Edit tour

Windows Analysis Report
SBkuP3ACSA.exe

Overview

General Information

Sample name:	SBkuP3ACSA.exe renamed because original name is a hash value
Original sample name:	d0d28661ec38fa97bd723628c065471e1c58b6d3918fd988b43cdf0aee2815a3.exe
Analysis ID:	1587819
MD5:	22b0c4defec129bb6a33fc44f1499910
SHA1:	4f5d255970be2c547916a72d2db99ed5b02a89b7
SHA256:	d0d28661ec38fa97bd723628c065471e1c58b6d3918fd988b43cdf0aee2815a3
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SBkuP3ACSA.exe (PID: 3424 cmdline: "C:\Users\user\Desktop\SBkuP3ACSA.exe" MD5: 22B0C4DEFEC129BB6A33FC44F1499910)

SBkuP3ACSA.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\SBkuP3ACSA.exe" MD5: 22B0C4DEFEC129BB6A33FC44F1499910)

cmd.exe (PID: 3224 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 768 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "mail.yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3315691533.0000000005090000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a31:$a1: get_encryptedPassword 0x14d1d:$a2: get_encryptedUsername 0x1483d:$a3: get_timePasswordChanged 0x14938:$a4: get_passwordField 0x14a47:$a5: set_encryptedPassword 0x160c0:$a7: get_logins 0x16023:$a10: KeyLoggerEventArgs 0x15c8e:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18294:$x1: $%SMTPDV$ 0x182fa:$x2: $#TheHashHere%& 0x1997b:$x3: %FTPDV$ 0x19a6f:$x4: $%TelegramDv$ 0x15c8e:$x5: KeyLoggerEventArgs 0x16023:$x5: KeyLoggerEventArgs 0x1999f:$m2: Clipboard Logs ID 0x19bbf:$m2: Screenshot Logs ID 0x19ccf:$m2: keystroke Logs ID 0x19fa9:$m3: SnakePW 0x19b97:$m4: \SnakeKeylogger\
00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf4241:$a1: get_encryptedPassword 0x114e71:$a1: get_encryptedPassword 0x135891:$a1: get_encryptedPassword 0xf452d:$a2: get_encryptedUsername 0x11515d:$a2: get_encryptedUsername 0x135b7d:$a2: get_encryptedUsername 0xf404d:$a3: get_timePasswordChanged 0x114c7d:$a3: get_timePasswordChanged 0x13569d:$a3: get_timePasswordChanged 0xf4148:$a4: get_passwordField 0x114d78:$a4: get_passwordField 0x135798:$a4: get_passwordField 0xf4257:$a5: set_encryptedPassword 0x114e87:$a5: set_encryptedPassword 0x1358a7:$a5: set_encryptedPassword 0xf58d0:$a7: get_logins 0x116500:$a7: get_logins 0x136f20:$a7: get_logins 0xf5833:$a10: KeyLoggerEventArgs 0x116463:$a10: KeyLoggerEventArgs 0x136e83:$a10: KeyLoggerEventArgs
00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf7aa4:$x1: $%SMTPDV$ 0x1186d4:$x1: $%SMTPDV$ 0x1390f4:$x1: $%SMTPDV$ 0xf7b0a:$x2: $#TheHashHere%& 0x11873a:$x2: $#TheHashHere%& 0x13915a:$x2: $#TheHashHere%& 0xf918b:$x3: %FTPDV$ 0x119dbb:$x3: %FTPDV$ 0x13a7db:$x3: %FTPDV$ 0xf927f:$x4: $%TelegramDv$ 0x119eaf:$x4: $%TelegramDv$ 0x13a8cf:$x4: $%TelegramDv$ 0xf549e:$x5: KeyLoggerEventArgs 0xf5833:$x5: KeyLoggerEventArgs 0x1160ce:$x5: KeyLoggerEventArgs 0x116463:$x5: KeyLoggerEventArgs 0x136aee:$x5: KeyLoggerEventArgs 0x136e83:$x5: KeyLoggerEventArgs 0xf91af:$m2: Clipboard Logs ID 0xf93cf:$m2: Screenshot Logs ID 0xf94df:$m2: keystroke Logs ID
00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 3424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 3424	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 3424	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 3424	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x711f0:$a1: get_encryptedPassword 0x7143b:$a2: get_encryptedUsername 0x7101f:$a3: get_timePasswordChanged 0x71101:$a4: get_passwordField 0x71206:$a5: set_encryptedPassword 0x730d9:$a7: get_logins 0x7305a:$a10: KeyLoggerEventArgs 0x72dc8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SBkuP3ACSA.exe PID: 3424	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x72dc8:$x5: KeyLoggerEventArgs 0x7305a:$x5: KeyLoggerEventArgs 0x735c9:$x5: KeyLoggerEventArgs 0x7392a:$x5: KeyLoggerEventArgs 0x751a4:$m2: Clipboard Logs ID 0x7529b:$m2: Screenshot Logs ID 0x752f1:$m2: keystroke Logs ID 0x75426:$m3: SnakePW 0x75287:$m4: \SnakeKeylogger\
Process Memory Space: SBkuP3ACSA.exe PID: 2452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 2452	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SBkuP3ACSA.exe PID: 2452	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16792:$a1: get_encryptedPassword 0x16a74:$a2: get_encryptedUsername 0x165a8:$a3: get_timePasswordChanged 0x166a3:$a4: get_passwordField 0x167a8:$a5: set_encryptedPassword 0x18c82:$a7: get_logins 0x18be5:$a10: KeyLoggerEventArgs 0x18850:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SBkuP3ACSA.exe PID: 2452	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18850:$x5: KeyLoggerEventArgs 0x18be5:$x5: KeyLoggerEventArgs 0x191b2:$x5: KeyLoggerEventArgs 0x19513:$x5: KeyLoggerEventArgs 0x1ae7a:$m2: Clipboard Logs ID 0x1af71:$m2: Screenshot Logs ID 0x1afc7:$m2: keystroke Logs ID 0x1b0fc:$m3: SnakePW 0x1af5d:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SBkuP3ACSA.exe.3778610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SBkuP3ACSA.exe.3778610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SBkuP3ACSA.exe.3778610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e31:$a1: get_encryptedPassword 0x1311d:$a2: get_encryptedUsername 0x12c3d:$a3: get_timePasswordChanged 0x12d38:$a4: get_passwordField 0x12e47:$a5: set_encryptedPassword 0x144c0:$a7: get_logins 0x14423:$a10: KeyLoggerEventArgs 0x1408e:$a11: KeyLoggerEventArgsEventHandler
0.2.SBkuP3ACSA.exe.3778610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a779:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dde:$a4: \Orbitum\User Data\Default\Login Data 0x1ae1d:$a5: \Kometa\User Data\Default\Login Data
0.2.SBkuP3ACSA.exe.3778610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a09:$s1: UnHook 0x13a10:$s2: SetHook 0x13a18:$s3: CallNextHook 0x13a25:$s4: _hook
0.2.SBkuP3ACSA.exe.3778610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16694:$x1: $%SMTPDV$ 0x166fa:$x2: $#TheHashHere%& 0x17d7b:$x3: %FTPDV$ 0x17e6f:$x4: $%TelegramDv$ 0x1408e:$x5: KeyLoggerEventArgs 0x14423:$x5: KeyLoggerEventArgs 0x17d9f:$m2: Clipboard Logs ID 0x17fbf:$m2: Screenshot Logs ID 0x180cf:$m2: keystroke Logs ID 0x183a9:$m3: SnakePW 0x17f97:$m4: \SnakeKeylogger\
0.2.SBkuP3ACSA.exe.28e52ac.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2fb4:$a1: WriteProcessMemory 0xa3040:$a1: WriteProcessMemory 0xa3114:$a4: VirtualAllocEx 0xa3338:$a4: VirtualAllocEx 0xa33b8:$a4: VirtualAllocEx
0.2.SBkuP3ACSA.exe.5090000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.SBkuP3ACSA.exe.36e7f70.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.SBkuP3ACSA.exe.3799240.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SBkuP3ACSA.exe.3799240.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SBkuP3ACSA.exe.3799240.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e31:$a1: get_encryptedPassword 0x1311d:$a2: get_encryptedUsername 0x12c3d:$a3: get_timePasswordChanged 0x12d38:$a4: get_passwordField 0x12e47:$a5: set_encryptedPassword 0x144c0:$a7: get_logins 0x14423:$a10: KeyLoggerEventArgs 0x1408e:$a11: KeyLoggerEventArgsEventHandler
0.2.SBkuP3ACSA.exe.3799240.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a779:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dde:$a4: \Orbitum\User Data\Default\Login Data 0x1ae1d:$a5: \Kometa\User Data\Default\Login Data
0.2.SBkuP3ACSA.exe.3799240.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a09:$s1: UnHook 0x13a10:$s2: SetHook 0x13a18:$s3: CallNextHook 0x13a25:$s4: _hook
0.2.SBkuP3ACSA.exe.3799240.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16694:$x1: $%SMTPDV$ 0x166fa:$x2: $#TheHashHere%& 0x17d7b:$x3: %FTPDV$ 0x17e6f:$x4: $%TelegramDv$ 0x1408e:$x5: KeyLoggerEventArgs 0x14423:$x5: KeyLoggerEventArgs 0x17d9f:$m2: Clipboard Logs ID 0x17fbf:$m2: Screenshot Logs ID 0x180cf:$m2: keystroke Logs ID 0x183a9:$m3: SnakePW 0x17f97:$m4: \SnakeKeylogger\
0.2.SBkuP3ACSA.exe.28e2a6c.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa57f4:$a1: WriteProcessMemory 0xa5880:$a1: WriteProcessMemory 0xa5954:$a4: VirtualAllocEx 0xa5b78:$a4: VirtualAllocEx 0xa5bf8:$a4: VirtualAllocEx
0.2.SBkuP3ACSA.exe.5090000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
2.2.SBkuP3ACSA.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SBkuP3ACSA.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.SBkuP3ACSA.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.SBkuP3ACSA.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c31:$a1: get_encryptedPassword 0x14f1d:$a2: get_encryptedUsername 0x14a3d:$a3: get_timePasswordChanged 0x14b38:$a4: get_passwordField 0x14c47:$a5: set_encryptedPassword 0x162c0:$a7: get_logins 0x16223:$a10: KeyLoggerEventArgs 0x15e8e:$a11: KeyLoggerEventArgsEventHandler
2.2.SBkuP3ACSA.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c579:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbde:$a4: \Orbitum\User Data\Default\Login Data 0x1cc1d:$a5: \Kometa\User Data\Default\Login Data
2.2.SBkuP3ACSA.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15809:$s1: UnHook 0x15810:$s2: SetHook 0x15818:$s3: CallNextHook 0x15825:$s4: _hook
2.2.SBkuP3ACSA.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18494:$x1: $%SMTPDV$ 0x184fa:$x2: $#TheHashHere%& 0x19b7b:$x3: %FTPDV$ 0x19c6f:$x4: $%TelegramDv$ 0x15e8e:$x5: KeyLoggerEventArgs 0x16223:$x5: KeyLoggerEventArgs 0x19b9f:$m2: Clipboard Logs ID 0x19dbf:$m2: Screenshot Logs ID 0x19ecf:$m2: keystroke Logs ID 0x1a1a9:$m3: SnakePW 0x19d97:$m4: \SnakeKeylogger\
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c31:$a1: get_encryptedPassword 0x35651:$a1: get_encryptedPassword 0x14f1d:$a2: get_encryptedUsername 0x3593d:$a2: get_encryptedUsername 0x14a3d:$a3: get_timePasswordChanged 0x3545d:$a3: get_timePasswordChanged 0x14b38:$a4: get_passwordField 0x35558:$a4: get_passwordField 0x14c47:$a5: set_encryptedPassword 0x35667:$a5: set_encryptedPassword 0x162c0:$a7: get_logins 0x36ce0:$a7: get_logins 0x16223:$a10: KeyLoggerEventArgs 0x36c43:$a10: KeyLoggerEventArgs 0x15e8e:$a11: KeyLoggerEventArgsEventHandler 0x368ae:$a11: KeyLoggerEventArgsEventHandler
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c579:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf99:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1cb:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbde:$a4: \Orbitum\User Data\Default\Login Data 0x3c5fe:$a4: \Orbitum\User Data\Default\Login Data 0x1cc1d:$a5: \Kometa\User Data\Default\Login Data 0x3d63d:$a5: \Kometa\User Data\Default\Login Data
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15809:$s1: UnHook 0x36229:$s1: UnHook 0x15810:$s2: SetHook 0x36230:$s2: SetHook 0x15818:$s3: CallNextHook 0x36238:$s3: CallNextHook 0x15825:$s4: _hook 0x36245:$s4: _hook
0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18494:$x1: $%SMTPDV$ 0x38eb4:$x1: $%SMTPDV$ 0x184fa:$x2: $#TheHashHere%& 0x38f1a:$x2: $#TheHashHere%& 0x19b7b:$x3: %FTPDV$ 0x3a59b:$x3: %FTPDV$ 0x19c6f:$x4: $%TelegramDv$ 0x3a68f:$x4: $%TelegramDv$ 0x15e8e:$x5: KeyLoggerEventArgs 0x16223:$x5: KeyLoggerEventArgs 0x368ae:$x5: KeyLoggerEventArgs 0x36c43:$x5: KeyLoggerEventArgs 0x19b9f:$m2: Clipboard Logs ID 0x19dbf:$m2: Screenshot Logs ID 0x19ecf:$m2: keystroke Logs ID 0x3a5bf:$m2: Clipboard Logs ID 0x3a7df:$m2: Screenshot Logs ID 0x3a8ef:$m2: keystroke Logs ID 0x1a1a9:$m3: SnakePW 0x3abc9:$m3: SnakePW 0x19d97:$m4: \SnakeKeylogger\
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c31:$a1: get_encryptedPassword 0x35861:$a1: get_encryptedPassword 0x56281:$a1: get_encryptedPassword 0x14f1d:$a2: get_encryptedUsername 0x35b4d:$a2: get_encryptedUsername 0x5656d:$a2: get_encryptedUsername 0x14a3d:$a3: get_timePasswordChanged 0x3566d:$a3: get_timePasswordChanged 0x5608d:$a3: get_timePasswordChanged 0x14b38:$a4: get_passwordField 0x35768:$a4: get_passwordField 0x56188:$a4: get_passwordField 0x14c47:$a5: set_encryptedPassword 0x35877:$a5: set_encryptedPassword 0x56297:$a5: set_encryptedPassword 0x162c0:$a7: get_logins 0x36ef0:$a7: get_logins 0x57910:$a7: get_logins 0x16223:$a10: KeyLoggerEventArgs 0x36e53:$a10: KeyLoggerEventArgs 0x57873:$a10: KeyLoggerEventArgs
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c579:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d1a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dbc9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c3db:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdfb:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbde:$a4: \Orbitum\User Data\Default\Login Data 0x3c80e:$a4: \Orbitum\User Data\Default\Login Data 0x5d22e:$a4: \Orbitum\User Data\Default\Login Data 0x1cc1d:$a5: \Kometa\User Data\Default\Login Data 0x3d84d:$a5: \Kometa\User Data\Default\Login Data 0x5e26d:$a5: \Kometa\User Data\Default\Login Data
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15809:$s1: UnHook 0x36439:$s1: UnHook 0x56e59:$s1: UnHook 0x15810:$s2: SetHook 0x36440:$s2: SetHook 0x56e60:$s2: SetHook 0x15818:$s3: CallNextHook 0x36448:$s3: CallNextHook 0x56e68:$s3: CallNextHook 0x15825:$s4: _hook 0x36455:$s4: _hook 0x56e75:$s4: _hook
0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18494:$x1: $%SMTPDV$ 0x390c4:$x1: $%SMTPDV$ 0x59ae4:$x1: $%SMTPDV$ 0x184fa:$x2: $#TheHashHere%& 0x3912a:$x2: $#TheHashHere%& 0x59b4a:$x2: $#TheHashHere%& 0x19b7b:$x3: %FTPDV$ 0x3a7ab:$x3: %FTPDV$ 0x5b1cb:$x3: %FTPDV$ 0x19c6f:$x4: $%TelegramDv$ 0x3a89f:$x4: $%TelegramDv$ 0x5b2bf:$x4: $%TelegramDv$ 0x15e8e:$x5: KeyLoggerEventArgs 0x16223:$x5: KeyLoggerEventArgs 0x36abe:$x5: KeyLoggerEventArgs 0x36e53:$x5: KeyLoggerEventArgs 0x574de:$x5: KeyLoggerEventArgs 0x57873:$x5: KeyLoggerEventArgs 0x19b9f:$m2: Clipboard Logs ID 0x19dbf:$m2: Screenshot Logs ID 0x19ecf:$m2: keystroke Logs ID
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa52d1:$a1: get_encryptedPassword 0xc5f01:$a1: get_encryptedPassword 0xe6921:$a1: get_encryptedPassword 0xa55bd:$a2: get_encryptedUsername 0xc61ed:$a2: get_encryptedUsername 0xe6c0d:$a2: get_encryptedUsername 0xa50dd:$a3: get_timePasswordChanged 0xc5d0d:$a3: get_timePasswordChanged 0xe672d:$a3: get_timePasswordChanged 0xa51d8:$a4: get_passwordField 0xc5e08:$a4: get_passwordField 0xe6828:$a4: get_passwordField 0xa52e7:$a5: set_encryptedPassword 0xc5f17:$a5: set_encryptedPassword 0xe6937:$a5: set_encryptedPassword 0xa6960:$a7: get_logins 0xc7590:$a7: get_logins 0xe7fb0:$a7: get_logins 0xa68c3:$a10: KeyLoggerEventArgs 0xc74f3:$a10: KeyLoggerEventArgs 0xe7f13:$a10: KeyLoggerEventArgs
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5ea9:$s1: UnHook 0xc6ad9:$s1: UnHook 0xe74f9:$s1: UnHook 0xa5eb0:$s2: SetHook 0xc6ae0:$s2: SetHook 0xe7500:$s2: SetHook 0xa5eb8:$s3: CallNextHook 0xc6ae8:$s3: CallNextHook 0xe7508:$s3: CallNextHook 0xa5ec5:$s4: _hook 0xc6af5:$s4: _hook 0xe7515:$s4: _hook
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa8b34:$x1: $%SMTPDV$ 0xc9764:$x1: $%SMTPDV$ 0xea184:$x1: $%SMTPDV$ 0xa8b9a:$x2: $#TheHashHere%& 0xc97ca:$x2: $#TheHashHere%& 0xea1ea:$x2: $#TheHashHere%& 0xaa21b:$x3: %FTPDV$ 0xcae4b:$x3: %FTPDV$ 0xeb86b:$x3: %FTPDV$ 0xaa30f:$x4: $%TelegramDv$ 0xcaf3f:$x4: $%TelegramDv$ 0xeb95f:$x4: $%TelegramDv$ 0xa652e:$x5: KeyLoggerEventArgs 0xa68c3:$x5: KeyLoggerEventArgs 0xc715e:$x5: KeyLoggerEventArgs 0xc74f3:$x5: KeyLoggerEventArgs 0xe7b7e:$x5: KeyLoggerEventArgs 0xe7f13:$x5: KeyLoggerEventArgs 0xaa23f:$m2: Clipboard Logs ID 0xaa45f:$m2: Screenshot Logs ID 0xaa56f:$m2: keystroke Logs ID
0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
Click to see the 40 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:20:26.548608+0100	2803305	3	Unknown Traffic	192.168.2.5	49709	104.21.16.1	443	TCP
2025-01-10T18:20:27.788391+0100	2803305	3	Unknown Traffic	192.168.2.5	49711	104.21.16.1	443	TCP
2025-01-10T18:20:35.140115+0100	2803305	3	Unknown Traffic	192.168.2.5	49723	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:20:24.784668+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:20:25.972201+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:20:27.237809+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SBkuP3ACSA.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "mail.yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: SBkuP3ACSA.exe	Virustotal: Detection: 80%			Perma Link
Source: SBkuP3ACSA.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SBkuP3ACSA.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SBkuP3ACSA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: SBkuP3ACSA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: SBkuP3ACSA.exe, 00000000.00000002.3315863367.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, SBkuP3ACSA.exe, 00000000.00000002.3312873596.0000000002691000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.28e52ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.5090000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.28e2a6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.5090000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.3315691533.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 0_2_00ABD304	0_2_00ABD304
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 0_2_08999680	0_2_08999680
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4B328	2_2_02A4B328
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4C190	2_2_02A4C190
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A46108	2_2_02A46108
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4C752	2_2_02A4C752
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4C470	2_2_02A4C470
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A44AD9	2_2_02A44AD9
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4CA32	2_2_02A4CA32
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4BBD2	2_2_02A4BBD2
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A46880	2_2_02A46880
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A49858	2_2_02A49858
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4BEB0	2_2_02A4BEB0
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A4B4F2	2_2_02A4B4F2
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Code function: 2_2_02A43572	2_2_02A43572

Source: SBkuP3ACSA.exe, 00000000.00000000.2056937490.0000000000272000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3315691533.0000000005090000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3311393301.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3315863367.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3312873596.0000000002691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000000.00000002.3312873596.0000000002691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe, 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SBkuP3ACSA.exe
Source: SBkuP3ACSA.exe	Binary or memory string: OriginalFilenameFisa.exe* vs SBkuP3ACSA.exe

Source: SBkuP3ACSA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.28e52ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SBkuP3ACSA.exe.5090000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.28e2a6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SBkuP3ACSA.exe.5090000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.3315691533.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SBkuP3ACSA.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03

Source: SBkuP3ACSA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SBkuP3ACSA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SBkuP3ACSA.exe	Virustotal: Detection: 80%
Source: SBkuP3ACSA.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\SBkuP3ACSA.exe "C:\Users\user\Desktop\SBkuP3ACSA.exe"
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Users\user\Desktop\SBkuP3ACSA.exe "C:\Users\user\Desktop\SBkuP3ACSA.exe"
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Users\user\Desktop\SBkuP3ACSA.exe "C:\Users\user\Desktop\SBkuP3ACSA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SBkuP3ACSA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SBkuP3ACSA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: SBkuP3ACSA.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Code function: 0_2_0899A153 pushad ; iretd

0_2_0899A159

Source: SBkuP3ACSA.exe

Static PE information: section name: .text entropy: 7.053977654479298

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598660	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595248	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594594	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Window / User API: threadDelayed 8444			Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Window / User API: threadDelayed 1419			Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 4564	Thread sleep count: 8444 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 4564	Thread sleep count: 1419 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598660s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe TID: 6616	Thread sleep time: -594594s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598660	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595248	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Thread delayed: delay time: 594594	Jump to behavior

Source: SBkuP3ACSA.exe, 00000002.00000002.2195938373.00000000011A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Users\user\Desktop\SBkuP3ACSA.exe "C:\Users\user\Desktop\SBkuP3ACSA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Users\user\Desktop\SBkuP3ACSA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Users\user\Desktop\SBkuP3ACSA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SBkuP3ACSA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SBkuP3ACSA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR

Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SBkuP3ACSA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3799240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.3778610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SBkuP3ACSA.exe.36e7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 3424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SBkuP3ACSA.exe PID: 2452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SBkuP3ACSA.exe	81%	Virustotal		Browse
SBkuP3ACSA.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
SBkuP3ACSA.exe	100%	Avira	HEUR/AGEN.1309847
SBkuP3ACSA.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	SBkuP3ACSA.exe, 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2196563053.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, SBkuP3ACSA.exe, 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587819
Start date and time:	2025-01-10 18:19:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SBkuP3ACSA.exe renamed because original name is a hash value
Original Sample Name:	d0d28661ec38fa97bd723628c065471e1c58b6d3918fd988b43cdf0aee2815a3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 172.202.163.200, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SBkuP3ACSA.exe, PID 2452 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:20:24	API Interceptor	85x Sleep call for process: SBkuP3ACSA.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.6.168	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	104.18.27.193
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	104.18.32.25
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	104.16.79.73
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1

Process:	C:\Users\user\Desktop\SBkuP3ACSA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.046887280758424
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SBkuP3ACSA.exe
File size:	826'368 bytes
MD5:	22b0c4defec129bb6a33fc44f1499910
SHA1:	4f5d255970be2c547916a72d2db99ed5b02a89b7
SHA256:	d0d28661ec38fa97bd723628c065471e1c58b6d3918fd988b43cdf0aee2815a3
SHA512:	63ba4513e693638e2365d357e6757a7268134c2c0385644a6118cf79fb046e44517eee1f22853fc7d4c5875bac00d56c0ac6c8a01dca76c0cded2b7dc991da53
SSDEEP:	24576:5MaSSKy2/SPNc0PrH5yj15ALOF+gGQ5p/i:5RQ5s/gt
TLSH:	1F054B043AA054F8C53289F7B8E7823C6A74B96161E2D46625CF2E9C7CC9F5046D72AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cb0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb054	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc90b4	0xc9200	966312f16f834318c6d9a4f5b43c0749	False	0.434636468691734	data	7.053977654479298	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x586	0x600	023f933e236ce25e662698bcb26c192d	False	0.4134114583333333	data	4.009208314844858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	727b93468c891e185699debc43ee745f	False	0.044921875	data	0.09409792566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0xcc39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:20:24.784668+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:20:25.972201+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:20:26.548608+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49709	104.21.16.1	443	TCP
2025-01-10T18:20:27.237809+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	193.122.6.168	80	TCP
2025-01-10T18:20:27.788391+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49711	104.21.16.1	443	TCP
2025-01-10T18:20:35.140115+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49723	104.21.16.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:20:22.866588116 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:22.871409893 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:22.871494055 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:22.871685028 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:22.876509905 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:24.502413034 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:24.548784018 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:24.553816080 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:24.735618114 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:24.784667969 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:25.093676090 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.093729973 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.093818903 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.098742008 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.098761082 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.561701059 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.561790943 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.567490101 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.567511082 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.567878962 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.608685017 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.615502119 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.663331985 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.725188971 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.725255966 CET	443	49707	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.725321054 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.731703043 CET	49707	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.734814882 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:25.739741087 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:25.920993090 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:25.924057961 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.924102068 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.924196959 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.924458027 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:25.924470901 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:25.972201109 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.396398067 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:26.398926020 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:26.398953915 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:26.548638105 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:26.548716068 CET	443	49709	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:26.548862934 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:26.549355030 CET	49709	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:26.552539110 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.553827047 CET	49710	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.557470083 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:26.557531118 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.558670998 CET	80	49710	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:26.558753967 CET	49710	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.558834076 CET	49710	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:26.563627958 CET	80	49710	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:27.184441090 CET	80	49710	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:27.185600042 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.185651064 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.185722113 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.185956001 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.185966969 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.237808943 CET	49710	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:27.639779091 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.641391993 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.641417980 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.788398027 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.788467884 CET	443	49711	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:27.788574934 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.789005041 CET	49711	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:27.793097973 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:27.797944069 CET	80	49713	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:27.798044920 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:27.798104048 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:27.802891016 CET	80	49713	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:28.474071980 CET	80	49713	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:28.475452900 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:28.475564957 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:28.475639105 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:28.475965977 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:28.475989103 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:28.519026041 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:28.943777084 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:28.947118998 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:28.947141886 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:29.081887960 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:29.081979036 CET	443	49715	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:29.082027912 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:29.082490921 CET	49715	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:29.087246895 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:29.088009119 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:29.092927933 CET	80	49716	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:29.093000889 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:29.093094110 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:29.096784115 CET	80	49713	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:29.096841097 CET	49713	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:29.097966909 CET	80	49716	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:29.724905014 CET	80	49716	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:29.726191998 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:29.726233959 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:29.726525068 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:29.726572990 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:29.726577997 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:29.769099951 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.192703009 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:30.194413900 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.194442987 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:30.338519096 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:30.338599920 CET	443	49717	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:30.338664055 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.339030027 CET	49717	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.346610069 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.347559929 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.351715088 CET	80	49716	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:30.351792097 CET	49716	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.352468967 CET	80	49718	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:30.352528095 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.352637053 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:30.357873917 CET	80	49718	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:30.976669073 CET	80	49718	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:30.978001118 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.978050947 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:30.978152990 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.978390932 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:30.978404999 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:31.019064903 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.453037024 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:31.454704046 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:31.454737902 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:31.607898951 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:31.607980967 CET	443	49719	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:31.608036995 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:31.608516932 CET	49719	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:31.612538099 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.613162041 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.617750883 CET	80	49718	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:31.617850065 CET	49718	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.617975950 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:31.618046045 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.618127108 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:31.622920990 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:33.254854918 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:33.256875992 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.256931067 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.257117987 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.257304907 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.257318020 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.300486088 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.716527939 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.718899012 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.718938112 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.867296934 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.867396116 CET	443	49721	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:33.867520094 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.868026972 CET	49721	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:33.871507883 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.872612953 CET	49722	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.876540899 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:33.877136946 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.877473116 CET	80	49722	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:33.877573013 CET	49722	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.877705097 CET	49722	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:33.882513046 CET	80	49722	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:34.523174047 CET	80	49722	193.122.6.168	192.168.2.5
Jan 10, 2025 18:20:34.525104046 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:34.525168896 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:34.525259018 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:34.525540113 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:34.525551081 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:34.566138983 CET	49722	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:34.979090929 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:34.981007099 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:34.981039047 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:35.140155077 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:35.140228987 CET	443	49723	104.21.16.1	192.168.2.5
Jan 10, 2025 18:20:35.140472889 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:35.140964031 CET	49723	443	192.168.2.5	104.21.16.1
Jan 10, 2025 18:20:35.316641092 CET	49722	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:20:35.316725969 CET	49710	80	192.168.2.5	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:20:22.853372097 CET	54259	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:20:22.860383034 CET	53	54259	1.1.1.1	192.168.2.5
Jan 10, 2025 18:20:25.082899094 CET	62620	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:20:25.090550900 CET	53	62620	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:20:22.853372097 CET	192.168.2.5	1.1.1.1	0xa4a8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.082899094 CET	192.168.2.5	1.1.1.1	0xf2b4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:22.860383034 CET	1.1.1.1	192.168.2.5	0xa4a8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:20:25.090550900 CET	1.1.1.1	192.168.2.5	0xf2b4	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:22.871685028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:24.502413034 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:20:24.548784018 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:20:24.735618114 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:20:25.734814882 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:20:25.920993090 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:26.558834076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:20:27.184441090 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:27.798104048 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:28.474071980 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:29.093094110 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:29.724905014 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:30.352637053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:30.976669073 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:31.618127108 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:33.254854918 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	193.122.6.168	80	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:20:33.877705097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:20:34.523174047 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:20:25 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844414 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWVVJRVCcnFgqAWLVEsmpwdDzGgcB0539LGpp7%2FcD29p%2Bx8rO5tGm7WUi152fzKcWp2HgF6cyf5tIX70%2FSF5QXI%2BDJp9yhgohAOMPVsZDc9e2yNBKnJYWL60jcLII0B%2FF7vnqwXA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe567069788ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1843&rtt_var=730&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1584373&cwnd=252&unsent_bytes=0&cid=7bf8d5cee71e073d&ts=176&x=0"
2025-01-10 17:20:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:20:26 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844415 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5JUs643uKLtBLQZ0%2FYqWvJjXOaDEvPxnm%2F3y3AtE9m%2BFCA8CdwLSHOLGN85Zm8ApKpAmCf2qcKeSqx%2Bs%2FPuoVrLMYLHDvTT5%2FQfrKOvEflvaDMK%2F9tOVu6fbU%2FFIjops3J96Tiz9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe56758b457293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2064&min_rtt=2059&rtt_var=783&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1387832&cwnd=158&unsent_bytes=0&cid=ef9fd5da07fc5950&ts=157&x=0"
2025-01-10 17:20:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:20:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844416 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t08zeo6rNqt6HbJs7M%2BDvfOAOBOI2F5qipgFxnsLrQT1qkFNrJKkct123%2BK7jWR8LJA2Bgl%2FgzfFWKTDwmE%2FWwT2kvU7eLRYUKXpO0fruLKqzjxyxN2s1G8e8kC4RloxyWYNtZ6d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe567d5dea8ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1927&rtt_var=751&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1429270&cwnd=252&unsent_bytes=0&cid=4b5c0c991fad9447&ts=152&x=0"
2025-01-10 17:20:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:20:29 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844418 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5LKy0DX3%2FG9mvVeaDtFN9nAgMSsKv%2FLABh9%2FBlcYHKv6Lczk%2BEOzlCTjc%2B8%2FLyqx7vkezmnVgKqx6o6UMqcjx6xdYtvya6lOqIwNtJ9dpVlyK2y0v4PHFpNvorFz6RwdFqsq93c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe56856f587293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1988&rtt_var=759&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1427872&cwnd=158&unsent_bytes=0&cid=b4a3a789924a36d5&ts=142&x=0"
2025-01-10 17:20:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:20:30 UTC	867	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844419 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HEpMHWED%2BOZhd36RSLuHsnlU7O%2Ft7Q1YrOWsoAWXPYd6ZVAgwr6D1%2Ft%2F0gAchwl1Wng8WooEMtNOsh%2B1emwSl%2BKkw%2BteD8IW%2F28yZgAPhw8129MlH4SMoBbrZeof%2F6VMOLgozXUu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe568d3e258ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1805&rtt_var=727&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1455633&cwnd=252&unsent_bytes=0&cid=9cf75cb12fed4e23&ts=145&x=0"
2025-01-10 17:20:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:20:31 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844420 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FsQZKqMn8mHERC%2FvbzipnmSvN9JKe4Nrvth5mhyPqZ9JX0ELE6x4HsPchSwj0DRzjIoXcoRSWdUyRkt69GXaurgJ61gYmNVvTnIj0W7toEth%2FM7p8Cim2X7KEtAEqH4wFNcU960v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe56952e6a4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1575&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1780487&cwnd=221&unsent_bytes=0&cid=bed04519a442aa6a&ts=160&x=0"
2025-01-10 17:20:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:20:33 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844422 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9rXWMuv5%2F7GsK2L%2Ffz8sUQkZ75U758Eama1MntsT2jXF76lFN8e9vY21oUt%2F8CjjGXTUpKBfv4zYI9w8N0rLjUwQrWORdXqmEPnYFm9bBs%2BEF6vyDnFssOcmHVoK90rFOzLwYeb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe56a33be20fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1466&rtt_var=559&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1941489&cwnd=252&unsent_bytes=0&cid=a7e2d3c629b3539f&ts=157&x=0"
2025-01-10 17:20:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.16.1	443	2452	C:\Users\user\Desktop\SBkuP3ACSA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:20:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:20:35 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:20:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844424 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DPRHPP43E2IIJhnApIfaghYMxQYm8gdyY2ffYDsKX8w0iP6hIJaojAMv2swVUQyftAEriqf%2B%2BIAtpACIzRmmQi9lIDzzTgx7k%2FES9%2F3Mv8JPT1IRDBoa9EPCUJdyaLIeckXznvRp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe56ab3e694388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1576&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1780487&cwnd=221&unsent_bytes=0&cid=fd3e376857ba3fef&ts=164&x=0"
2025-01-10 17:20:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	12:20:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SBkuP3ACSA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SBkuP3ACSA.exe"
Imagebase:	0x270000
File size:	826'368 bytes
MD5 hash:	22B0C4DEFEC129BB6A33FC44F1499910
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.3315691533.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3314447238.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:20:21
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SBkuP3ACSA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SBkuP3ACSA.exe"
Imagebase:	0x9c0000
File size:	826'368 bytes
MD5 hash:	22B0C4DEFEC129BB6A33FC44F1499910
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2195327620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2196563053.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:20:34
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\SBkuP3ACSA.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:20:34
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:20:34
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7f0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4%
Total number of Nodes:	124
Total number of Limit Nodes:	10

Executed Functions

Function 08999680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: affae77b23c0b256b0a99eafe5d15fcd034857d32128047b32249f134406f5bd
Instruction ID: ea3312c78cc9b5509cb04f970b38b5e13c62d4881a79400b45f4fd36d6906515
Opcode Fuzzy Hash: affae77b23c0b256b0a99eafe5d15fcd034857d32128047b32249f134406f5bd
Instruction Fuzzy Hash: 79F16930A00209CFDF14EFA9C944BADBBF5FF88319F15815DE449AB2A5DB74A945CB80

Function 00ABD3C9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ABD456
GetCurrentThread.KERNEL32 ref: 00ABD493
GetCurrentProcess.KERNEL32 ref: 00ABD4D0
GetCurrentThreadId.KERNEL32 ref: 00ABD529

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0b6d5fe00451d92944b5f80297b829e808baa2ff80615403290da0397492affc
Instruction ID: 0929849910c9b7fd2ec5c7531ba6c53398cfedf51b69eb87f80f837827e93621
Opcode Fuzzy Hash: 0b6d5fe00451d92944b5f80297b829e808baa2ff80615403290da0397492affc
Instruction Fuzzy Hash: F45177B0900309DFDB14CFAAD948BDEBBF5EF48314F24845AE009A73A1DB74A944CB65

Function 00ABD3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ABD456
GetCurrentThread.KERNEL32 ref: 00ABD493
GetCurrentProcess.KERNEL32 ref: 00ABD4D0
GetCurrentThreadId.KERNEL32 ref: 00ABD529

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4a5db3492826aeb396f1fb953f50c8ef6749078147e591612654291423ecfd8f
Instruction ID: e1692dad89d8b08d0121c507b16e1ea2ab2e4ab0ff7549581ffb99b6cdfa8dd3
Opcode Fuzzy Hash: 4a5db3492826aeb396f1fb953f50c8ef6749078147e591612654291423ecfd8f
Instruction Fuzzy Hash: 4B5177B0900309CFDB14DFAAD948BDEBBF5EF48314F24845AE009A73A1DB746944CB65

Function 00ABAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ABAF9E

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0319c37f57a27c6afcaae28ad42cebc047e41f55ef4d9a2ee77f2bbd776368e
Instruction ID: 671a086aa3aacfcc0e8ea9189e14293db9f5cbb1db6ebe79eb9920c8cf8a4a97
Opcode Fuzzy Hash: f0319c37f57a27c6afcaae28ad42cebc047e41f55ef4d9a2ee77f2bbd776368e
Instruction Fuzzy Hash: 388177B0A00B048FDB24DF29D54179ABBF9FF98304F00892ED48ADBA52D735E945CB91

Function 00AB590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AB59C9

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2dfb8c315ead290d0d672dc1b5601cc658015b500b514c2c164c807addd2accf
Instruction ID: ca4e7aa54f2fef86bb80e9941392bd2471376ba6db99b75a75a7f7b6a9a00150
Opcode Fuzzy Hash: 2dfb8c315ead290d0d672dc1b5601cc658015b500b514c2c164c807addd2accf
Instruction Fuzzy Hash: CE41CDB1C00619CADB24CFA9C888BDDBBB5FF49304F20856AD408AB255DB75694ACF50

Function 00AB4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AB59C9

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3a0f387e1679050e97b7ae69cd7c498f4b36f147ddb9dc7d762a7e33e7e40da4
Instruction ID: c138d416afe6fc31e238d6d5a143dbfe9cbec7e26dc96325e95f0553a1bf2216
Opcode Fuzzy Hash: 3a0f387e1679050e97b7ae69cd7c498f4b36f147ddb9dc7d762a7e33e7e40da4
Instruction Fuzzy Hash: C841BEB0C00719CBDB24CFA9C884BDDBBB5FF49304F20816AD408AB255DB756949CFA0

Function 00ABD619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABD6A7

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88df7368b45aef2b4174b76030d0bbd1021443d3cd0daed0b0b9ed336223a708
Instruction ID: a984f616d27b1bdf59155f3245e37a50565ad1950adf6eb6eed9ef7504f56832
Opcode Fuzzy Hash: 88df7368b45aef2b4174b76030d0bbd1021443d3cd0daed0b0b9ed336223a708
Instruction Fuzzy Hash: F02103B5900209AFDB10CF9AD884ADEBBF8EB48320F14841AE958A7310D375A940CF64

Function 00ABD620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABD6A7

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4740ec73623f21fec437fdf1209967092fe007cb79d4852c12eaced9caf9c2e8
Instruction ID: d744bb5505dd5874da7dd894a812ece31cc5a2490ac13d6ce9fdfe241730af52
Opcode Fuzzy Hash: 4740ec73623f21fec437fdf1209967092fe007cb79d4852c12eaced9caf9c2e8
Instruction Fuzzy Hash: C721E4B59002489FDB10CF9AD984ADEBFF8FB48310F14841AE918A7350D374A940DF65

Function 08990563 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 089905E5

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 705720880e62d10239542e3f8220547469d260842000791b18e097002e88cab0
Instruction ID: 4c0cba630488f224433d1cd3682810b0d2bea899df1e5b12fc52d2dad53d48b3
Opcode Fuzzy Hash: 705720880e62d10239542e3f8220547469d260842000791b18e097002e88cab0
Instruction Fuzzy Hash: E1216DB58083898FDB11CFA9C945BDEBFF4EB09310F14449AD594E7292C378A544CBA5

Function 08997A30 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,08999862,00000000,00000000,03694364,026B04D8), ref: 08999CB0

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2e4fd6bab95fddcd0dbb03455b7d8813422fdac16abff8a09a3554d310773c64
Instruction ID: 6f87b78c39d76afd0e3a09daf73f4d0a98a801d6564c77bc09b08cf1c7084fc3
Opcode Fuzzy Hash: 2e4fd6bab95fddcd0dbb03455b7d8813422fdac16abff8a09a3554d310773c64
Instruction Fuzzy Hash: 0A11E4B58043499FDB10DF9AD944BDEBBF8EB48320F14842AE958A3351D378A944CFA5

Function 08999C43 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,08999862,00000000,00000000,03694364,026B04D8), ref: 08999CB0

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 51606eca16b5c3b3827518bd4ce4fc4cd3407d9e080dcba68426c85425199d7b
Instruction ID: 7de8369ae3dd3ed373a5739b610aad801d8fa0f707fca54eccd950ee121c91ef
Opcode Fuzzy Hash: 51606eca16b5c3b3827518bd4ce4fc4cd3407d9e080dcba68426c85425199d7b
Instruction Fuzzy Hash: 4A11E4B68003499FDB10DF9AD945BDEBFF8EB48320F14842AE558A3251D378A544CFA5

Function 08990588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 089905E5

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 070e2c8be7a7b8b7ed1c822d1ac56466a5ec7afdeb54b69f7fff021c6872f128
Instruction ID: 92f2cdeb3f3cab9af49cfcec8d4395631e26e20e75bcb027f99e5148ccd30ae7
Opcode Fuzzy Hash: 070e2c8be7a7b8b7ed1c822d1ac56466a5ec7afdeb54b69f7fff021c6872f128
Instruction Fuzzy Hash: D911F5B5800349DFDB10CF9AC945BDEBFF8EB48320F148459E554A3251D378A944CFA5

Function 00ABAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ABAF9E

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 55a83d8a760a6206bdc4826a1a955a5a3e7e8ecf1d72c6cf04e028cf1bf752fe
Instruction ID: 8763fcd1ac907bc10ee9d470219d9de5cc3fc4e04dd5450276785867a037bf94
Opcode Fuzzy Hash: 55a83d8a760a6206bdc4826a1a955a5a3e7e8ecf1d72c6cf04e028cf1bf752fe
Instruction Fuzzy Hash: F911E3B6C003499FCB20CF9AD944ADEFBF8EB88314F14845AD419A7215C375A545CFA1

Function 08990818 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 08991F1D

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d45e7361cec44307bff020a71536a9bffe6e136f709a257a977285b33ef4eb44
Instruction ID: 47393028496bc8763fbd1a1edb3fec85adb8c8a65d33065027ac9dbcfc2cb5eb
Opcode Fuzzy Hash: d45e7361cec44307bff020a71536a9bffe6e136f709a257a977285b33ef4eb44
Instruction Fuzzy Hash: 931103B5904349DFCB20DF9ED948B9EBBF8EB48320F10845AD559A7340C379A944CFA5

Function 089992AC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,089999A7), ref: 0899A445

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 67704865ad8f6e49ca508e96087ea1aec0cb8d59ca937428bbb925fc3c7651b9
Instruction ID: 6df4716c15da14840be1e56618e1f3a68eb2cec83b6feaf7cbf4257b1619707e
Opcode Fuzzy Hash: 67704865ad8f6e49ca508e96087ea1aec0cb8d59ca937428bbb925fc3c7651b9
Instruction Fuzzy Hash: 8911EDB5C047599FCB20DF9AD848B9EFBF8EB48324F10846AE558A3350D378A544CFA5

Function 08991EC0 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 08991F1D

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0845ae5a37be1413855d21da9220ce0ba432a94e2ade34da9ef9b3be21201e1c
Instruction ID: 441678ea8e54639078ee046a2ae13c87133b1105b821c92ab7de35e7c1d59eb2
Opcode Fuzzy Hash: 0845ae5a37be1413855d21da9220ce0ba432a94e2ade34da9ef9b3be21201e1c
Instruction Fuzzy Hash: 851103B5800349CFDB20DF9AD885BDEBBF8FB48324F24845AD559A3240D378A944CFA5

Function 0899A3E3 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,089999A7), ref: 0899A445

Memory Dump Source

Source File: 00000000.00000002.3316386618.0000000008990000.00000040.00000800.00020000.00000000.sdmp, Offset: 08990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8990000_SBkuP3ACSA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: fa87ae29823008fa3b3a7aa7480ec4f1b6dff93ea36e77481a17fb51cd56e547
Instruction ID: 15920a629d3234d8ad0da03f1993c8515cf7f31e24f530763c1d7f0dcbde38fc
Opcode Fuzzy Hash: fa87ae29823008fa3b3a7aa7480ec4f1b6dff93ea36e77481a17fb51cd56e547
Instruction Fuzzy Hash: 6E11FEB5C003498FCB20DF9AD848B8EFBF8EB48324F10841AD558A3250D378A545CFA5

Function 00A1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3311994479.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1198d740d1113a96fd5a2381c3c3f39509fb70a450d5b7489ceba4b0bca36d78
Instruction ID: b7cf8312b6cc24979b13ae9783523c5056295abce63ce2cfc94309b80b6f07d7
Opcode Fuzzy Hash: 1198d740d1113a96fd5a2381c3c3f39509fb70a450d5b7489ceba4b0bca36d78
Instruction Fuzzy Hash: AA2125B5504204DFDB05DF14D9C0B66BF75FB98324F24C569E90A0F25AC33AE896CBA2

Function 00A2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312058350.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82d93f50c432ca4a67e97376d4693e9e2cfc44055118b9ef4490c062e5b118e
Instruction ID: 9123721f510c8ca0b8b4ffe285bfe1347a4dbb3e2fec256de83d5a995231fd16
Opcode Fuzzy Hash: e82d93f50c432ca4a67e97376d4693e9e2cfc44055118b9ef4490c062e5b118e
Instruction Fuzzy Hash: 1F21F275608240DFCB15DF18E984B26BB65FB88324F24C97DD90A4B2A7C33AD807CA61

Function 00A2D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312058350.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1033c0a21b9d63a9a4d050ed06dffd7214380d47d734e1a2b7207c07627f21e
Instruction ID: beee6d1beb44ff6d8517e80b835862c6356b0dd020cf2a62531dab2deec07d5b
Opcode Fuzzy Hash: e1033c0a21b9d63a9a4d050ed06dffd7214380d47d734e1a2b7207c07627f21e
Instruction Fuzzy Hash: 7C2105B5504244DFDB01DF18E9C4B2ABB65FB98324F24C979D8495F247C33AE806CAA2

Function 00A1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3311994479.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 6d3b366d604796532f4dcbaa87ad919948ba9647037e89194506cb0e86ac9a3e
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 7E112676404240CFCB16CF00D5C4B56BF72FB94324F24C6A9D8090B256C33AE89ACBA1

Function 00A2D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312058350.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 1811397ff6373132b2a261fea08aa1b829b6e0624101fb0bbea0ebd331ecc093
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 2A119075508280DFDB15CF14E5C4B15FB62FB44314F24C6ADD84A4B666C33AD84ACB61

Function 00A2D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312058350.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction ID: caf2c8b6923a558ffc316f1a4acf2f7a56e3267b252437ac003392dcf8d5b64e
Opcode Fuzzy Hash: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction Fuzzy Hash: C911B27A504280CFDB12CF14E5C4B19FB61FB84324F24C6A9D8494B656C33AD80ACB92

Non-executed Functions

Function 00ABD304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312286952.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3e8adad94939a62b4f007da2205fa688699bc00b96178d48891a73b3a9729e
Instruction ID: 2862eb2e011b1befd109a9e0c09e396c80f8d75f13caa45e5ca7cde8f0bc04f5
Opcode Fuzzy Hash: cb3e8adad94939a62b4f007da2205fa688699bc00b96178d48891a73b3a9729e
Instruction Fuzzy Hash: 28A16E36E002098FCF15DFB4C9405DEB7B6FF85300B1985BAE805AB266EB31E956CB50

Analysis Process: SBkuP3ACSA.exePID: 2452, Parent PID: 3424COMMON

Executed Functions

Function 02A4B328 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

PHeq, xrefs: 02A4B747
LjHp, xrefs: 02A4B6CF
0oHp, xrefs: 02A4B562
LjHp, xrefs: 02A4B6E5
PHeq, xrefs: 02A4B758

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 0e3ac55090656379edeb7d0f59cedd0273e0934427980a3f5b801c08a2a7c1c8
Instruction ID: 2ddcdfa38d1816cba8fb34d4075da9d8c3f0d925c15fb1c19bfe2e228dd264db
Opcode Fuzzy Hash: 0e3ac55090656379edeb7d0f59cedd0273e0934427980a3f5b801c08a2a7c1c8
Instruction Fuzzy Hash: F9E1E975E00618CFDB14CFA9C984A9DBBB2FF98314F558469E819AB365DB30E841CF60

Function 02A4C752 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

LjHp, xrefs: 02A4C92F
LjHp, xrefs: 02A4C945
0oHp, xrefs: 02A4C7C2
PHeq, xrefs: 02A4C9B8
PHeq, xrefs: 02A4C9A7

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: c6fc2d6a4acde9f04efcabad2624ecb215ef2bdcf81bd4d372fcbd51bae1daee
Instruction ID: b506d9b32840ad8d68db04909f51eab2b4543db7d2c5922cddeeb3c516b1f23e
Opcode Fuzzy Hash: c6fc2d6a4acde9f04efcabad2624ecb215ef2bdcf81bd4d372fcbd51bae1daee
Instruction Fuzzy Hash: 2C81C574E01218DFDB58DFA9D984A9DBBF2BF88310F14C46AE419AB365DB349981CF10

Function 02A4BEB0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0oHp, xrefs: 02A4BF22
LjHp, xrefs: 02A4C0A5
PHeq, xrefs: 02A4C107
PHeq, xrefs: 02A4C118
LjHp, xrefs: 02A4C08F

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: a1dd845e94a40e6a9cc91b878814b1836cb1f6f12d915d43ac1fea75bfa5099f
Instruction ID: fb862b13fb87193904aded57797355755bcb8031ef0939f7153d9a122df8c674
Opcode Fuzzy Hash: a1dd845e94a40e6a9cc91b878814b1836cb1f6f12d915d43ac1fea75bfa5099f
Instruction Fuzzy Hash: 5D81E774E01218DFDB14DFA9D984A9DBBF2BF88310F14C46AE819AB355DB34A981CF50

Function 02A4C190 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjHp, xrefs: 02A4C385
PHeq, xrefs: 02A4C3F8
PHeq, xrefs: 02A4C3E7
LjHp, xrefs: 02A4C36F
0oHp, xrefs: 02A4C202

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 92d856f80c7d3636db1389b9fb26ec71dc87acf7c40c63e986b109f2a6d5624c
Instruction ID: cad4415b43db40b9c1631b03aa30b1f61ef9396cb080ac6d44e47542521b9b34
Opcode Fuzzy Hash: 92d856f80c7d3636db1389b9fb26ec71dc87acf7c40c63e986b109f2a6d5624c
Instruction Fuzzy Hash: E881C474E01218DFDB54DFAAD984A9DBBF2BF88314F14C06AE819A7365DB349941CF10

Function 02A4C470 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjHp, xrefs: 02A4C665
0oHp, xrefs: 02A4C4E2
PHeq, xrefs: 02A4C6C7
PHeq, xrefs: 02A4C6D8
LjHp, xrefs: 02A4C64F

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 913ab50f7625919b15c6362cd7a347fe66a39fa5a40892f41880bfd66dff4a83
Instruction ID: dcf63b26dee204e7d9da1d1f81639996335da730c3ba8761b2ff44c38a5d8f64
Opcode Fuzzy Hash: 913ab50f7625919b15c6362cd7a347fe66a39fa5a40892f41880bfd66dff4a83
Instruction Fuzzy Hash: 9C81B374E01218DFDB54DFA9D984A9DBBF2BF88310F14D06AE819AB365DB349981CF10

Function 02A44AD9 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oHp, xrefs: 02A44B4A
LjHp, xrefs: 02A44CCE
PHeq, xrefs: 02A44D41
PHeq, xrefs: 02A44D30
LjHp, xrefs: 02A44CB8

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 18100bba8b567703a7a6f91f154a5a24f5b260dad8e1caf56fc3bd886f25197b
Instruction ID: 735e3040030e9a4a5c51c0d6a0187e44918ccee36d6e531465f250c18e63c06e
Opcode Fuzzy Hash: 18100bba8b567703a7a6f91f154a5a24f5b260dad8e1caf56fc3bd886f25197b
Instruction Fuzzy Hash: 47817274E00218DFDB58DFA9D984B9DBBB2BF89300F14C069E819AB365DB349981CF50

Function 02A4CA32 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjHp, xrefs: 02A4CC0F
LjHp, xrefs: 02A4CC25
PHeq, xrefs: 02A4CC98
PHeq, xrefs: 02A4CC87
0oHp, xrefs: 02A4CAA2

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 6afa56e9716aef6816d29219a0f56316ecd7c2796d3d4fdd496f529919237c3a
Instruction ID: 71913eec574584e52b2f65e37721c34e4eecd802a6b11a03285229693f62bfe6
Opcode Fuzzy Hash: 6afa56e9716aef6816d29219a0f56316ecd7c2796d3d4fdd496f529919237c3a
Instruction Fuzzy Hash: 0C819674E01218DFDB58DFA9D984A9DBBF2BF88310F14C06AE819AB365DB349941CF10

Function 02A4BBD2 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHeq, xrefs: 02A4BE27
LjHp, xrefs: 02A4BDAF
PHeq, xrefs: 02A4BE38
0oHp, xrefs: 02A4BC42
LjHp, xrefs: 02A4BDC5

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: e6f7dbe6966ddeebaffeaaf8cea6f09108d9afa5571c8f820931d284fe0605ec
Instruction ID: 4f3ef56d10b6526188150daf3f43002156c171cfbc92d61f542457b5e12dd07d
Opcode Fuzzy Hash: e6f7dbe6966ddeebaffeaaf8cea6f09108d9afa5571c8f820931d284fe0605ec
Instruction Fuzzy Hash: 10819474E00218DFDB58DFA9D984A9DBBF2BF89304F14C469E819AB365DB349981CF10

Function 02A46880 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

,iq, xrefs: 02A469F2
(oeq, xrefs: 02A46988
(oeq, xrefs: 02A4697A
,iq, xrefs: 02A46A00

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$,iq$,iq
API String ID: 0-2093320806
Opcode ID: cd567e3b016b0b808bdc1903abd79717bafea4b5832b3f26a6c673dda2cbf34e
Instruction ID: 884dddb31654861c320832dc1c475b7aed6a2970e1943db3c6f168048ac8e294
Opcode Fuzzy Hash: cd567e3b016b0b808bdc1903abd79717bafea4b5832b3f26a6c673dda2cbf34e
Instruction Fuzzy Hash: 1DD11B71A00219DFCB14CFA9C984AADBBFAFF8A705F158069E505AB265DF30ED41CB50

Function 02A4B4F2 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

PHeq, xrefs: 02A4B747
0oHp, xrefs: 02A4B562
PHeq, xrefs: 02A4B758

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 0oHp$PHeq$PHeq
API String ID: 0-4068647697
Opcode ID: 17de569ab763e0d930e4fce168c75c8f1e5758b267b92d8f013d2cf01ca7661e
Instruction ID: 3c7c29f3db7ddb5f52189b5a76b723d228382cd1af0bf1ba3c3c4d74dd3d61aa
Opcode Fuzzy Hash: 17de569ab763e0d930e4fce168c75c8f1e5758b267b92d8f013d2cf01ca7661e
Instruction Fuzzy Hash: 1761A474E00608DFDB18DFAAD984A9DBBF2BF89304F24C469E415AB365DB349941CF50

Function 02A49858 Relevance: 3.4, Strings: 2, Instructions: 850COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02A4A273
(oeq, xrefs: 02A49C78

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: (oeq$4'eq
API String ID: 0-2258195259
Opcode ID: ee9228452da01f9522ee022961847ad4d83efd2a585e3c1864c1c836574a8ed1
Instruction ID: 0960adeff2c2080d428fd83fb35bbbc14cd3e0cb89e86596b1ea57471617c3ad
Opcode Fuzzy Hash: ee9228452da01f9522ee022961847ad4d83efd2a585e3c1864c1c836574a8ed1
Instruction Fuzzy Hash: 53727275A0020ADFCB15CF68C994AAEBBF2FF88304F158559E8059B3A5DF30E955CB50

Function 02A46108 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

Hiq, xrefs: 02A4650E
(oeq, xrefs: 02A46642

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: (oeq$Hiq
API String ID: 0-1760408109
Opcode ID: 725abf0b386774e01250f3c89e839f04361711f20f50edd4ad606b44132a95e7
Instruction ID: 7fc7dc1b995250d58644010c1a9a05028452d3bd8ad0010fe430a13c1eff8dca
Opcode Fuzzy Hash: 725abf0b386774e01250f3c89e839f04361711f20f50edd4ad606b44132a95e7
Instruction Fuzzy Hash: 51129C70A002199FCB14DF69C984BAEBBFABFC9704F208569E4099B395DF34D941CB90

Function 02A43572 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

Xiq, xrefs: 02A435AF
$eq, xrefs: 02A43596

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: Xiq$$eq
API String ID: 0-3760103188
Opcode ID: 1377e6a17ecfd21f90a980966905be8453266ab3ae138e411e08d465fff0a9c5
Instruction ID: 89387c49bb937e420c3b90ea23c813444b35b222a3a97f1309eaa7d75bdd1b1c
Opcode Fuzzy Hash: 1377e6a17ecfd21f90a980966905be8453266ab3ae138e411e08d465fff0a9c5
Instruction Fuzzy Hash: FBF13E74E002589FDF18DFB9D5946AEBBB2BFC8300B248469E806A7358DF35D846CB51

Function 02A46E58 Relevance: 10.5, Strings: 8, Instructions: 473COMMON

Download Yara Rule

Strings

(oeq, xrefs: 02A4701A
,iq, xrefs: 02A472F8
(oeq, xrefs: 02A46F51
,iq, xrefs: 02A47308
(oeq, xrefs: 02A46E96
(oeq, xrefs: 02A46F7D
(oeq, xrefs: 02A47367
(oeq, xrefs: 02A47377

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$(oeq$(oeq$(oeq$(oeq$,iq$,iq
API String ID: 0-4181857939
Opcode ID: 1d1d411d5872948d52d53edb87aac28d0bc490fe009efce43f8487796d916ec3
Instruction ID: 919985a30af935c86c02b7ac4a0d0a2058704beab6f79a99a64a1700e6f29fbc
Opcode Fuzzy Hash: 1d1d411d5872948d52d53edb87aac28d0bc490fe009efce43f8487796d916ec3
Instruction Fuzzy Hash: BA124631A006498FCB15CF69D984A9EBBF6FF89318F158599E809DB2A1DF30ED41CB50

Function 02A477F0 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

$eq, xrefs: 02A48314
$eq, xrefs: 02A48337

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 43a25c0474ec03e2f48f1a6bca7a97f7b88a3f36e00d2c79df240bed9618edcb
Instruction ID: 94e02f89467c418b172358cc0324bcd4841eb44bdefe41e23e5a336b54dfca40
Opcode Fuzzy Hash: 43a25c0474ec03e2f48f1a6bca7a97f7b88a3f36e00d2c79df240bed9618edcb
Instruction Fuzzy Hash: B9524378A10218CFEB559BA4C860BAEBB77FF98300F5080A9C11A6B355CF399D85DF51

Function 02A487E9 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02A48811
4'eq, xrefs: 02A48837

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq
API String ID: 0-907361030
Opcode ID: dc09362a0fc10d171b850317bd8975d8c1d8ac994cdfc221b03f45abde27e952
Instruction ID: 509545893476e07f8d8c8c65288dda83f6021d68fb621994e77c55e7acfd10bf
Opcode Fuzzy Hash: dc09362a0fc10d171b850317bd8975d8c1d8ac994cdfc221b03f45abde27e952
Instruction Fuzzy Hash: B2B129B17105018FDB159B29ED99B3D36AAAFC5744F19446AE602CF3A2EF6CCC42C742

Function 02A456A8 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

Hiq, xrefs: 02A45793
Hiq, xrefs: 02A457C6

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: Hiq$Hiq
API String ID: 0-2624443307
Opcode ID: caf8a5f1d1f48ee3b72e14a5d951c4ff14f70a7c974a2ac018e4b11ebc6b36da
Instruction ID: e704c0a66d0fc5c53761c18ed63d71ece4dd656e802f10344455707c70eed4e2
Opcode Fuzzy Hash: caf8a5f1d1f48ee3b72e14a5d951c4ff14f70a7c974a2ac018e4b11ebc6b36da
Instruction Fuzzy Hash: 62B1BC75B04215CFCB159F68C898B2A7BE6ABD8314F58896AE406CB395DF34C841D790

Function 02A45C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,iq, xrefs: 02A45CDE
,iq, xrefs: 02A45CE8

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: ,iq$,iq
API String ID: 0-3242339887
Opcode ID: 3e8697d5071c5045ef35d4fadabf5050b21126ea16196f6fc86126d7762ded2d
Instruction ID: fcc48c31c347dd6858693163f7e613ea612614af1530995cc3a86263437e3f99
Opcode Fuzzy Hash: 3e8697d5071c5045ef35d4fadabf5050b21126ea16196f6fc86126d7762ded2d
Instruction Fuzzy Hash: 6E818C75E002059FCB18CF69C8C9A6AB7B2BFD9214BA58169D416DB364DF31E841CF90

Function 02A495D9 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02A4966C
T, xrefs: 02A495E6

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 4'eq$T
API String ID: 0-2582472209
Opcode ID: c1fe8a49ca80098d9f2d9c2b4caf2169fea9101d07e9dde3002a674e0e5bd289
Instruction ID: 6f7252398ce56d6330e9797d6a0e0148b29b6db2439c6f9903592535e70f4a96
Opcode Fuzzy Hash: c1fe8a49ca80098d9f2d9c2b4caf2169fea9101d07e9dde3002a674e0e5bd289
Instruction Fuzzy Hash: 9751D6716042468FDB05DB788894BBFBBBAEFC5300F18846AE405DB291DF25DC42CBA1

Function 02A49390 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02A494E4
4'eq, xrefs: 02A494CD

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq
API String ID: 0-907361030
Opcode ID: 0d70eb67fcbdeddd73c24cc9b62d5bebf1b32c3737527f249869133a5a1bc656
Instruction ID: da2a754fcdc18992c5dc10f167061f7bbc37d960dd7d0cef83fc9c508a7288b5
Opcode Fuzzy Hash: 0d70eb67fcbdeddd73c24cc9b62d5bebf1b32c3737527f249869133a5a1bc656
Instruction Fuzzy Hash: 1B517B357002069FDB00DB68C884B6BBBEAEFC8354F54C469E908CB295EF35DC118B61

Function 02A43428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xiq, xrefs: 02A4345E
Xiq, xrefs: 02A43435

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: Xiq$Xiq
API String ID: 0-733771754
Opcode ID: 406df7120f4dc84f5c52bd3e279d2e0d4c372827f51db70bbe3c9c37ec9fd642
Instruction ID: 09a22e127f20803d4ed96b444d0035c3340a440d68a97097474e07caa01e5420
Opcode Fuzzy Hash: 406df7120f4dc84f5c52bd3e279d2e0d4c372827f51db70bbe3c9c37ec9fd642
Instruction Fuzzy Hash: 2031D575B003258BDF2D9AAA49D42BE76EABBC4311F74447DE816C7380DFB4CC418652

Function 02A40C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LReq, xrefs: 02A40E5E

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: 3a0e1f393c4764e0f6a13fab3428dc87fe8360c62075bb0e1004a1e2bd8738f3
Instruction ID: 5ded98b9c88208cf5395638f6721d27099fc6c8cc8fce5c65a6e7e71bf7375e7
Opcode Fuzzy Hash: 3a0e1f393c4764e0f6a13fab3428dc87fe8360c62075bb0e1004a1e2bd8738f3
Instruction Fuzzy Hash: C322CE79D00219CFCB55EF68E889A9DBBB2FF88301F1085A9E409A7359DB706D85CF40

Function 02A40CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LReq, xrefs: 02A40E5E

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: d7ddf7b226136c91bdd7b143c28229895d6e4755f6ba5623e7d880aa96d4d5d8
Instruction ID: 20f96c5d13b092635bb66667f88c3c8f38df2899483d88f1a3f95f86f133eb50
Opcode Fuzzy Hash: d7ddf7b226136c91bdd7b143c28229895d6e4755f6ba5623e7d880aa96d4d5d8
Instruction Fuzzy Hash: 4722CE79D00219CFCB55EF68E889A9DBBB2FF88301F1085A9E409A7359DB706D85CF40

Function 02A4964C Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02A4966C

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: f6ab716a252e76efe00bb74ad3d1fe13090a53bf757c7466eda16139cd311525
Instruction ID: f09198f9b572ca144e8e70644035b35b74ce13ff7edbf081e24fb67b08b8e583
Opcode Fuzzy Hash: f6ab716a252e76efe00bb74ad3d1fe13090a53bf757c7466eda16139cd311525
Instruction Fuzzy Hash: F7418F75B041568FDF15DBA98980ABFB7BAAFC8310F148469E802DB251DF34DC51CBA0

Function 02A4A650 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(oeq, xrefs: 02A4A7D9

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: (oeq
API String ID: 0-952175256
Opcode ID: b91e945954f5a5cb27eda7fc9fc841d06a6f18740511f2c33577859db97a1fad
Instruction ID: 56f6b8dbdbc0e7f55433b09860b450c2221c0b07f1498fc73e3a5475356bcaea
Opcode Fuzzy Hash: b91e945954f5a5cb27eda7fc9fc841d06a6f18740511f2c33577859db97a1fad
Instruction Fuzzy Hash: 2541CF36B102148FCB199B68D965AAE7BF6BBC8310F148469E516EB391DF34DC01CB90

Function 02A4A818 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaf21c4789dc37b959776f8f91b54afa68141c7961079deff26adc163426713
Instruction ID: ec711aaee289ba8e215b7e7caed0c0b4c12d2095edf3994fd0a132ffad65a721
Opcode Fuzzy Hash: fcaf21c4789dc37b959776f8f91b54afa68141c7961079deff26adc163426713
Instruction Fuzzy Hash: 1DF1FA75A405158FCB04CFADC994A9DBBF6BF88314B1A8069E515EB362CF35EC42CB50

Function 02A49170 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9e3540f76150f78fcb1a49098c5f5277be5f81a59e6d68dffb08a97d6826ed
Instruction ID: 534521a876376785e751f2bd926cb8d206bf74f68ae9f325a8a935131f263821
Opcode Fuzzy Hash: aa9e3540f76150f78fcb1a49098c5f5277be5f81a59e6d68dffb08a97d6826ed
Instruction Fuzzy Hash: 2A81D4315006469FCB11CF6CC884AABFBBAFF85324F558665E85897255CF31F862CBA0

Function 02A47438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d2be84ed073e88c275b56c3ecb3a9fe08aff7e84a5ce006fb98b89f8e93185
Instruction ID: 9df81f14ff4b402a861934cacb77e78f1562672aedce9a1a87ba1fe08b7f4020
Opcode Fuzzy Hash: d1d2be84ed073e88c275b56c3ecb3a9fe08aff7e84a5ce006fb98b89f8e93185
Instruction Fuzzy Hash: 3971F9347002858FCB15DF28C898AA9BBFAAF89705F5540A9E806CB3B1DF74DC41CB91

Function 02A4CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c11c9889bd976f8b1db7c81079198adf1796b30b4041b5feec7510d6206fbf3
Instruction ID: 7110c37a885b049550c0497b069ed236f56644381a50fdf705d5b2e032b6376a
Opcode Fuzzy Hash: 5c11c9889bd976f8b1db7c81079198adf1796b30b4041b5feec7510d6206fbf3
Instruction Fuzzy Hash: 8751C0302313438FC3552F62A5AE12ABFA9FB0F717B55AC58F11E89419DF705494CB24

Function 02A4CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884a54cc6507b68788d66b10023d50bf7b79867b1162f2ec72e237189f5813df
Instruction ID: 4a1aaa6d9cb32117c9bf19669a4de2c00ff310480728e245ec32ccbc8a76d89f
Opcode Fuzzy Hash: 884a54cc6507b68788d66b10023d50bf7b79867b1162f2ec72e237189f5813df
Instruction Fuzzy Hash: B551AF302313478FC2952F62A1AE12ABFA9FB4F727B55AC58F11E89419DF705494CB24

Function 02A4CD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc69c082888b802ac8022a7fd6766f0214b4a1483df25747f62d07367c38cb4
Instruction ID: 8eb74ccca59f071c9503751b383a09d93221bdbfe6b2ded281fa46c36d01e9bd
Opcode Fuzzy Hash: 6fc69c082888b802ac8022a7fd6766f0214b4a1483df25747f62d07367c38cb4
Instruction Fuzzy Hash: DA518174E012189FDB48DFA9D9849DDBBF2FF89310F248169E419AB364DB30A901CF50

Function 02A43908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3960f64feb6d16ea9d263e1efa48f359020086f46313d1bab426d646ebe09602
Instruction ID: a1032325e4c5f80ff8776baaa03673caa85aaaaa6f759ab76aaef267945e777d
Opcode Fuzzy Hash: 3960f64feb6d16ea9d263e1efa48f359020086f46313d1bab426d646ebe09602
Instruction Fuzzy Hash: B551A379E01208CFCB48DFA9D59499DBBB2FF89311B209469E805BB368DB31A845CF50

Function 02A49A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0cbbe7555bd93762ab093c9722a8bbcb020193244598c23a98d5722c3e8e5f
Instruction ID: b2e2cdcff6751c338d3c13c0645194aaa93ba3b991f8414196ae199b77c704b2
Opcode Fuzzy Hash: 1e0cbbe7555bd93762ab093c9722a8bbcb020193244598c23a98d5722c3e8e5f
Instruction Fuzzy Hash: 6E41A231A0424ADFCF11CFA4C884B9FBFB2AF89314F048566E915AF255DB34D961CBA0

Function 02A46730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec82e45573221ae3bf9004dd24d16296ee5b5acbd7ab1c6af0e8dc90c5c1b7b
Instruction ID: 1863cabe2a60daabb2d6e8c89b7a058bf066f026475f1a41cde37772df4b6543
Opcode Fuzzy Hash: dec82e45573221ae3bf9004dd24d16296ee5b5acbd7ab1c6af0e8dc90c5c1b7b
Instruction Fuzzy Hash: 9B41CE31A00208DFCB148F64C944BAABBFAFB89714F04842AE8559B251DF78ED45CFA1

Function 02A44DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb37eae3772689c060069f35b3a9c7fe30a80c0d0f01f277575f309e0b297b6
Instruction ID: e3e996dce09550d7f8a6c0e01214ebd46ae0bc1989d7c4e0accea635c73a92f0
Opcode Fuzzy Hash: 5fb37eae3772689c060069f35b3a9c7fe30a80c0d0f01f277575f309e0b297b6
Instruction Fuzzy Hash: EE315C3521415AEFCB059F64D895AAF3BA6FB8C314F108428F9198B254CF38DD65DFA0

Function 02A476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46a4704a1ec39695221b77715c326a94e485ce3cc8db9528838c55b6577ccdd
Instruction ID: 4521a378c6c8833acd38230fbc44adb4cdf76eddfac78591be5aba5ed30c66bb
Opcode Fuzzy Hash: f46a4704a1ec39695221b77715c326a94e485ce3cc8db9528838c55b6577ccdd
Instruction Fuzzy Hash: 8021BE393102418BEB1557299DD4F3AB69BAFC8B18F948078E506CB798EF65CC41D780

Function 02A4A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70dd442402203e1d6f29a6beb9342b1f78e0d05a61894fa20108ab535b974aaf
Instruction ID: 1dde11a12a1263de84a831a2c36afefdb9e33caa6710948354b04883674dd751
Opcode Fuzzy Hash: 70dd442402203e1d6f29a6beb9342b1f78e0d05a61894fa20108ab535b974aaf
Instruction Fuzzy Hash: 39319E70A405098FCB04CF69C895AAEBBB6BFC8314F168159E5159B3A6CF30EC42CB90

Function 02A42060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2decda9b55257b604b82b49380312a41118b5458f7227226bd1646b2daef36b1
Instruction ID: db66bb59e5bfc557bdbf427fcc63b9e436c347092b3c44a6e0116ddd55318de5
Opcode Fuzzy Hash: 2decda9b55257b604b82b49380312a41118b5458f7227226bd1646b2daef36b1
Instruction Fuzzy Hash: 1021AE35A002159FCB54DF24D580AAE77B6EFD8260F60C419EC0A8B358DF31EE46CB91

Function 02A4D11E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9231f30c10e8edb494b925fe27de147e910f8325b3893e22572dcf0fbb8753
Instruction ID: e6ee7a672db1fa382a21acccee80e945e95bd7e41f294d58358498374a32aa13
Opcode Fuzzy Hash: ff9231f30c10e8edb494b925fe27de147e910f8325b3893e22572dcf0fbb8753
Instruction Fuzzy Hash: 8C212631C106099ECB10EFE8E9446ECFBB4FF4A305F109529E95477218EB30A68ACB50

Function 0112D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195753869.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_112d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5729f360dc93924a2b00cae49472dd57055c2d8eac634cb27c23981c7af6a7
Instruction ID: 31f9cae8295df1c6c0a606a1cc0bc9b2296a7835e09cff9ceb35a653e5b4c21c
Opcode Fuzzy Hash: 8a5729f360dc93924a2b00cae49472dd57055c2d8eac634cb27c23981c7af6a7
Instruction Fuzzy Hash: 25210671504240DFDF09DF58E9C0B26BF75FB88328F24C569E9050A246C376D465CBA2

Function 02A45A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6da00fe35aa320bbb2fb3a1bde5d967cfc3d88b19ad4b72dba553953ed2fd9
Instruction ID: a0bf9243788cd1d15e437a4362f3a8ec68273ea84e27bead988af5aeaa0323f3
Opcode Fuzzy Hash: 0a6da00fe35aa320bbb2fb3a1bde5d967cfc3d88b19ad4b72dba553953ed2fd9
Instruction Fuzzy Hash: C521AE35B016128FC7299B25C4E852AB7A6EBC8765B948179E906DB354DF30DC06CBC0

Function 02A4D218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3347938fca5b6eea826a78aa1cb36d0ad11f34b57d94e4f0546f875aa7efe73
Instruction ID: ba19e4b1c53d8e5a2d8e0ba62439526843804b9cb86f237e07d4ceec1c67495c
Opcode Fuzzy Hash: a3347938fca5b6eea826a78aa1cb36d0ad11f34b57d94e4f0546f875aa7efe73
Instruction Fuzzy Hash: 0C212974A012098FCF08DFB4D450AEDBBB2FB8A304F105869D41577394DB39A942CF64

Function 02A439ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452ffabd363a7ebdd5163b6bc8964516732cb5df10916d455047511b6050e4f6
Instruction ID: db628ced2a81486d1aa0e282040ef6572ec8a6e7cc4ca567716e63319d18fc91
Opcode Fuzzy Hash: 452ffabd363a7ebdd5163b6bc8964516732cb5df10916d455047511b6050e4f6
Instruction Fuzzy Hash: 05318979E11209DFCB44DFA8E5948ADBBF6FF49301B204469E909AB369DB31AD05CF40

Function 02A44DB9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062ca21c5c47f40f5a85d96ccdfab3a39addc497fcfa1a4aad87424719266023
Instruction ID: 60a70e9b10726373503161703abaa4fe9703a374f4bd225770dfdf148096432a
Opcode Fuzzy Hash: 062ca21c5c47f40f5a85d96ccdfab3a39addc497fcfa1a4aad87424719266023
Instruction Fuzzy Hash: D021AE35204159DFCB199F68D495BAB3BA6FB8C314F508428F9198B244CF38DC55CBE0

Function 02A48EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e98daa6bb2863a31fb45cbf62fea5408ecaba40b69a9d5162d5a41d8f65dbed
Instruction ID: a102e2f4586a022978d4678cbc83eb7427b5cf1b4c9ce7aff29745bea46f5939
Opcode Fuzzy Hash: 7e98daa6bb2863a31fb45cbf62fea5408ecaba40b69a9d5162d5a41d8f65dbed
Instruction Fuzzy Hash: AE216874A00248DFCB04CFA1E890AAEBFB6BF88304F24806AE411E6294CF35E941CF50

Function 02A4D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831e5b2f382dd7292076c76b477dcff6fb9dec952eb92e758ef43f3b5a0da44c
Instruction ID: d692b9afa528cb9678c475ed511a3baab866a8ca67ff6c2a351cc3f133299a2d
Opcode Fuzzy Hash: 831e5b2f382dd7292076c76b477dcff6fb9dec952eb92e758ef43f3b5a0da44c
Instruction Fuzzy Hash: 4021E435A012088FDF08DFB4D854AEEB7B2FB8A305F109829D81577394DB39A942CF64

Function 02A45B50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef2db6ae0dccce7acf7e8adb8269dbc240a0e94ca5c1a822de93d17f4cefa45
Instruction ID: a6f657e503f84a7ed759eebdbced28828b7cd03b1e7c778d5e1397b0ca909e84
Opcode Fuzzy Hash: 9ef2db6ae0dccce7acf7e8adb8269dbc240a0e94ca5c1a822de93d17f4cefa45
Instruction Fuzzy Hash: BB11CE707002058FC344AF7AD490A2AB7D9BFD964475544BDE60ACB3A0EFA5DC06C7A8

Function 02A41F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680ca243487102c2e25e44ea024840d10aa11e8d427db5ba1be5d97773f06de5
Instruction ID: bac56f351fdcc2e3e760d440d3c2f5538920913bb6ea6803e52d6e959e49c4ed
Opcode Fuzzy Hash: 680ca243487102c2e25e44ea024840d10aa11e8d427db5ba1be5d97773f06de5
Instruction Fuzzy Hash: 0621C274C1020A8FCB44EFA8D9456EEFFF4BF48300F10812AE805B7214EB305A46CBA1

Function 0112D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195753869.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_112d000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: ecb3f9a8fc31e7130bd13624c13852a5dbe235932d8ed5bb1a401b88f3468f5a
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: CB11AF76504280CFDF16CF54D5C4B16BF71FB84324F24C6A9D9090B256C37AD46ACBA2

Function 02A45607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743d9a7bfcc584c1826f43535c4fe5af668dc187d50c954782e4e45a17109b8e
Instruction ID: 43ccaf6069fe58dcd53d04cf17a1a68dd53be25d08b12a6238bf06f8202bbf13
Opcode Fuzzy Hash: 743d9a7bfcc584c1826f43535c4fe5af668dc187d50c954782e4e45a17109b8e
Instruction Fuzzy Hash: 6601F532B00115AFCB058E549810BAE7FEBDBD8350F588029F514DB240CE35C8128BA4

Function 02A41F08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5c6de5f674e98ccad46629d58de3407993ce11e61955081cd5dc48e31c1c2b
Instruction ID: c56bc370e6d3359d1978a07952415bd701f84fb73f2ad999e85a11680e721bc2
Opcode Fuzzy Hash: 6a5c6de5f674e98ccad46629d58de3407993ce11e61955081cd5dc48e31c1c2b
Instruction Fuzzy Hash: C711E2B4C1460A8FCB00EFA8D4555EEFFF0BF49300F10826AE805B7264EB305A85CBA1

Function 02A4215C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0eac277667710f32f3a000d2c1926be45ab2c6f45a2366d02a4b0fb5df6ca8
Instruction ID: 8d9dfa8098d85264d54f57ff71720d18d187dad271c04625dd9b71b30ca80126
Opcode Fuzzy Hash: 8d0eac277667710f32f3a000d2c1926be45ab2c6f45a2366d02a4b0fb5df6ca8
Instruction Fuzzy Hash: CAE0AB7474414CE6CB55EB38A4009EFB321FAC5121720175DE967870D4DE239C07C241

Function 02A42010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed789c4ba19d799fe7b7913d89825d6ed0c1100fb7c169cbd9411eb956b187dd
Instruction ID: c618f9500b118d03086e092fff3d42e7f1cc4a1c303e44c85b52fbf79f94ebe0
Opcode Fuzzy Hash: ed789c4ba19d799fe7b7913d89825d6ed0c1100fb7c169cbd9411eb956b187dd
Instruction Fuzzy Hash: 34E08C33D2072B53CB00A6B5DC06ADEF778EFD6260F848626D82476544EB70275A82E1

Function 02A42020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fa493bd2cceb6c2d0f4647dee7c357f987aa5a9a7befa355494f20eb5fabc1
Instruction ID: 029bc0a622d6c8ecf8e7d7f29d452ea5785f4d4c389dded27e885aa293771617
Opcode Fuzzy Hash: 41fa493bd2cceb6c2d0f4647dee7c357f987aa5a9a7befa355494f20eb5fabc1
Instruction Fuzzy Hash: AFD05E32D2032B97CB00EBA5EC048EFFB38EED6261B958626D52437154FB702659C6E1

Function 02A48258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 137787a9d7fefc7cc0c04a953cef4b76d1c67f97f477bd9b643fd77081d43a36
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 9CC0127320C1282EA624108E7C84AA3AB8CC6C12F8A250177F92CA3200AC46AC8041A8

Function 02A4A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd0b93d3f0de82e50c32cbb1ff5ce81e43c67e84f1e47f551e7e45d76ddc7d0
Instruction ID: 1253f29924abc2af0fa13fadb04669a28553d90df06bc0369a5ff9c31f392750
Opcode Fuzzy Hash: acd0b93d3f0de82e50c32cbb1ff5ce81e43c67e84f1e47f551e7e45d76ddc7d0
Instruction Fuzzy Hash: 8ED0677AB51018DFCB049F98EC408DDBBB6FB9C321B048116F915A7261C6319961DBA0

Function 02A45EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c7b50942d520c99f007fc20484e24f0f4dbbd268652287acb9240a363e4a45
Instruction ID: 1e3c417ea1dea906d194cf9afc8559e5ba82d5720a3c421d1a7cda8490ed096d
Opcode Fuzzy Hash: 92c7b50942d520c99f007fc20484e24f0f4dbbd268652287acb9240a363e4a45
Instruction Fuzzy Hash: B3D05EAA80878047C30BF660ED921143F26BA80208BD84996F4658AB1AE7684A488261

Function 02A45EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff3bfff52d4e980ae3c4b6860496f5c46e7b99577a61ee975e296e623591d2a
Instruction ID: da93ec0bfe751b253fbf3fb419d2c521c2adcc76112f2584cf8a9a9fcfbe6b93
Opcode Fuzzy Hash: eff3bfff52d4e980ae3c4b6860496f5c46e7b99577a61ee975e296e623591d2a
Instruction Fuzzy Hash: 5CC0127511474A47C506FB75F9855153B2EFBC0304F908950F01A0A61AEF7819844690

Non-executed Functions

Function 02A421E2 Relevance: 5.1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

Strings

Xiq, xrefs: 02A42314
Xiq, xrefs: 02A4220E
Xiq, xrefs: 02A422C7
Xiq, xrefs: 02A42248

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: Xiq$Xiq$Xiq$Xiq
API String ID: 0-4026295062
Opcode ID: 5a777e32c02b7612086cd08a4129b0716ba8bd34a0db168f458e862488acb871
Instruction ID: 66181b43dfd76eea40d8fa6c55095f53543ecf112631262e3e7ce966eba6b7d9
Opcode Fuzzy Hash: 5a777e32c02b7612086cd08a4129b0716ba8bd34a0db168f458e862488acb871
Instruction Fuzzy Hash: 5051A870E043198BDF659B6889553BEBBB2BFC8300F1444A5DD1997245DF30DE81CB92

Function 02A46088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;eq, xrefs: 02A460BA
\;eq, xrefs: 02A460C6
\;eq, xrefs: 02A46094
\;eq, xrefs: 02A4609E

Memory Dump Source

Source File: 00000002.00000002.2196393753.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a40000_SBkuP3ACSA.jbxd

Similarity

API ID:
String ID: \;eq$\;eq$\;eq$\;eq
API String ID: 0-3455962030
Opcode ID: 0715cbbe9cb4efe0e0a0ea660efa0be694c17379b5e0bab6d71a570ed4187454
Instruction ID: 6cc73063b4163e19999771a00baca53339bb780c232f8e432784189b7e208b7d
Opcode Fuzzy Hash: 0715cbbe9cb4efe0e0a0ea660efa0be694c17379b5e0bab6d71a570ed4187454
Instruction Fuzzy Hash: E4017C317101148F8B648F2DC484A2677EAAFDAF64725817AE501CB3B4EFB2EC41C790

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SBkuP3ACSA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SBkuP3ACSA.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
SBkuP3ACSA.exe

Function 08999680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 00ABD3C9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 00ABD3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00ABAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 00AB590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00AB4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00ABD619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00ABD620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 08990563 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Function 08997A30 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Function 08999C43 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Function 08990588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON