27.065462112 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:27.236891985 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:27.236957073 CET	443	49797	104.21.112.1	192.168.2.5
Jan 10, 2025 17:05:27.237015963 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:27.237617970 CET	49797	443	192.168.2.5	104.21.112.1
Jan 10, 2025 17:05:27.431567907 CET	49793	80	192.168.2.5	132.226.247.73
Jan 10, 2025 17:05:27.431642056 CET	49710	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:04:57.549817085 CET	65384	53	192.168.2.5	1.1.1.1
Jan 10, 2025 17:04:57.557020903 CET	53	65384	1.1.1.1	192.168.2.5
Jan 10, 2025 17:04:58.533611059 CET	61697	53	192.168.2.5	1.1.1.1
Jan 10, 2025 17:04:58.540843010 CET	53	61697	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:04:57.549817085 CET	192.168.2.5	1.1.1.1	0xde48	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.533611059 CET	192.168.2.5	1.1.1.1	0x3aa3	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:57.557020903 CET	1.1.1.1	192.168.2.5	0xde48	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:58.540843010 CET	1.1.1.1	192.168.2.5	0x3aa3	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:57.572379112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:58.271502018 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:04:58.275826931 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:04:58.485620975 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:04:59.251292944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:04:59.475977898 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:00.152870893 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:05:01.762744904 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:02.439740896 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:05:14.210314989 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:14.884980917 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:05:21.832061052 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49770	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:22.444603920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:05:23.942018986 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49785	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:24.573251963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:05:25.272511959 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49793	132.226.247.73	80	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:05:25.897593021 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:05:26.593393087 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:04:59 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839888 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hffuHvNXl8RY9VYc0sGG8ljg9thz7DcWjvZ2KSexFxaiZ3%2BJZHushqDl%2BS0yvU6oSmw74z6CQYKnGb%2FcpbWg1XriSenxPWgGtz9HPyEsgeRNQVswzRFL91HOYGROE7wpOvBkih71"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde7edbf5b424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1561&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1794714&cwnd=248&unsent_bytes=0&cid=03324fe5dbfb5f65&ts=234&x=0"
2025-01-10 16:04:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:59 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:05:00 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839889 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P8PIaSKirYDKvElJwkMkadP7%2FG7twGjpTQt5JALoqvQ3LuVqFA1Z92CSIMGtBThGw8q9RqLeEASp8Kb274DkjqMA%2B0Mej1nkODZsrX%2F9hFi5TqPalNq1VXx0TzYTWj7D6C3WVdms"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde7f389b4c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1499&rtt_var=564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1937624&cwnd=181&unsent_bytes=0&cid=883ee1fdd174fcf5&ts=162&x=0"
2025-01-10 16:05:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:05:02 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839891 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uLcb3qGqks4aattwOt%2FKLep2TyTHNIbcwtDM%2BdFUyz5TDtls51naLk9KZZCdNw9qmT68FXZNT3%2F%2B4%2FKtiInbVzAZ6Aag0JPVzKSrtOMKWFgURqFrWk0KgKdd5ZEeYPmDzn1vpG0M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde80198f4727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2011&rtt_var=776&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1389814&cwnd=234&unsent_bytes=0&cid=8e9d1939c4e73168&ts=165&x=0"
2025-01-10 16:05:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:05:14 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839903 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fRO0g607VjBRaID8i189pKYzOIx7uofx5GoPUCysd6bU7pv42%2FjN712JwCRqhzsL8DOackf23%2FfpUK8TNQ9RoCbhXmLHEn5yLGFQhcEWktuLmYtxZpRurA8kKTVfXBSi31iL0WGg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde84f7a6ac34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1540&rtt_var=582&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1896103&cwnd=181&unsent_bytes=0&cid=188d1fce01147b06&ts=178&x=0"
2025-01-10 16:05:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49765	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:05:22 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839911 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rYyE200jcl0F0hcSzH45aCj3%2BY%2BVrWpqqMVeeirs%2B9%2BPD5yaxOeJVK4dltFD%2B1ax%2BRogIeEIMYhXtkxUR2qc7UdBa9OPqFCg5kbd4XMd0By6K2CQFrsCNqK7yUC064kS6CtIjTyB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde87ecda90f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1605&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1717647&cwnd=221&unsent_bytes=0&cid=716a80992b877044&ts=142&x=0"
2025-01-10 16:05:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49779	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:05:24 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839913 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UP%2BU2x4aItv%2BeNqfpzVy0dkwwUx5fHsIbP4GohicZH3UnydxBwUbgsMk2rgxWYgASbAAwdoP6rYhM6T5gSpdULifuaPnoG%2Fff351Mcvju%2BbT7KbEUbWwYwOohy8i%2BFxgK04xM8dS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde88c2dca424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1594&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1831869&cwnd=248&unsent_bytes=0&cid=ef051a7599ccb515&ts=148&x=0"
2025-01-10 16:05:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49790	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:05:25 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839914 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2B9xFqt1rMFEy6VrX2mMT9LLnxmgWfYWxWZo5mbnrSE8GwQ0tpK%2FycqwotDFoX4Q%2B3FqppbXwVWDo%2FxUxjO1eAhViRiCUNWt7yO91XV5k4YyFF%2BNo6fAzdB7fUz6C7jE0gVu%2FJo3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde8947a04424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1575&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1843434&cwnd=248&unsent_bytes=0&cid=441093f7d65c6c79&ts=145&x=0"
2025-01-10 16:05:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49797	104.21.112.1	443	5952	C:\Users\user\Desktop\MtxN2qEWpW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:05:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:05:27 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:05:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839916 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eSZvBzNs6IHwc0Dqli7Os1hqtUmUOAupbk58bOo5zLrBsGpaukca%2Bb1ClR%2BMjX4svyaoC7wx9QWtAnXI7LO59ze%2BS4KHHM%2BnT%2FBZd5vSDupGjIwLkI7RzN4oojYu8idzFkzMnDvd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde89cb87343b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1640&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1737061&cwnd=203&unsent_bytes=0&cid=7583d3a1ab6dd7ea&ts=178&x=0"
2025-01-10 16:05:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	11:04:54
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MtxN2qEWpW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MtxN2qEWpW.exe"
Imagebase:	0x8e0000
File size:	826'368 bytes
MD5 hash:	ADF463BBC04D413A0B20EBDD4E48E94B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.3293522957.0000000005600000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3292867805.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:04:55
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MtxN2qEWpW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MtxN2qEWpW.exe"
Imagebase:	0x710000
File size:	826'368 bytes
MD5 hash:	ADF463BBC04D413A0B20EBDD4E48E94B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2348568485.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2346970393.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2348568485.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:05:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\MtxN2qEWpW.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:05:26
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:05:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x470000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.3%
Total number of Nodes:	164
Total number of Limit Nodes:	7

Executed Functions

Function 02CFBF60 Relevance: 1.9, Strings: 1, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 02CFC720

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 3aa77be9c3a0c456b684fff14423a2cad579e5e07fab301bacd309bb4c8e392b
Instruction ID: bcfedff243ee41cd06a2120f04982898a58f820c9ce5d25906c750bd80e52d13
Opcode Fuzzy Hash: 3aa77be9c3a0c456b684fff14423a2cad579e5e07fab301bacd309bb4c8e392b
Instruction Fuzzy Hash: 6A52C074E012288FDB68DF65C994BDDBBB2BF89304F1085EA950DAB291DB345E85CF40

Function 02CF65B0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9779e81ca73f666dde6da8e85f423b3d7da8eb349b07ea66922012cbaf68269d
Instruction ID: 1135544b50196f6639a3cedaae9fa423b9b3a5ded44a7a7d1c14b4c94d0bcdd5
Opcode Fuzzy Hash: 9779e81ca73f666dde6da8e85f423b3d7da8eb349b07ea66922012cbaf68269d
Instruction Fuzzy Hash: 92A1DF74E002198FCB54DFAAD584A9DFBF2FF48314F2491AAE418AB356D734A981CF50

Function 0112AD48 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0112AF9E

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 368ff270f2ea386dd91e31836e6550591920ac4d4b83054b0bf92acc691564d3
Instruction ID: 0fa74926382014786003b2068eb08a61139f0ee2a878e25ebe5a38d1e3a760ca
Opcode Fuzzy Hash: 368ff270f2ea386dd91e31836e6550591920ac4d4b83054b0bf92acc691564d3
Instruction Fuzzy Hash: 70815770A00B158FD728DF29E54479ABBF1FF48304F008A2DD58ADBA51D735E85ACB91

Function 02CFCA96 Relevance: 1.6, APIs: 1, Instructions: 138
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02CFCBDC

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 45f80f44f1a97713b74e2f1e3c3a3cc26e6760533e003650e6e652099541b1a6
Instruction ID: 09eb40650e4072b319297b74f8d4532a09e52e70dcaca49bf02e2c256acef8cb
Opcode Fuzzy Hash: 45f80f44f1a97713b74e2f1e3c3a3cc26e6760533e003650e6e652099541b1a6
Instruction Fuzzy Hash: 965126B5A00319DFDB64CF99C940BDDBBB1BF48304F10809AE908B7250C7759A89CF51

Function 02CFCAA0 Relevance: 1.6, APIs: 1, Instructions: 137
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02CFCBDC

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4ee3a5f16a14a6dbdd46177c6e0c35fbf7e2333afa63788fbd6c4a163f771e97
Instruction ID: 86bc416d8552258a134e30fd948854fb0b490fe708aa2850a4465a9e3ee203d7
Opcode Fuzzy Hash: 4ee3a5f16a14a6dbdd46177c6e0c35fbf7e2333afa63788fbd6c4a163f771e97
Instruction Fuzzy Hash: 9F511571A0131DDFDB64CFA9C940BDDBBB6BF49304F10809AE908A7250C7759A89CF91

Function 02CF18E4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CF1A02

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dfbbba6214f1953cbafbd35473d7c12f03cfcec12ad78e4c516480559e71f277
Instruction ID: ff6d86efe65defeeb32b93a67c2b3a918c16ccf3e9c92b8dc8438473728f80fe
Opcode Fuzzy Hash: dfbbba6214f1953cbafbd35473d7c12f03cfcec12ad78e4c516480559e71f277
Instruction Fuzzy Hash: 8751E3B1D00349DFDB54CF99C984ADEBFB5BF88310F24812AE419AB250D7759985CF90

Function 02CF18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CF1A02

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ec0b3c41e4714957bb7519b0280aa5a54c2d4da24f81928e73b74ce646738a77
Instruction ID: 201c758710a61469372bab6e247133f9d35fd7f1a1371a89cff557100fd0555a
Opcode Fuzzy Hash: ec0b3c41e4714957bb7519b0280aa5a54c2d4da24f81928e73b74ce646738a77
Instruction Fuzzy Hash: 7A41D2B1D00349DFDB54CF9AC984ADEBBB5FF88310F24812AE919AB210D7759945CF90

Function 0112590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011259C9

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c9697bd3e4e84b42759aadc853283f9af819784cb88c22b21a94e23069dda11
Instruction ID: 2035bda5f77bea532555e92e37962a631e0fc3d10b37f47413bd52700f7b753f
Opcode Fuzzy Hash: 1c9697bd3e4e84b42759aadc853283f9af819784cb88c22b21a94e23069dda11
Instruction Fuzzy Hash: C141D4B0D00729CEDB18CFA9C8847DDBBB6FF49304F20816AD409AB255D7755946CF90

Function 01125A84 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68f1fa9018d6060a1535634b6f00b5f9c63b57f5ea39e918e123ac2e2438241
Instruction ID: 88c8f2e758decab18406b5ed85ff35d796cebeedee90632ca7e3981cb4970573
Opcode Fuzzy Hash: e68f1fa9018d6060a1535634b6f00b5f9c63b57f5ea39e918e123ac2e2438241
Instruction Fuzzy Hash: F4412071804759CECF5ACFA8C8887EEBFB2EF46314F24818AC055AB251D7359806CF51

Function 01124248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011259C9

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 98f188f768e6d9bed1473166f738e45871d41f7e15ba5ba87d16add3bd87d423
Instruction ID: 70f0a34732b524a82302015872b0caf5419ada8f35cb902601a7b25fa0dd5085
Opcode Fuzzy Hash: 98f188f768e6d9bed1473166f738e45871d41f7e15ba5ba87d16add3bd87d423
Instruction Fuzzy Hash: 8641F2B0D00719CBDB28CFA9C884BDDBBB6FF49304F20806AD408AB251DB756946CF90

Function 02CF4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02CF4111

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 12f6da508ef660eb5356d7a40ea8162bf3330e607ba8b951dc64b99f8db1abb6
Instruction ID: f429daae1f4cc0dc762a305166b27db5a5a6088ffee63ff951efe7ba098ae8da
Opcode Fuzzy Hash: 12f6da508ef660eb5356d7a40ea8162bf3330e607ba8b951dc64b99f8db1abb6
Instruction Fuzzy Hash: 40411AB4A00305CFCB54CF99C848AABBBF5FB89314F24C559D619A7321D775A941CFA0

Function 02CFBC48 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02CFBCE0

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ebb81d3d26fa9540f99061e14f5266341f848e48d4bb3b20c68b22db1e62f9b8
Instruction ID: 5cc3bdebba17f73f65075218e96e11e7e5a9a99579a0095e7b7e0a91c29a0a6c
Opcode Fuzzy Hash: ebb81d3d26fa9540f99061e14f5266341f848e48d4bb3b20c68b22db1e62f9b8
Instruction Fuzzy Hash: 44212AB19003499FDB50DFAAC985BDEBBF5FF48314F108429E919A7240CB789945CBA0

Function 02CFBC50 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02CFBCE0

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ddde964bf2463c8950f715ce0c813a46d02cf64b5b90ca83b8a08e933f86d3fe
Instruction ID: 7321d308f6e2f99997841e097b083a5f30f723e28d5260a3b4add2f4eeed431b
Opcode Fuzzy Hash: ddde964bf2463c8950f715ce0c813a46d02cf64b5b90ca83b8a08e933f86d3fe
Instruction Fuzzy Hash: 792139B19003499FCB50DFAAC985BEEBBF5FF48314F108429E919A7240CB789945CFA0

Function 0112B730 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D5E6,?,?,?,?,?), ref: 0112D6A7

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 485e91842c89ad5ba8befbd72c857645336b0bde93c5890529f8f1fcc81d8a62
Instruction ID: 496092463bf1d502f636b2d13c4df34c03ae6c21c0d620d7c66fc96c83397293
Opcode Fuzzy Hash: 485e91842c89ad5ba8befbd72c857645336b0bde93c5890529f8f1fcc81d8a62
Instruction Fuzzy Hash: 2321E6B59002589FDB10CF9AD584AEEBFF4FB48310F14841AE918B7310D378A954CFA5

Function 02CFBB71 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02CFBBF6

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4e18ab55652c448c15392645236db24081f0810ace1ccf4206e8813bcc9b181e
Instruction ID: 704917d22691667bb90b68b77758c2e91aa6d1a75908aac83093466689a65336
Opcode Fuzzy Hash: 4e18ab55652c448c15392645236db24081f0810ace1ccf4206e8813bcc9b181e
Instruction Fuzzy Hash: 222138B1D003098FDB50DFAAC5857EEBBF4EF88314F148429D519A7240CB789A45CFA1

Function 0112D619 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D5E6,?,?,?,?,?), ref: 0112D6A7

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d634eeb3b658d241ce217946d036e920ca69d3efd4a79a85221ffb0d507b058c
Instruction ID: 65fe988410b7c888c708de25ee047980bcdfd6552c932ae6d6341384b2088033
Opcode Fuzzy Hash: d634eeb3b658d241ce217946d036e920ca69d3efd4a79a85221ffb0d507b058c
Instruction Fuzzy Hash: AB21F8B59002589FDB10CF9AD584AEEBFF5FB48310F24841AE918B3310C378A950CF64

Function 02CFBB78 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02CFBBF6

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d43945eec4d9e9e90d88f648f511a5874712128740b8ee49ee62ca4ac517b739
Instruction ID: 2519279bed39396b891e896ab1c44088d70d7e112ee7d5551eeb488b21c55a53
Opcode Fuzzy Hash: d43945eec4d9e9e90d88f648f511a5874712128740b8ee49ee62ca4ac517b739
Instruction Fuzzy Hash: 6D2115B1D003098FDB50DFAAC5857EEBBF4EF88314F14842AD519A7241CB78A945CFA5

Function 02CFCD80 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02CFCDF9

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6163facf18af261c181b0f2a8745502bda1f36d7a298539af49e5e1af612a185
Instruction ID: 5296aa83ab67b25886524e1bd4de7ed9160f067d9f7ded793b31a0cab68e2f4c
Opcode Fuzzy Hash: 6163facf18af261c181b0f2a8745502bda1f36d7a298539af49e5e1af612a185
Instruction Fuzzy Hash: D121C7B59013599FDB10CF9AD984BDEFBF4FB48310F10841AE558A7250D378A644CFA5

Function 02CFCCC8 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02CFCD3B

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6bcf3b389e9421f15ff7ce0a02ad6d83dbc0cdd5b3caaecc189226382fd47c39
Instruction ID: bc00b004a669d0a3e607bfd7262788eef023e8237143c7a6d02050efbb590eaa
Opcode Fuzzy Hash: 6bcf3b389e9421f15ff7ce0a02ad6d83dbc0cdd5b3caaecc189226382fd47c39
Instruction Fuzzy Hash: CF1107B2D002498FDB50CF9AC944BDEFBF5EB88310F14842AD528B3250D378A645CFA5

Function 02CFCD88 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02CFCDF9

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 088358b2c06e770da51dd631e9ae28c14bf89710db17991e5a8d9ff3bac72534
Instruction ID: 76832dce6e3fdb2c53012f80728daa9b5a375719e4b26d3bcd96a5edacfcba04
Opcode Fuzzy Hash: 088358b2c06e770da51dd631e9ae28c14bf89710db17991e5a8d9ff3bac72534
Instruction Fuzzy Hash: C121D3B5901359DFDB10CF9AD984ADEFBF8FB48310F10842AE958A3250D378A644CFA5

Function 02CFBD38 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02CFBDAE

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: edb4ae35faf000136b4a100b02e062e38fd0d91c821dd4f4e117e97fcfc04fac
Instruction ID: 4707475a300c209b153f385e314824642893bb8c93d975d1dc5af7346ac9dcb1
Opcode Fuzzy Hash: edb4ae35faf000136b4a100b02e062e38fd0d91c821dd4f4e117e97fcfc04fac
Instruction Fuzzy Hash: 6C116A728002489FCB10DFAAC844BDFBFF5EF48314F108419E519A7250CB39A940CFA1

Function 02CFCCD0 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02CFCD3B

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1544c399ef35bfc1b661b2de47634523ced63d988970b4d7243eda173c52f71e
Instruction ID: 625bfc1aac382b19504666b3c8131b0ab49839ac74adbc423cacf73ff7d239f3
Opcode Fuzzy Hash: 1544c399ef35bfc1b661b2de47634523ced63d988970b4d7243eda173c52f71e
Instruction Fuzzy Hash: 321107B2D002498FDB50CF9AC944BDEFBF5EB88310F14842AD528A3250D378A645CFA5

Function 02CFBD40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02CFBDAE

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a6b6d6260bcf489b1b8e17381f7217afe23cb536cb32ce64fa50f18041191e6b
Instruction ID: 99ef66bf2dcd76c87afa5fd1487f7b237a8d4049b633853571768968d1379972
Opcode Fuzzy Hash: a6b6d6260bcf489b1b8e17381f7217afe23cb536cb32ce64fa50f18041191e6b
Instruction Fuzzy Hash: CE113A719002499FCB10DFAAC844ADFBFF5EF48314F108419E519A7250CB75A940CFA1

Function 02CFBDF8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02CFBE62

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 794c116996d9c445948f91836da8d732fafcc48d8de88424ce5be474678ea883
Instruction ID: d70711d87ec7861ec8f52678ab847653cf433bd8856c4303955e88757936df06
Opcode Fuzzy Hash: 794c116996d9c445948f91836da8d732fafcc48d8de88424ce5be474678ea883
Instruction Fuzzy Hash: 441116B19002498FCB10DFAAC4457EEFBF5EB88314F24841AD519A7250CB79A944CFA5

Function 02CFBE00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02CFBE62

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f6ba5fd01e3f1ea87d57012a533fd0a5e0c012a3744e2a4c0849f5a4471382e6
Instruction ID: 38104db5bc5d8391a3f4c54dbff077f1acaed15419bc327d315adecc7aa4cb8e
Opcode Fuzzy Hash: f6ba5fd01e3f1ea87d57012a533fd0a5e0c012a3744e2a4c0849f5a4471382e6
Instruction Fuzzy Hash: 231125B19003498FCB20DFAAC4457AEFBF5EF88324F208419D519A7250CB79A944CFA4

Function 0112AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0112AF9E

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 32beed9f6952a8ee927de69aca4a149d05bfc813b3508c69a39952da9c0bfb27
Instruction ID: 98a6bf6e25fa474d65480bf55f91c32c9b6a54256a945681214a69fe4300b26a
Opcode Fuzzy Hash: 32beed9f6952a8ee927de69aca4a149d05bfc813b3508c69a39952da9c0bfb27
Instruction Fuzzy Hash: E9110FB5C002598FDB14CF9AD544ADEFBF4AF88214F10841AD928A7650C379A545CFA1

Function 02CF1B30 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02CF1B95

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7852e3f6bf70cc36b8079e563a7a5f443a33ff934b48272acc5f5afcd3548987
Instruction ID: 0d5472e7821bd821b211188b95a123b9c8cd8a26d36a6d737c640ecf6f426999
Opcode Fuzzy Hash: 7852e3f6bf70cc36b8079e563a7a5f443a33ff934b48272acc5f5afcd3548987
Instruction Fuzzy Hash: FE11F2B5800248CFDB50CF99D584BEEBFF8EB88320F24845AD958A7250C379A944CFA5

Function 02CF1B38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02CF1B95

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d1db784ce354fba115970869bac8a3227b966e3ca3a85c5e64db9ee2c1c554a6
Instruction ID: 92efd3683fa3c42cac389231f83df37d100f5646a34c1df201de6ff652aa2e79
Opcode Fuzzy Hash: d1db784ce354fba115970869bac8a3227b966e3ca3a85c5e64db9ee2c1c554a6
Instruction Fuzzy Hash: 3C1103B5800248CFDB10DF9AC584BDEBBF8EB48320F20841AD918A3200C378A944CFA5

Function 0106D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289820423.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9359631de9f2168074af50c1668e34b9c031e7cbb4e74aef5b6952c7169f08f9
Instruction ID: 438603067383d736d935190bcc6b9deec772ee1a94b3a4516e0538b69d486ff5
Opcode Fuzzy Hash: 9359631de9f2168074af50c1668e34b9c031e7cbb4e74aef5b6952c7169f08f9
Instruction Fuzzy Hash: 83214871600244DFDB05DF58C9C0F5ABFA9FB98314F20C1A9E9890B256C73AE806C7A1

Function 0107D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289877721.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20447a5d8f39c6028ddc56c260ad931906abc6597a9e6149c1e299a08cdd08b0
Instruction ID: ad13960cc0d70a776f055616734af62c6b8569ad9da0c1ad56f7504374f5bb2d
Opcode Fuzzy Hash: 20447a5d8f39c6028ddc56c260ad931906abc6597a9e6149c1e299a08cdd08b0
Instruction Fuzzy Hash: 44212571A04200DFCB16DF68D980B16BFA5FF84314F20C5ADE9890B256C33AD407CBA1

Function 0107D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289877721.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618e99f69cde88daa95e649931248753f95a862de6d401eef0c87e346f39e6c0
Instruction ID: 6eafa495d2f4483f8d8632abcf2ae0e5a9489273ba10deb04ade340a9aeffe3a
Opcode Fuzzy Hash: 618e99f69cde88daa95e649931248753f95a862de6d401eef0c87e346f39e6c0
Instruction Fuzzy Hash: D9210871904244DFDB05DF58D5C4B2ABFA5FF84324F24C5A9E9890B246C33AD406CBB5

Function 0107D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289877721.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4405460ae52a293c97faf1d4fc2adb2248620e9783e3a8543f375a8687f46e17
Instruction ID: 9098359b5d9d2b8aaa30f2e2ac662886be6ee29c8dbc5f4a1f9c2297eec3ffc5
Opcode Fuzzy Hash: 4405460ae52a293c97faf1d4fc2adb2248620e9783e3a8543f375a8687f46e17
Instruction Fuzzy Hash: 272165755093808FD713CF64D594715BFB1EF46214F28C5DAD8898F667C33A980ACBA2

Function 0106D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289820423.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: c495165a07be342fbee8c0a19b3a496aa640a60f98b9cbedfbdea9aa7040785f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 19110372504240CFDB02CF44D5C4B56BFB1FB88324F24C6A9D9890B257C33AE85ACBA2

Function 0107D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289877721.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 701dc946067caf6b2d4c839f93319957c105313c9f6067d011d8d996385f57bd
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 7B11B275904280DFDB12CF14D5C4B19FFA1FB84324F28C6AAD8894B656C33AD40ACBA2

Non-executed Functions

Function 02CFAD51 Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02CFAD8F
$]q, xrefs: 02CFAD76

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 5b57b3b94a52a42cba036ce30058e4c337adac1110a60150c9fecac8f6366ed7
Instruction ID: 48c9d287997012b485ac2cdb7768bbefcab0626f76d3ea81f8f5a67ae95f9153
Opcode Fuzzy Hash: 5b57b3b94a52a42cba036ce30058e4c337adac1110a60150c9fecac8f6366ed7
Instruction Fuzzy Hash: D281A471B042188BCB9C9F75945427E7BA7BFC8714F058529E54BEB388CF398C069B92

Function 02CF0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de2d703e0cd6799bcf3c86e4eea680a110c1bfe88b189a15ed06eb1bf6d8b8f
Instruction ID: 18bfd61af1c0e4e17d5e5162ae7bb48061f04f4f272fd105880fbedf2a040d5b
Opcode Fuzzy Hash: 2de2d703e0cd6799bcf3c86e4eea680a110c1bfe88b189a15ed06eb1bf6d8b8f
Instruction Fuzzy Hash: EE128EB44017468AE331CF69E94C18D7AF1BB85328B90870DDA616F2F9DBB8158BCF45

Function 0112D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3290162730.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06a6f1e9acab7ea38d23fb1fe8b69ccb3a0df6cb99a48552d8e0baa34e5e0f0
Instruction ID: f3f9de33fcdb492c5c37c9e379e59e6f32757c0f4a422e382ec1542b85757b13
Opcode Fuzzy Hash: a06a6f1e9acab7ea38d23fb1fe8b69ccb3a0df6cb99a48552d8e0baa34e5e0f0
Instruction Fuzzy Hash: 4CA1A435E0021ACFCF19DFB4C84499EBBB2FF84304F15416AE901AB265DB35E916CB40

Function 02CF0007 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3291146599.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7566f5567696e4f05903942b282632a0cf5deb6934b4e81b0159247f445563
Instruction ID: 6d9e5c3c5396eaf6eb1246895c4149d2c3c6b2bee3cbf59bcabfc8167bfbc39f
Opcode Fuzzy Hash: 9f7566f5567696e4f05903942b282632a0cf5deb6934b4e81b0159247f445563
Instruction Fuzzy Hash: F1D1F2B08017468BE721CF69E84818D7BF1BB85328B54870DD9A16F2F9DBB8158BCF45

Analysis Process: MtxN2qEWpW.exePID: 5952, Parent PID: 5784COMMON

Executed Functions

Function 04F56730 Relevance: 6.7, Strings: 5, Instructions: 446COMMON

Download Yara Rule

Strings

,aq, xrefs: 04F569F2
,aq, xrefs: 04F56A00
(o]q, xrefs: 04F56988
(o]q, xrefs: 04F5697A
(o]q, xrefs: 04F56CA5

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: 442ab7b3ef5c939e0e43cf0b8a2be8351c9484b39ef2ca1aee9d4f3f94a52ed1
Instruction ID: dc1e26538f2a15e4c2181da6bf1ec903cce17a9ed4d3aa5656cef1f0bc2d2093
Opcode Fuzzy Hash: 442ab7b3ef5c939e0e43cf0b8a2be8351c9484b39ef2ca1aee9d4f3f94a52ed1
Instruction Fuzzy Hash: 76025E71A00109DFEB14CF68D988AADBBB2FF48305F548069E929EB271D730ED42CB51

Function 04F5B328 Relevance: 6.6, Strings: 5, Instructions: 351COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04F5B562
Lj@p, xrefs: 04F5B6CF
Lj@p, xrefs: 04F5B6E5
PH]q, xrefs: 04F5B747
PH]q, xrefs: 04F5B758

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: c15459ca488e573e4b59b23b35270a5a1658b31b6029910f18b88323e81ab02c
Instruction ID: 1b9ab7ff01026d26efc88bfae179784c4f7c84991c280f7bc9ab84931de66eb2
Opcode Fuzzy Hash: c15459ca488e573e4b59b23b35270a5a1658b31b6029910f18b88323e81ab02c
Instruction Fuzzy Hash: 84E1E875E00618DFDB14CFA9D984A9EBBB1FF48310F1584A9E919AB361DB30B842CF50

Function 04F5C751 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

PH]q, xrefs: 04F5C9A7
Lj@p, xrefs: 04F5C945
0o@p, xrefs: 04F5C7C2
PH]q, xrefs: 04F5C9B8
Lj@p, xrefs: 04F5C92F

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 72cb796251d6d3172209e17b38a33dc1ae978381348eeebb6b5bb1621c496afe
Instruction ID: 439b52d9fbec88dbe6df1364688b0d0d5080697990869b332f21852cf7d05f57
Opcode Fuzzy Hash: 72cb796251d6d3172209e17b38a33dc1ae978381348eeebb6b5bb1621c496afe
Instruction Fuzzy Hash: 1981C774E00258DFDB14DFA9D984A9DBBF2BF88300F14C469E949AB365DB34A942CF10

Function 04F5BEB0 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 04F5C0A5
0o@p, xrefs: 04F5BF22
PH]q, xrefs: 04F5C107
PH]q, xrefs: 04F5C118
Lj@p, xrefs: 04F5C08F

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 482c8d05a9357a65caee29cbe3e1b839d8eef8e10a130d50cc5496849435e74f
Instruction ID: f3c4d9958d51a357f984c7f0306fac389632b1959743cce4c1529cb9ed8bddd4
Opcode Fuzzy Hash: 482c8d05a9357a65caee29cbe3e1b839d8eef8e10a130d50cc5496849435e74f
Instruction Fuzzy Hash: D781A474E00258CFDB14DFA9D984A9DBBF2BF89300F14D069D909AB365DB34A946CF10

Function 04F5C190 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 04F5C36F
Lj@p, xrefs: 04F5C385
0o@p, xrefs: 04F5C202
PH]q, xrefs: 04F5C3F8
PH]q, xrefs: 04F5C3E7

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 721fb2fe0aafce31785c3cc44503629082cf02ecf74817733f2fb47f23f26524
Instruction ID: 352ceef30f0a32405494493c089dfc5a9874bd19d440053296d3132a17c5fa8d
Opcode Fuzzy Hash: 721fb2fe0aafce31785c3cc44503629082cf02ecf74817733f2fb47f23f26524
Instruction Fuzzy Hash: 6681A674E00258DFDB14DFA9D984A9DBBF2BF89300F14C069D909AB365DB34A942CF10

Function 04F5BBD2 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

PH]q, xrefs: 04F5BE38
Lj@p, xrefs: 04F5BDC5
Lj@p, xrefs: 04F5BDAF
0o@p, xrefs: 04F5BC42
PH]q, xrefs: 04F5BE27

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 601d32bda83860dd41bdbffd3180ec07cb47b40204e9ad92c477d666660d7ba3
Instruction ID: 49a41304c4f40eb282ce1fb3f4e9215033613a323caef7c18950f2506bbc7790
Opcode Fuzzy Hash: 601d32bda83860dd41bdbffd3180ec07cb47b40204e9ad92c477d666660d7ba3
Instruction Fuzzy Hash: E0819374E00218DFDB14DFA9D984A9DBBF2FF89300F14C469E919AB265DB34A946CF10

Function 04F54AD9 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 04F54D41
PH]q, xrefs: 04F54D30
Lj@p, xrefs: 04F54CB8
Lj@p, xrefs: 04F54CCE
0o@p, xrefs: 04F54B4A

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 43a6480b3392e0a7b3e835ad6f49354afe0c0ed1bbdd0a5b517faf3a29951b71
Instruction ID: 899fe64bd72a09c7d59ca594149f4c9235dc9c87659a39e32f0a97e677f222f7
Opcode Fuzzy Hash: 43a6480b3392e0a7b3e835ad6f49354afe0c0ed1bbdd0a5b517faf3a29951b71
Instruction Fuzzy Hash: F4819474E00218DFDB14DFA9D984A9DBBF2BF88301F148169D919AB365DB34A986CF10

Function 04F5CA31 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 04F5CC98
0o@p, xrefs: 04F5CAA2
PH]q, xrefs: 04F5CC87
Lj@p, xrefs: 04F5CC0F
Lj@p, xrefs: 04F5CC25

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 43652c4a4d998f04d27245d59c95f337a52f686a9356bd6a3e7d8b6b2dbeeb7c
Instruction ID: 4b8eb1b61158cc57c97e380a7f51c358b0e7eaccce36638f9e2ec33fb319ad49
Opcode Fuzzy Hash: 43652c4a4d998f04d27245d59c95f337a52f686a9356bd6a3e7d8b6b2dbeeb7c
Instruction Fuzzy Hash: F3819674E00258DFDB14DFA9D994A9DBBF2BF88300F14C069E919AB365DB34A946CF10

Function 04F5C470 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 04F5C64F
0o@p, xrefs: 04F5C4E2
Lj@p, xrefs: 04F5C665
PH]q, xrefs: 04F5C6C7
PH]q, xrefs: 04F5C6D8

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: a0d24f377a851402193442f0320ee0ccac1a62eec83ba193e5200a281920f413
Instruction ID: d4fbc118f9cef0433be2b4bc8b875a3a770077253708da2ae788391fed85bb45
Opcode Fuzzy Hash: a0d24f377a851402193442f0320ee0ccac1a62eec83ba193e5200a281920f413
Instruction Fuzzy Hash: 9481B574E00258DFDB14DFA9D984A9DBBF2BF88310F14D069E909AB365DB34A942CF10

Function 04F5B4F3 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04F5B562
PH]q, xrefs: 04F5B747
PH]q, xrefs: 04F5B758

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: d34c9971e429c142294fb43f50b5b20ebbdfab7085600f469ab52cff86303439
Instruction ID: d466ec3e86cc61e4a45ac3ec8214ec9ba895e676de56135935c51e888df8e8a8
Opcode Fuzzy Hash: d34c9971e429c142294fb43f50b5b20ebbdfab7085600f469ab52cff86303439
Instruction Fuzzy Hash: 97619674E006089FDB18DFAAD984A9DBBF2FF88300F14C469D915AB365DB34A942CF50

Function 04F59858 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

(o]q, xrefs: 04F59C78
4']q, xrefs: 04F5A273

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 724aec2e402f063c1ad0c2d9a17ea3d7abe0e02cd90d653df5cf7d6bb1355897
Instruction ID: cdd045e3d23d7b9c09bd53e6b20497bab16a54d3bd318339e583e00a7c39cc6a
Opcode Fuzzy Hash: 724aec2e402f063c1ad0c2d9a17ea3d7abe0e02cd90d653df5cf7d6bb1355897
Instruction Fuzzy Hash: 0D729F71A00209DFCB15DF68D984AAEBBF2FF88300F158559E9169B2A1D770F952CF90

Function 04F56108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Haq, xrefs: 04F5650E
(o]q, xrefs: 04F56642

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 4ea499bdf12bf0632499d718fde03f3f44fea43acc9218140f42ca94e22e6cb2
Instruction ID: f21f8cfffb8952d114e08488f852e06d86a50dcab9a6c4daddec66c743e7c030
Opcode Fuzzy Hash: 4ea499bdf12bf0632499d718fde03f3f44fea43acc9218140f42ca94e22e6cb2
Instruction Fuzzy Hash: 86128171A001198FEB14DF69D854AAEBBF6FF88304F108559E959DB391DF34AD42CB80

Function 04F53570 Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

$]q, xrefs: 04F53596
Xaq, xrefs: 04F535AF

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 18c2f2386048945f18c19a5f19b39717fc752e585c5e406a353cf4aa4977081c
Instruction ID: a3344bc40ed954cdc9bed9a8489c2b8bcca7b5ae38adfe70eff8f47a45e7eabb
Opcode Fuzzy Hash: 18c2f2386048945f18c19a5f19b39717fc752e585c5e406a353cf4aa4977081c
Instruction Fuzzy Hash: 12F15075F002488FDB08DFB9D8945AEBBB2FF88701B148469D946AB358DF35A803CB51

Function 04F56E58 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(o]q, xrefs: 04F57367
(o]q, xrefs: 04F5701A
(o]q, xrefs: 04F56F7D
,aq, xrefs: 04F57308
,aq, xrefs: 04F572F8
(o]q, xrefs: 04F56F51
(o]q, xrefs: 04F57377
(o]q, xrefs: 04F56E96

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: c6dbcaf70bf36d02d0590d67aebcdb8c5a3c004c39e1464e9d831c318e9b91cc
Instruction ID: 8038f299c27c9bc65ef40ae648cfa74f26260caf0dba054c3157a546f9c8b61b
Opcode Fuzzy Hash: c6dbcaf70bf36d02d0590d67aebcdb8c5a3c004c39e1464e9d831c318e9b91cc
Instruction Fuzzy Hash: DB124830A006098FCB14EFA9D984A9EBBF6FF49314F158569E919DB261D730FD42CB50

Function 04F587E9 Relevance: 4.2, Strings: 3, Instructions: 498COMMON

Download Yara Rule

Strings

;]q, xrefs: 04F58C2C
4']q, xrefs: 04F58837
4']q, xrefs: 04F58811

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 72aa42581b1bf22cb603e767adca3bcdaf8d7168d9f6623ea0d41f2ecb0be793
Instruction ID: a5e81478d73a405cdc52915606f980129f685f094aea94fe750411b743f496e0
Opcode Fuzzy Hash: 72aa42581b1bf22cb603e767adca3bcdaf8d7168d9f6623ea0d41f2ecb0be793
Instruction Fuzzy Hash: 47F1B1717041018FDB15BB39C958B3937AAEF85785F0444AAEA02CF3B1EA68EC53D742

Function 04F577F0 Relevance: 3.2, Strings: 2, Instructions: 704COMMON

Download Yara Rule

Strings

$]q, xrefs: 04F58314
$]q, xrefs: 04F58337

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 9545995d13d01cb90e0beb29f70b6803862945c80809edbe4867530f6f3e52db
Instruction ID: 9856ef01839089a161aa96e5c13bdbbcd32fe647fd46b4a58c2ddfd71c9c9c19
Opcode Fuzzy Hash: 9545995d13d01cb90e0beb29f70b6803862945c80809edbe4867530f6f3e52db
Instruction Fuzzy Hash: FC522F74A00218CFEB159BA4D960BEEBB76FF84300F1080ADC54A6B365DB359D46DF91

Function 04F556A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Haq, xrefs: 04F55793
Haq, xrefs: 04F557C6

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 758fa9ac5506c449ef0410b781fe160190c0105248702f6b0e7988936a10e19a
Instruction ID: 81a056aa24b0179ce4b518112514f53b0490b1ef88db38cbe27460211b19ea92
Opcode Fuzzy Hash: 758fa9ac5506c449ef0410b781fe160190c0105248702f6b0e7988936a10e19a
Instruction Fuzzy Hash: 30B1E231B04219AFDB159F68D494B6E7BA2FF85300F049469EA46CB3A8DF34EC02C791

Function 04F55C08 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,aq, xrefs: 04F55CDE
,aq, xrefs: 04F55CE8

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: d9228cc73624078d1875aefedf53904914df8bc46ecfd809be422f28e327a128
Instruction ID: 14bfc26421da6b9b93277d07f643499872865b57bdf54366d189950fde507af9
Opcode Fuzzy Hash: d9228cc73624078d1875aefedf53904914df8bc46ecfd809be422f28e327a128
Instruction Fuzzy Hash: 2A81A035B04105AFCB14DFA9C8889AAB7F2FF89304B159169DA15DB379D731F842CB90

Function 04F53428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 04F53435
Xaq, xrefs: 04F5345E

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 56c72cffecde6f71112a27371bef97a0748d40d79c05471605699c8b2d16b75f
Instruction ID: 4434a52d021c7deb55fe897e50ed85cca9df512bf2af0cbb662c50499883884b
Opcode Fuzzy Hash: 56c72cffecde6f71112a27371bef97a0748d40d79c05471605699c8b2d16b75f
Instruction Fuzzy Hash: 8F310632F003268BDB1D5EAE598427FA5DAEBC0290F144439DE06C73A4DB74DC078691

Function 04F50C8F Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

LR]q, xrefs: 04F50E5E

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: a0a166078e4755200b243073559be5222044b4e6f806e53d4507f6c089f530b4
Instruction ID: 446204126ffa7b9421c15392d74c8860182c3190229a7507da5c50f065be80d5
Opcode Fuzzy Hash: a0a166078e4755200b243073559be5222044b4e6f806e53d4507f6c089f530b4
Instruction Fuzzy Hash: 8722B674A0021ACFCB54EF64ED94A9EBBB5FF89301F1085A5D849A7368DB346D46CF80

Function 04F50CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR]q, xrefs: 04F50E5E

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: c7f19dccdf01d99e1d8ea5f37f9caf0c3606f6feee352970b33a00c761a9b466
Instruction ID: 51fe974c1f8d2ff905acb90d4b2ad51c0af4469296f2a710167020beb0ff21b6
Opcode Fuzzy Hash: c7f19dccdf01d99e1d8ea5f37f9caf0c3606f6feee352970b33a00c761a9b466
Instruction Fuzzy Hash: BB22B674A0021ACFCB54EF64ED94A9EBBB5FF89301F1085A5D849A7368DB346D46CF80

Function 04F5A650 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(o]q, xrefs: 04F5A7D9

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 3782133788c9008baadf8c751f1f8022fe2a4cf31d20c706f6bfdb5802d439fe
Instruction ID: 627327beec1ba29b32048f980730894db9032c61f7f5f63a82cfa80c546484f9
Opcode Fuzzy Hash: 3782133788c9008baadf8c751f1f8022fe2a4cf31d20c706f6bfdb5802d439fe
Instruction Fuzzy Hash: 0E41D035B002089FC7049F68E894AAE7BF6FFC9611F108469DA06D7391CE349C02CBD1

Function 04F577E0 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837383093ffbd0f4c4ea4c996b9fad515d082b9e47790f1d336dd55ef206fb63
Instruction ID: 57299536d2171c96d61cf57b146f215b0bed2ced3816afd8305f2bd5d5d64b0f
Opcode Fuzzy Hash: 837383093ffbd0f4c4ea4c996b9fad515d082b9e47790f1d336dd55ef206fb63
Instruction Fuzzy Hash: 28420A74A00218CFEB159BA4C960BDEBB77FF94300F1080ADC64A6B3A5CA355E46DF91

Function 04F5A818 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba2f9a1601323b1f89f808ae8be01f22c6b912a9493f064f60ad048e23e8af1
Instruction ID: 87f9df6d12f9834ac19e097042143f60a8982898c106a5eeadd8ba3b4bec818c
Opcode Fuzzy Hash: 6ba2f9a1601323b1f89f808ae8be01f22c6b912a9493f064f60ad048e23e8af1
Instruction Fuzzy Hash: 13F11A71E001159FCB04CFA9D98899DBBF6FF88310B1A8159EA15AB371DB35EC52CB90

Function 04F57438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a5ad90a996708d253cec829a5f81eb77f84adb473e950396f2620aaed1a01f
Instruction ID: 3596f386e8717c5cce71f6a146bc21890778203cb5675820da1858cfae12e82e
Opcode Fuzzy Hash: 02a5ad90a996708d253cec829a5f81eb77f84adb473e950396f2620aaed1a01f
Instruction Fuzzy Hash: A771FC75B00605CFCB15EF29C898A6E7BE5AF49700F1540A9EA16CB3B1DB74EC42CB91

Function 04F5CEC7 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac777440dbb333a79105d197dfbd8469414df5b08b7fb8628040533e2b4ee883
Instruction ID: f655615e414e8fc7969d9077dace618d6e28cfc016811a05f4b173a9aada8006
Opcode Fuzzy Hash: ac777440dbb333a79105d197dfbd8469414df5b08b7fb8628040533e2b4ee883
Instruction Fuzzy Hash: ED51A13502234BCFD7542F20B9ED16BBB75FB0F3277496C15A84E910169B3E5845CBA2

Function 04F5CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661a1c73d47aad995d23598c3c5fe391eb70fb353e5b0763afdf924b4c059834
Instruction ID: 458e4d7dfdfbb7a17d31e1223ffd162b730fbb7e54b822b0ec6a32deda296518
Opcode Fuzzy Hash: 661a1c73d47aad995d23598c3c5fe391eb70fb353e5b0763afdf924b4c059834
Instruction Fuzzy Hash: 14518D3402234BCFD6542B24B9ED12BBBB5FB4F3277486D14A84E9101A9B7E58458BA2

Function 04F5CD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ebc6566af9397686fcdb58b9846a97969356d711e3f050ab75936f9b039b05
Instruction ID: 3af6c4bfd539648df47749748888c055b6b12443b278fdc54c5eaef12d4b8eea
Opcode Fuzzy Hash: c8ebc6566af9397686fcdb58b9846a97969356d711e3f050ab75936f9b039b05
Instruction Fuzzy Hash: 9B517074E11208DFDB44DFA9D9949DDBBF2BF89300F248169E819AB364DB31A902CF50

Function 04F53908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1e27d1c8638b209b00b72f6dcfc085e6c5de79ec979deae6fd88401339cdb9
Instruction ID: 38034d5c4fb666c003946b721504276efb6dd8a33f80034303676318737fe198
Opcode Fuzzy Hash: 3f1e27d1c8638b209b00b72f6dcfc085e6c5de79ec979deae6fd88401339cdb9
Instruction Fuzzy Hash: AC51A874E01208CFDB08DFA9D99099DBBF2FF89304B209469E905AB324DB35AD46CF50

Function 04F59A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1af508117419d1023b62e32719db70b14cc66e477c6f70616f64e84774495f7
Instruction ID: 9fb22af6f37bb93a3a6b182bd2dc69823ac6731e9b1c0ed7b7674d7b47e0121e
Opcode Fuzzy Hash: a1af508117419d1023b62e32719db70b14cc66e477c6f70616f64e84774495f7
Instruction Fuzzy Hash: 9941AFB1A04249DFCF19CFA4C844E9DBFB2EF49310F048555EE159B2A2D3B4E912DBA1

Function 04F54DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367dc4df223ba10b27214606fc4ad5a362ebd6b17977e706e50f0d31000ddfa4
Instruction ID: 3490c7b23058c49225daf00f3e5b20b235c0d2c861857a99cb8c95455f7b48b7
Opcode Fuzzy Hash: 367dc4df223ba10b27214606fc4ad5a362ebd6b17977e706e50f0d31000ddfa4
Instruction Fuzzy Hash: 5031847170010AAFDB069F64E894AAE7BA2FF89305F104418FE558B250CB35EC62DBD1

Function 04F576D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a4b5275dbb1595b4495a2f3202226a50b5d3365f089c26a9820febebe2fd15
Instruction ID: 6780f28e83a4f99e2be83952ae179802ce67e4ddec7ca1e5372b25a7f334808d
Opcode Fuzzy Hash: f9a4b5275dbb1595b4495a2f3202226a50b5d3365f089c26a9820febebe2fd15
Instruction Fuzzy Hash: 8821D1357042004FDB156B39B89493A36D79FC5619F1441A9DB06CB765EE28EC43D7C1

Function 04F5A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42e8ee5d2a931ed519b1c88f8d48ad39c79cfec1a2280ab8c605776a43872aa
Instruction ID: 9695f0f18778cef96e1c23f566e2bfd6bd38d07c8a5c6a5fecd1402bf8c20add
Opcode Fuzzy Hash: b42e8ee5d2a931ed519b1c88f8d48ad39c79cfec1a2280ab8c605776a43872aa
Instruction Fuzzy Hash: DF315270E005198FCB04CFA9C8889AEBBB2FF85750B158659E9559B3B1CB34EC13CB90

Function 04F576E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c734b1690803415cc9aecb3ca1fcc7bc18c73318a9d11277585874bc186a32bf
Instruction ID: 3c4fa5047ab7574306377aeaa80fe11d021aa5dbffb4880099f895d1832114d5
Opcode Fuzzy Hash: c734b1690803415cc9aecb3ca1fcc7bc18c73318a9d11277585874bc186a32bf
Instruction Fuzzy Hash: 1A2190357042054BEB152B29B894A7A36DB9FC4618F144078DB06CB7A4EE69EC43D3C1

Function 04F55A63 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d82dac24db5f39554f33308b28d3dad3a6398f62684016a8a68f480c4e8fef
Instruction ID: 4f4594407f9bcf089e9a8862f3c47170cf87e1a24e9b90295e854641784e1b25
Opcode Fuzzy Hash: 15d82dac24db5f39554f33308b28d3dad3a6398f62684016a8a68f480c4e8fef
Instruction Fuzzy Hash: B421F231B01611AFD3269B25D8E452EB7A2EFC671570581A9E906CB369CE34EC038BC1

Function 04F52060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6817455a40786a6dff54dc69ea1dc691d5966bc7d62e2563443e5c2d05a5cc3a
Instruction ID: 90ef4b5d61bee850d2b17e1eb9db9424903a96b246ef13a80005fdb1b5e55df8
Opcode Fuzzy Hash: 6817455a40786a6dff54dc69ea1dc691d5966bc7d62e2563443e5c2d05a5cc3a
Instruction Fuzzy Hash: 0B21E031E001059FCB14DF64C8809AE37A6EB98264F11C159D90A8B250DB35FA47CFC2

Function 04F5215C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcade9b03b936bc7e6477e8148a13e55b60e1499c9599b7e564a3120dfd4774
Instruction ID: 438306765955aca0895994b385245a765b91379e1b332282a0be9f0d3e744150
Opcode Fuzzy Hash: fdcade9b03b936bc7e6477e8148a13e55b60e1499c9599b7e564a3120dfd4774
Instruction Fuzzy Hash: 66115972E0425D9FCB01DBF8AC008DEBB71FF89210B258796DA26B7151E631290ACB91

Function 04F5D122 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70eb66631a2d6826a7906c4d6272edccdfbc10968436478884dc236970df02f8
Instruction ID: 8cfc32391eb8bb3973452cff27eb987e1234b2a93c6c2d34c6b1e5b70f7fc791
Opcode Fuzzy Hash: 70eb66631a2d6826a7906c4d6272edccdfbc10968436478884dc236970df02f8
Instruction Fuzzy Hash: 43211431C12219DEDB10EFE8E9446EDFBB0FF4A301F109629D90877254EB346A5ACB80

Function 04F5D218 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac16affece8e84be8a6ce6e2d3bed0e80300529e707b9957c269227f959efdb5
Instruction ID: 19f66ce503e9f287ce98a859407b324ab96a6436d2763fffa2edb6bb6392a6d7
Opcode Fuzzy Hash: ac16affece8e84be8a6ce6e2d3bed0e80300529e707b9957c269227f959efdb5
Instruction Fuzzy Hash: 5621E834912218DFCB18DFB4E850AEEB7B2FF89305F10A829D84577265CB399942CF65

Function 04F54DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b53db63c769d98a82cde91956acbb3129e4764a0f2368c77eb205f0b5b03a5
Instruction ID: f5f04ad302a8f021498ddc1b4b90db855c66a2b6cd747b4096f5755836a08625
Opcode Fuzzy Hash: 10b53db63c769d98a82cde91956acbb3129e4764a0f2368c77eb205f0b5b03a5
Instruction Fuzzy Hash: C4210871A441099FD705AF64E8547AB7BA2FF85304F104029F9458B350CB34EC93CBD0

Function 04F539ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8c14def934ae7aced0001c37b340f95f58e2e9cb611ada9796890f016be624
Instruction ID: 0e36a0adce8b3139d7e78c849a9253a30e1c574aface2ec5a99a879ed9f96242
Opcode Fuzzy Hash: 3e8c14def934ae7aced0001c37b340f95f58e2e9cb611ada9796890f016be624
Instruction Fuzzy Hash: 7131A978E11209CFCB44DFA8E99499DBBF2FF49305B208469E909AB324D735AD06CF41

Function 04F5D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ffc6e54a7100617aef12ab79d0ecf50e01a72a9f2c045c14d7df938c25b3b4
Instruction ID: 8f958f7d283255b4415b7a972e18880861e8abcff0c78ba2c9850cd0713e921c
Opcode Fuzzy Hash: c8ffc6e54a7100617aef12ab79d0ecf50e01a72a9f2c045c14d7df938c25b3b4
Instruction Fuzzy Hash: F221D8349012089FCB18DFB4E850AEDB7B2FF89305F109429D81577354DB3AA942CF65

Function 04F55A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b9ca9367cbc2396be4cb8c1a292f3679e6dd068f10cb9b90aa56be0682f6ff
Instruction ID: 3679d370f81ea236bb6a1787abbfc27d57f5d689708d850f276e18ab8fd6650e
Opcode Fuzzy Hash: 77b9ca9367cbc2396be4cb8c1a292f3679e6dd068f10cb9b90aa56be0682f6ff
Instruction Fuzzy Hash: FD11C231B01612ABC71A9A29D89892EB7A6FFC575171541A8EE06CB364DF24EC0387C0

Function 04F51F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d62fd6c08403e23eec83f644b6d5989d07baa8914573e30e4fac84f24928c0
Instruction ID: 546b15224e7a29cd0ed3f6db53c924e7737e6fd11497a60f019c2c77f1bdf81d
Opcode Fuzzy Hash: b1d62fd6c08403e23eec83f644b6d5989d07baa8914573e30e4fac84f24928c0
Instruction Fuzzy Hash: 152102B4D0460D8FCB41EFA8D4845EEBFB5FF8A300F14416AD845B7264EB346A46CB91

Function 04F51F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54a2e3a98228b9be15151653cbae30a830d473d598786a4e359573e9a368fc7
Instruction ID: c6422a9251fa9a5142d688dd881b44f727db998d6e1b58e239c647021a5d03d1
Opcode Fuzzy Hash: d54a2e3a98228b9be15151653cbae30a830d473d598786a4e359573e9a368fc7
Instruction Fuzzy Hash: B821C0B4C0520A8FCB41EFA8D9855EEBFF0FB49301F10916AD805B3225EB345A49CFA1

Function 04F55607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b9aceae35c2a172db12b735990ccffb3db9af35fcbb013b872ddc64d6749b2
Instruction ID: a7f35d0ef5c8f6b26c24e43dfbc99933e336b0894da7e22650064b659bbde951
Opcode Fuzzy Hash: 35b9aceae35c2a172db12b735990ccffb3db9af35fcbb013b872ddc64d6749b2
Instruction Fuzzy Hash: 80012D72B041156FDB029E64A8206EF3F97EBC9791B14802AF914D7254D971DC038790

Function 04F52010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7811beef39ee3b5dc4cf647b09a75622164038cb52f62a9e93567a9376201baa
Instruction ID: 9a0c7c3670c6fdee3df3af54237874525f678aa4665ee13d899112c406b5a097
Opcode Fuzzy Hash: 7811beef39ee3b5dc4cf647b09a75622164038cb52f62a9e93567a9376201baa
Instruction Fuzzy Hash: CCE0D835D152576BCB1197A0DC450DDBB34EE92214B054566D4683B141EB605A4BC391

Function 04F52020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c780883068a0946a4c5edf5abd6e1281522cb7b12db21aaea2cc04aef547c2
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: c8c780883068a0946a4c5edf5abd6e1281522cb7b12db21aaea2cc04aef547c2
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 04F58258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 415bd9cb1bc7dceaeaa33205d110173e530e6515ef65ad2d80c34eb00504d1dd
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A8C0123360C1282AA624208F7C40AA3AB8CC3C22F4A250137FA1CE3210A842AC9201A8

Function 04F5A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c19797e49062ee2f1cd7c97b2ba3caaeab5cb573ae273176b356269abd968fc
Instruction ID: 315af6ae003bfbc50eb9706f5a0523d30ea5f6ae9708371f351c022a5554cfbf
Opcode Fuzzy Hash: 0c19797e49062ee2f1cd7c97b2ba3caaeab5cb573ae273176b356269abd968fc
Instruction Fuzzy Hash: 9ED0677AB410189FCB049F98E8808DDBBB6FB9C221B048116E915A7261C6319921DB90

Function 04F55EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14116f88fd6aa717d2466490e51b6197fb11d0a52d9781e466c81b64f409fd5
Instruction ID: 39182b6b664d1c1b2d2c78d27152ee0542650f2b5ff1e82e3ff6009132accc2c
Opcode Fuzzy Hash: e14116f88fd6aa717d2466490e51b6197fb11d0a52d9781e466c81b64f409fd5
Instruction Fuzzy Hash: A6D05B7055C3460FC34FF770F9954643F29EEC1208B5081B598590911AEA7D4C0B87D1

Function 04F55EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459782b090bcf21c7c2a88927ae996cdcc729e568b033bbd8ee7b327c6800da8
Instruction ID: 89630dcc65769f4f389f84588bc888f14381777304e56a6c2a12a7e3208beea6
Opcode Fuzzy Hash: 459782b090bcf21c7c2a88927ae996cdcc729e568b033bbd8ee7b327c6800da8
Instruction Fuzzy Hash: E3C0127055430A4FC54EFB75FE85969772EFAC0204F508560A40A0A12DEF7D9C4986D4

Non-executed Functions

Function 04F56088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 04F560BA
\;]q, xrefs: 04F5609E
\;]q, xrefs: 04F56094
\;]q, xrefs: 04F560C6

Memory Dump Source

Source File: 00000002.00000002.2349900115.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f50000_MtxN2qEWpW.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 0104a0915da1bc1029c7c9bd396aa9f183c63e1bf694f5add8d7f06125688e88
Instruction ID: 7603609b304b1ea51530792f3b25a5ea4161c679293254e91bffd6f84490f88b
Opcode Fuzzy Hash: 0104a0915da1bc1029c7c9bd396aa9f183c63e1bf694f5add8d7f06125688e88
Instruction Fuzzy Hash: 8F018432B441148FEB648E2DC48492577EAAF88760755457AEA19CB3B4EE71EC43C790

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MtxN2qEWpW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MtxN2qEWpW.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
MtxN2qEWpW.exe

Function 02CFBF60 Relevance: 1.9, Strings: 1, Instructions: 619
COMMON

Function 0112AD48 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Function 02CFCA96 Relevance: 1.6, APIs: 1, Instructions: 138
processCOMMON

Function 02CFCAA0 Relevance: 1.6, APIs: 1, Instructions: 137
processCOMMON

Function 02CF18E4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 02CF18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 0112590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 01125A84 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 01124248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02CF4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 02CFBC48 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON