Edit tour

Windows Analysis Report
jxy62Zm6c4.exe

Overview

General Information

Sample name:	jxy62Zm6c4.exe renamed because original name is a hash value
Original sample name:	06cfbe948b8a7ea8c436a72f92cf15324fad43bd6cb233991984d50d009bdbd0.exe
Analysis ID:	1587950
MD5:	4d96153e0c2c143244edf3b77857a01c
SHA1:	39f42b2c05becbab9f3d3a8efe48a210b7f884d1
SHA256:	06cfbe948b8a7ea8c436a72f92cf15324fad43bd6cb233991984d50d009bdbd0
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

jxy62Zm6c4.exe (PID: 988 cmdline: "C:\Users\user\Desktop\jxy62Zm6c4.exe" MD5: 4D96153E0C2C143244EDF3B77857A01C)

RegAsm.exe (PID: 2996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7459538222:AAGuCst3-DtyuFFYR_gchsq5lh5abp8uwcc", "Telegram Chatid": "5943299713"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3416355637.00000000034D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x68761:$a1: get_encryptedPassword 0x80789:$a1: get_encryptedPassword 0x987a9:$a1: get_encryptedPassword 0xb05c9:$a1: get_encryptedPassword 0x68a9d:$a2: get_encryptedUsername 0x80ac5:$a2: get_encryptedUsername 0x98ae5:$a2: get_encryptedUsername 0xb0905:$a2: get_encryptedUsername 0x684ee:$a3: get_timePasswordChanged 0x80516:$a3: get_timePasswordChanged 0x98536:$a3: get_timePasswordChanged 0xb0356:$a3: get_timePasswordChanged 0x6860f:$a4: get_passwordField 0x80637:$a4: get_passwordField 0x98657:$a4: get_passwordField 0xb0477:$a4: get_passwordField 0x68777:$a5: set_encryptedPassword 0x8079f:$a5: set_encryptedPassword 0x987bf:$a5: set_encryptedPassword 0xb05df:$a5: set_encryptedPassword 0x6a147:$a7: get_logins
Process Memory Space: jxy62Zm6c4.exe PID: 988	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: jxy62Zm6c4.exe PID: 988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jxy62Zm6c4.exe PID: 988	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jxy62Zm6c4.exe PID: 988	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc8b:$a1: get_encryptedPassword 0x2dfb8:$a2: get_encryptedUsername 0x2da2c:$a3: get_timePasswordChanged 0x2db4d:$a4: get_passwordField 0x2dca1:$a5: set_encryptedPassword 0x2f613:$a7: get_logins 0x2f2c4:$a8: GetOutlookPasswords 0x2f0a2:$a9: StartKeylogger 0x2f563:$a10: KeyLoggerEventArgs 0x2f0ff:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 2996	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2996	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2996	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1727d:$a1: get_encryptedPassword 0x175aa:$a2: get_encryptedUsername 0x1701e:$a3: get_timePasswordChanged 0x1713f:$a4: get_passwordField 0x17293:$a5: set_encryptedPassword 0x18c05:$a7: get_logins 0x188b6:$a8: GetOutlookPasswords 0x18694:$a9: StartKeylogger 0x18b55:$a10: KeyLoggerEventArgs 0x186f1:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
2.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148bd:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bcb:$a4: \Orbitum\User Data\Default\Login Data 0x159c3:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fed618.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.jxy62Zm6c4.exe.3fed618.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12abd:$a3: \Google\Chrome\User Data\Default\Login Data 0x12dcb:$a4: \Orbitum\User Data\Default\Login Data 0x13bc3:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12abd:$a3: \Google\Chrome\User Data\Default\Login Data 0x12dcb:$a4: \Orbitum\User Data\Default\Login Data 0x13bc3:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12abd:$a3: \Google\Chrome\User Data\Default\Login Data 0x12dcb:$a4: \Orbitum\User Data\Default\Login Data 0x13bc3:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x27fb1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x282ed:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27d3e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x27e5f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x27fc7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29997:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29648:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x29426:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x298e7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler 0x29483:$a11: KeyLoggerEventArgsEventHandler
1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d1df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148bd:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c6dd:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bcb:$a4: \Orbitum\User Data\Default\Login Data 0x2c9eb:$a4: \Orbitum\User Data\Default\Login Data 0x159c3:$a5: \Kometa\User Data\Default\Login Data 0x2d7e3:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281b1:$a1: get_encryptedPassword 0x3ffd1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284ed:$a2: get_encryptedUsername 0x4030d:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f3e:$a3: get_timePasswordChanged 0x3fd5e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2805f:$a4: get_passwordField 0x3fe7f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281c7:$a5: set_encryptedPassword 0x3ffe7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29b97:$a7: get_logins 0x419b7:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29848:$a8: GetOutlookPasswords 0x41668:$a8: GetOutlookPasswords
1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x451ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148bd:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8dd:$a3: \Google\Chrome\User Data\Default\Login Data 0x446fd:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bcb:$a4: \Orbitum\User Data\Default\Login Data 0x2cbeb:$a4: \Orbitum\User Data\Default\Login Data 0x44a0b:$a4: \Orbitum\User Data\Default\Login Data 0x159c3:$a5: \Kometa\User Data\Default\Login Data 0x2d9e3:$a5: \Kometa\User Data\Default\Login Data 0x45803:$a5: \Kometa\User Data\Default\Login Data
1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281b9:$a1: get_encryptedPassword 0x401d9:$a1: get_encryptedPassword 0x57ff9:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284f5:$a2: get_encryptedUsername 0x40515:$a2: get_encryptedUsername 0x58335:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f46:$a3: get_timePasswordChanged 0x3ff66:$a3: get_timePasswordChanged 0x57d86:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x28067:$a4: get_passwordField 0x40087:$a4: get_passwordField 0x57ea7:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281cf:$a5: set_encryptedPassword 0x401ef:$a5: set_encryptedPassword 0x5800f:$a5: set_encryptedPassword 0x11b77:$a7: get_logins
1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153bf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45407:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d227:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148bd:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8e5:$a3: \Google\Chrome\User Data\Default\Login Data 0x44905:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c725:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bcb:$a4: \Orbitum\User Data\Default\Login Data 0x2cbf3:$a4: \Orbitum\User Data\Default\Login Data 0x44c13:$a4: \Orbitum\User Data\Default\Login Data 0x5ca33:$a4: \Orbitum\User Data\Default\Login Data 0x159c3:$a5: \Kometa\User Data\Default\Login Data 0x2d9eb:$a5: \Kometa\User Data\Default\Login Data 0x45a0b:$a5: \Kometa\User Data\Default\Login Data 0x5d82b:$a5: \Kometa\User Data\Default\Login Data
Click to see the 30 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:42:45.260205+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49710	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jxy62Zm6c4.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7459538222:AAGuCst3-DtyuFFYR_gchsq5lh5abp8uwcc", "Telegram Chatid": "5943299713"}

Multi AV Scanner detection for submitted file

Source: jxy62Zm6c4.exe	Virustotal: Detection: 75%			Perma Link
Source: jxy62Zm6c4.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: jxy62Zm6c4.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: jxy62Zm6c4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49732 version: TLS 1.0

Source: jxy62Zm6c4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172A7E0h	2_2_0172A3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172EA98h	2_2_0172E7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172A0B9h	2_2_01729E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172A7E0h	2_2_0172A3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172E640h	2_2_0172E398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172A7E0h	2_2_0172A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172EEF0h	2_2_0172EC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172F348h	2_2_0172F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172F7A0h	2_2_0172F4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0172FBF8h	2_2_0172F950

Source: global traffic

HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49732 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.00000000033EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/d

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172E7F0	2_2_0172E7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01722DD1	2_2_01722DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01729E08	2_2_01729E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172E398	2_2_0172E398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172E211	2_2_0172E211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172E7E0	2_2_0172E7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172EC48	2_2_0172EC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172EC39	2_2_0172EC39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F0A0	2_2_0172F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F090	2_2_0172F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F4F8	2_2_0172F4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F4E8	2_2_0172F4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F950	2_2_0172F950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0172F941	2_2_0172F941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01729BEC	2_2_01729BEC

Source: jxy62Zm6c4.exe, 00000001.00000002.2177716038.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs jxy62Zm6c4.exe
Source: jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs jxy62Zm6c4.exe
Source: jxy62Zm6c4.exe, 00000001.00000002.2176590739.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jxy62Zm6c4.exe
Source: jxy62Zm6c4.exe, 00000001.00000000.2173504563.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDHL Shpping Document GMBH.exe4 vs jxy62Zm6c4.exe
Source: jxy62Zm6c4.exe	Binary or memory string: OriginalFilenameDHL Shpping Document GMBH.exe4 vs jxy62Zm6c4.exe

Source: jxy62Zm6c4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jxy62Zm6c4.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: jxy62Zm6c4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jxy62Zm6c4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3416355637.0000000003496000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.0000000003473000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.0000000003481000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.0000000003463000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3417116196.00000000043AD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: jxy62Zm6c4.exe	Virustotal: Detection: 75%
Source: jxy62Zm6c4.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\jxy62Zm6c4.exe "C:\Users\user\Desktop\jxy62Zm6c4.exe"
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jxy62Zm6c4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jxy62Zm6c4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 16E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe TID: 5196

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3415052281.0000000001535000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1064008	Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe	Queries volume information: C:\Users\user\Desktop\jxy62Zm6c4.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jxy62Zm6c4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3416355637.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fed618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fd55f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jxy62Zm6c4.exe.3fbd5d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jxy62Zm6c4.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jxy62Zm6c4.exe	75%	Virustotal		Browse
jxy62Zm6c4.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
jxy62Zm6c4.exe	100%	Avira	TR/Dropper.Gen
jxy62Zm6c4.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/d	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000002.00000002.3416355637.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegAsm.exe, 00000002.00000002.3416355637.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3416355637.00000000033EE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegAsm.exe, 00000002.00000002.3416355637.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.3416355637.0000000003381000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	jxy62Zm6c4.exe, 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587950
Start date and time:	2025-01-10 19:41:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jxy62Zm6c4.exe renamed because original name is a hash value
Original Sample Name:	06cfbe948b8a7ea8c436a72f92cf15324fad43bd6cb233991984d50d009bdbd0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 2996 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
158.101.44.242	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	frosty.arm.elf	Get hash	malicious	Mirai	Browse	104.23.145.230
	Message.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188
	jd4t3R7hOq.exe	Get hash	malicious	Azorult	Browse	104.21.75.48
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\jxy62Zm6c4.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.191239485063231
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	jxy62Zm6c4.exe
File size:	276'480 bytes
MD5:	4d96153e0c2c143244edf3b77857a01c
SHA1:	39f42b2c05becbab9f3d3a8efe48a210b7f884d1
SHA256:	06cfbe948b8a7ea8c436a72f92cf15324fad43bd6cb233991984d50d009bdbd0
SHA512:	8b629da54ad94fc8a5f130da232a477b906df96d842552b20bdb7017bfc5d8a617d56ffca6d546b373385b3b4e90c09e1982e2706e969d154d25f612965ee71b
SSDEEP:	6144:/fnABIMnpvtxp1gZmMsGJB40QOnZxF3k/Fxg:/fABIMnpvtxLgovmq0QOnZxF3Srg
TLSH:	B344382439EA5019F1B3EFB94BE879AADA6FB7733B07646E109003464723981DEC153D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*'ag................. ...........>... ...@....@.. ....................................@................................

File Icon


Icon Hash:	6c693168c8e0e0b0

Static PE Info

General

Entrypoint:	0x443eae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6761272A [Tue Dec 17 07:24:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43e58	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x1250	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41eb4	0x42000	e6cd014685b60c9b6069615770daa3b2	False	0.48583984375	data	4.102458915188676	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0x1250	0x1400	166a03d8656bd46bd43cffa1b01794ac	False	0.51328125	data	5.286142231382264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0xc	0x200	aac1f55ec40d54720613d590f0ed7d94	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x443c0	0xc88	Device independent bitmap graphic, 32 x 48 x 32, image size 3072	0.5819825436408977
RT_GROUP_ICON	0x45048	0x14	data	1.2
RT_VERSION	0x44130	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data	0.4493865030674847
RT_MANIFEST	0x45060	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:42:45.260205+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49710	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:42:40.243839025 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:42:40.248697042 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:42:40.248784065 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:42:40.249033928 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:42:40.253807068 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:42:42.925111055 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:42:42.939908028 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:42:42.944664001 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:42:45.215405941 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:42:45.227070093 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.227101088 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.227184057 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.237807989 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.237827063 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.260205030 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:42:45.704996109 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.705199003 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.708144903 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.708159924 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.708522081 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.760270119 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.768047094 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:45.811332941 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.994328976 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.994396925 CET	443	49732	104.21.96.1	192.168.2.6
Jan 10, 2025 19:42:45.994446993 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:42:46.003748894 CET	49732	443	192.168.2.6	104.21.96.1
Jan 10, 2025 19:43:50.197277069 CET	80	49710	158.101.44.242	192.168.2.6
Jan 10, 2025 19:43:50.197339058 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:44:25.230115891 CET	49710	80	192.168.2.6	158.101.44.242
Jan 10, 2025 19:44:25.234877110 CET	80	49710	158.101.44.242	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:42:40.228818893 CET	61213	53	192.168.2.6	1.1.1.1
Jan 10, 2025 19:42:40.235752106 CET	53	61213	1.1.1.1	192.168.2.6
Jan 10, 2025 19:42:45.218616962 CET	60737	53	192.168.2.6	1.1.1.1
Jan 10, 2025 19:42:45.226139069 CET	53	60737	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:42:40.228818893 CET	192.168.2.6	1.1.1.1	0x15e2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.218616962 CET	192.168.2.6	1.1.1.1	0x6312	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:40.235752106 CET	1.1.1.1	192.168.2.6	0x15e2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:42:45.226139069 CET	1.1.1.1	192.168.2.6	0x6312	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	158.101.44.242	80	2996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:42:40.249033928 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 19:42:42.925111055 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 18:42:42 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 2daacacebc19efe419f2421d01d7b792 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 19:42:42.939908028 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 19:42:45.215405941 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 18:42:45 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 96c33fe636e4aa7e323cf9c4e35c66a0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49732	104.21.96.1	443	2996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:42:45 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 18:42:45 UTC	766	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:42:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vRZmiNsIXNRWn9Xjez%2Bf50SpncpRslLcRcK2ZpP3SFFVuLQdPmWW6uIWowZu%2FLBTH%2FD1E5r6tCPcwM64sDGKMZy0whCWOgcYrSCp2bTCEvXDw4dbm0s4fVPpGhaKMj8mOk11FeC5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffecf0c6b9c1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1945&rtt_var=744&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=687&delivery_rate=1457813&cwnd=157&unsent_bytes=0&cid=50cb745a8a67aa7f&ts=302&x=0"
2025-01-10 18:42:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	13:42:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\jxy62Zm6c4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jxy62Zm6c4.exe"
Imagebase:	0xc20000
File size:	276'480 bytes
MD5 hash:	4D96153E0C2C143244EDF3B77857A01C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2177758715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:42:39
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3414775742.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3416355637.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	43.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 053E0F54 Relevance: 1.8, APIs: 1, Instructions: 265
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053E11E9

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 67d79dc8b947536528a0acdae6ad8406147e8ba7472be2a46cf936e9e3936cd3
Instruction ID: f962f166eef1368b84f66aae796434b10b6633f844cfbc6e5b5ac4151e8bce6c
Opcode Fuzzy Hash: 67d79dc8b947536528a0acdae6ad8406147e8ba7472be2a46cf936e9e3936cd3
Instruction Fuzzy Hash: 77A14D71E002699FDB10CFA8C8857EDBBF2BF48314F1481A9E819E7290DB759985CF91

Function 053E0F60 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053E11E9

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d1997d569b7deaa7b125aa1c478b460adc2253e46c123af428397cdf40238443
Instruction ID: c330001386169d4db9fe6d131db9fb04108ec51678388a68313ca8c7d51ca9df
Opcode Fuzzy Hash: d1997d569b7deaa7b125aa1c478b460adc2253e46c123af428397cdf40238443
Instruction Fuzzy Hash: B2A14E71E002699FDB14CFA8C8417EDBBF2BF48304F148169E819E7290DB759985CF91

Function 053E1670 Relevance: 1.7, APIs: 1, Instructions: 194
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053E186D

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1c60656cf93cb4d44b4206885462ac72257d994b75e2c7ed6a7d2c22d4594e9c
Instruction ID: 98181ea7d9e4b923389eadeeeaa92c36019f1206488d0caa53b3e916bc4db096
Opcode Fuzzy Hash: 1c60656cf93cb4d44b4206885462ac72257d994b75e2c7ed6a7d2c22d4594e9c
Instruction Fuzzy Hash: 9061B771A002199FCB15DFA9C880AEFBBF6FF88300F148569E505EB385DB749905CBA4

Function 053E18B0 Relevance: 1.7, APIs: 1, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 053E1A57

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 09935050a61aa8eedfca5d7f9d120180cf05a77c17eb798a139750efe7aa58e6
Instruction ID: 351e0777d49fa50e536678b72816921d5a08fed676a9418b3ba48dee6a5276e7
Opcode Fuzzy Hash: 09935050a61aa8eedfca5d7f9d120180cf05a77c17eb798a139750efe7aa58e6
Instruction Fuzzy Hash: D051C270B002188FD714EFA9D454BAEBBF6EFC8310F18806AD519DB394DA749C06CBA5

Function 053E1321 Relevance: 1.6, APIs: 1, Instructions: 113
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 053E1437

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 66148ff85c1400dc4f65c15022a54ec415ce95efae561d524e3c1c87b7600781
Instruction ID: 768922b107930f1239e171aa2674b67aa69e1dcd79e1f3f948f6b7fa53da7c7e
Opcode Fuzzy Hash: 66148ff85c1400dc4f65c15022a54ec415ce95efae561d524e3c1c87b7600781
Instruction Fuzzy Hash: FF41EC31A042698FCB15DFA9C8547AEBBF1FF49310F1980AAD458EB391D7789C01CBA1

Function 053E1548 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053E1633

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7039e8d3006fed6b5f1ee459143ccace6b2793cd0b9b2b941edb4b6c746cf4bb
Instruction ID: d9546840e16997ad13ce8f3e3bfd7294ef059a3cec590921289f015ea9f84a43
Opcode Fuzzy Hash: 7039e8d3006fed6b5f1ee459143ccace6b2793cd0b9b2b941edb4b6c746cf4bb
Instruction Fuzzy Hash: 5531E371A003489FCB11DFA9C844BDEBFF5EF8A310F18806AE519AB391C7359801CBA4

Function 053E17E0 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053E186D

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 110951986d277791c73e44b8716b51e05895dba9167ace094f4bd3cdf16e8a32
Instruction ID: 0348cd7765908a41013af925685bf64f1706b7d29f6e2d49b864cdc6fb2aa289
Opcode Fuzzy Hash: 110951986d277791c73e44b8716b51e05895dba9167ace094f4bd3cdf16e8a32
Instruction Fuzzy Hash: B821F2B5900259DFDB10CF9AC885BDEBBF5FB48310F10842AE919A7250D778A940CBA4

Function 053E05B4 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(02F8B7B8,?,?,?,?), ref: 053E1507

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7f73f2b20d0b9eab98e175f95e733e325865429e61cdb92959756cee7f1d5477
Instruction ID: 8088474e29bbc77ecea0fa77f77f1f02d7c46012df98e158a07c5d88d2196a00
Opcode Fuzzy Hash: 7f73f2b20d0b9eab98e175f95e733e325865429e61cdb92959756cee7f1d5477
Instruction Fuzzy Hash: C32100B5900259DFCB10CF9AD884BDEBBF5FB48310F10842AE919A7350D378A950CBA4

Function 053E1480 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(02F8B7B8,?,?,?,?), ref: 053E1507

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3f665d52e6714f69f21986c5e93bd8accdd0989f9b5cd73c1a0cf7fccbe462fd
Instruction ID: 9af8f373172434c5b450bea448fe885c26f5a862db2d43e723f52b23194ec617
Opcode Fuzzy Hash: 3f665d52e6714f69f21986c5e93bd8accdd0989f9b5cd73c1a0cf7fccbe462fd
Instruction Fuzzy Hash: B52100B6900359DFCB10CF9AC884ADEBBF4FB48310F10842AE919A7250D339A940CFA5

Function 053E13C0 Relevance: 1.6, APIs: 1, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 053E1437

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 71f106692f7b51a731f8a6c42f405f3b6ff072283920d3ad1c3bed3267eed307
Instruction ID: 2bce24577dc422c0fe258baa5777386cbd2d0307f62dc5dd102da4aae92345a2
Opcode Fuzzy Hash: 71f106692f7b51a731f8a6c42f405f3b6ff072283920d3ad1c3bed3267eed307
Instruction Fuzzy Hash: A92124B1D0062A9FDB10CF9AC885B9EFBF4BB48620F54812AD518B7340D378A954CFA1

Function 053E15C8 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053E1633

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 73204701e4653da96c2a47abbbc434edc5981b55cc312918f09485f83899d79f
Instruction ID: ba7053950365ee00bafb11d5f0097e161696b7e42ff64de8f313351b2fee92c4
Opcode Fuzzy Hash: 73204701e4653da96c2a47abbbc434edc5981b55cc312918f09485f83899d79f
Instruction Fuzzy Hash: 2D1104B5900249DFDB20DF9AC884BDEFBF4FB88324F248419E519A7250C775A940CFA5

Function 053E19F8 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 053E1A57

Memory Dump Source

Source File: 00000001.00000002.2177957900.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_53e0000_jxy62Zm6c4.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a7076f3df7dc7903e8abd4504e8f4651a96b973e8e133eb09d421c1c68be571f
Instruction ID: 0fedc7480bc4e0a50e230bf28eaf00d01c98ad993cfa6d3a7743c1860c168989
Opcode Fuzzy Hash: a7076f3df7dc7903e8abd4504e8f4651a96b973e8e133eb09d421c1c68be571f
Instruction Fuzzy Hash: F51122B1800349CFDB20DF9AC885B9EFBF8AB88320F24841AD519A7250C774A940CFA5

Analysis Process: RegAsm.exePID: 2996, Parent PID: 988COMMON

Executed Functions

Function 01729BEC Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1d57f8bdb7e17d36d1803f1ada3f52e019c170dc37e79b9fa5d04309a22207
Instruction ID: 669571ffb2f37a56ca244955360628713452662ee92f579251d54294b72e603c
Opcode Fuzzy Hash: 2a1d57f8bdb7e17d36d1803f1ada3f52e019c170dc37e79b9fa5d04309a22207
Instruction Fuzzy Hash: FE410474D01258CBEB18CFAAD9446AEFBF2BF88300F24D16AC418AB255DB345946CF50

Function 0172E7F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32eee2b3c834a874887354fc965641e532a0da4f986614e310019e1912ad5e1
Instruction ID: 9d6bb245a23802aa9ef7c7d3aea560e30a14b0c2ab1e58853087a97b0bd07859
Opcode Fuzzy Hash: b32eee2b3c834a874887354fc965641e532a0da4f986614e310019e1912ad5e1
Instruction Fuzzy Hash: 5AC1AF74E00218CFDB54DFA9D954BADBBB2AF89300F2090A9D809AB355DB359E81CF51

Function 01722DD1 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6beeab2bf3449c856a86a7d4c14a982af95537475186bd52e85786f85ad1a8d
Instruction ID: 003cb1209698710851cb10f3d8604c889538ae6364bffb0ac31596fdbf86fbaa
Opcode Fuzzy Hash: e6beeab2bf3449c856a86a7d4c14a982af95537475186bd52e85786f85ad1a8d
Instruction Fuzzy Hash: 50919734B04255DBEB28DB74985467EFBB7BFC8710B08896DE506E7388DE39C9028791

Function 01729E08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd32f80645786e43f51f9b58ae5eeec0988cb4627f417c8eb6fd4ed8af880f6
Instruction ID: 49db454e9018a9499aa31b7d76b1ef28fb03fc5c40610d261d104aac2c26a710
Opcode Fuzzy Hash: 0cd32f80645786e43f51f9b58ae5eeec0988cb4627f417c8eb6fd4ed8af880f6
Instruction Fuzzy Hash: 15C19E78E00218CFDB14DFA5D994BADBBB2FB89300F2490A9D909A7355DB359E81CF50

Function 0172A3B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b42c4ea3f7a803396af09079547146afb63c2c795ab15778dc72070f0fd7ec9
Instruction ID: 32374acb2e9f07cf9dd36838b8faa94c325b6a735bf8dfbb9ee5408ad8aeff14
Opcode Fuzzy Hash: 1b42c4ea3f7a803396af09079547146afb63c2c795ab15778dc72070f0fd7ec9
Instruction Fuzzy Hash: 30A10370D00218CFEB24DFA9D948B9DBBB1FF88300F249269D509A7395DB749A85CF54

Function 0172A3C8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc36803400c9d96f71f7a93d4eb4f941f64ab3728c60906b6988c3ccdfcaddc5
Instruction ID: c6f18efb642d15b1ace12205f53cf7021a4aa2e12388524f4ef3990d6195f4db
Opcode Fuzzy Hash: dc36803400c9d96f71f7a93d4eb4f941f64ab3728c60906b6988c3ccdfcaddc5
Instruction Fuzzy Hash: D1A10370D00218CFEB24DFA9D948B9DBBB1FF88310F209269E509A73A5DB749985CF54

Function 0172A70E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95976532250dd6275dea3c92ab546efdf09514d2c2020cd69cb80b96898e2e8b
Instruction ID: 654150e533ae89aecf06a9139a2adb7776ba1352220e26cb8938e74c47bcd644
Opcode Fuzzy Hash: 95976532250dd6275dea3c92ab546efdf09514d2c2020cd69cb80b96898e2e8b
Instruction Fuzzy Hash: 3D91E274D00218CFEB20DFA9D948B9DFBB1FF48310F209269E509AB291DB759986CF14

Function 0172E7E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3274631d8bb5fea64c74c41e766c62896431ce1706e1a8b745a4f954d77a71cf
Instruction ID: 3a2af90e7066bb25f2b6239d1eb96f5018a1efc6e7e0e3744f0a30ea12fdb81d
Opcode Fuzzy Hash: 3274631d8bb5fea64c74c41e766c62896431ce1706e1a8b745a4f954d77a71cf
Instruction Fuzzy Hash: 1B41F670E01658CBEB18CFBAD8546ADFBF2AF89300F24D22AC415AB295DB344946CF50

Function 0172B2B8 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

, xrefs: 0172B3B5

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e9d5d935ceac67ff27cc6440bbf4060af3672bca482a0169ca7ab30ba71be093
Instruction ID: 299ccb8ebee4ae7ac3e77c3de3cb6f7d84c09dc6b34ce74d4c3077edd7376b7a
Opcode Fuzzy Hash: e9d5d935ceac67ff27cc6440bbf4060af3672bca482a0169ca7ab30ba71be093
Instruction Fuzzy Hash: 21A18630B003249FDB25AF78D49866DBBA2FF85321F148629E9158B3D1DF349D42CB51

Function 0172CDC8 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de702b25df2b2b1c14bd8e61376e56753bf22afd65e6c8fb481a6b8bad3b457e
Instruction ID: 2939fc2f825ed64ac1129d7ca93357ee2ffb4d475e502b7770022c6a858bf460
Opcode Fuzzy Hash: de702b25df2b2b1c14bd8e61376e56753bf22afd65e6c8fb481a6b8bad3b457e
Instruction Fuzzy Hash: BA721234A00219CFEB159BA4C860BAEBB77FF89300F1081ADD54AA7391DF359E85DB51

Function 0172B900 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e42541032282a4f5622e2a7adcd8a6d6e428cdaecacb1ab81b26dc42e6f489
Instruction ID: e3ccbe22c75507ae82812ec9db48e03eb23e738ac5e33e2e118aa1989c1e874c
Opcode Fuzzy Hash: 76e42541032282a4f5622e2a7adcd8a6d6e428cdaecacb1ab81b26dc42e6f489
Instruction Fuzzy Hash: F0B1B431B002158FDB15DB6CC894AAEBBB2FF89320F194469E505EB3A5DB31DD42CB91

Function 0172DC18 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271f807662803eb4b22fdc35505357463f25721a756cfbb344571f2cf61663dc
Instruction ID: b18434542f0e7db7e09b1325b279c0d01c4d384e88bdbfdebf10f2bb278f2521
Opcode Fuzzy Hash: 271f807662803eb4b22fdc35505357463f25721a756cfbb344571f2cf61663dc
Instruction Fuzzy Hash: 32D1D975E005248FCB15CF9CD9889ADBBF6BF9C310B1A8069E515AB362DB31EC42CB50

Function 0172DAF9 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8a7d85ac7ca2ee251077aa1ff3dfaaa069f79795f2bbe95130839b6555be1c
Instruction ID: 12e96e1b2a546a22cfeb540c75290aa4c2b85b7714a0ed6dae2e222f3db195d9
Opcode Fuzzy Hash: bf8a7d85ac7ca2ee251077aa1ff3dfaaa069f79795f2bbe95130839b6555be1c
Instruction Fuzzy Hash: 5AD1F875E006558FCB15CFA8C9889ADBBF6BF9D310F1A8059E515AB362CB31EC42CB50

Function 0172CA88 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0295d4a55666802e8d69739c2abf97b53654e6d91d880fbe9f79170be88ba1ee
Instruction ID: 3ed107ec672e56039573396359debe43a00f9da90806fdef3b2f26ad750852c2
Opcode Fuzzy Hash: 0295d4a55666802e8d69739c2abf97b53654e6d91d880fbe9f79170be88ba1ee
Instruction Fuzzy Hash: 0B61B4307041618FDB16CF3DD884A7EBBEAEF59610B1544AAE916CB362EB31DC42DB50

Function 01720B20 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac83d620e0698eae1f27b3dcc536719cc0ca66cdb52220c38b72bb3b915816c
Instruction ID: da6c3ede8c6187643d557eaa614b20a9b3a6f6f4a669cb1815ad09b9923a5bdc
Opcode Fuzzy Hash: 2ac83d620e0698eae1f27b3dcc536719cc0ca66cdb52220c38b72bb3b915816c
Instruction Fuzzy Hash: 55A1B774A0030ACFCB04DFA8E8949AEFBB6FB48305F105669E505A7365DB74AD46CF81

Function 0172C2C8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2786c11f3cfdb89e8f34dff4fa360e1848ed58ced5e0272d6dd8157901dda6
Instruction ID: 8e92f0cc8d65424cee2a9228f13818e08d3ca85a6e6867f77ab16cac671b6f46
Opcode Fuzzy Hash: 8d2786c11f3cfdb89e8f34dff4fa360e1848ed58ced5e0272d6dd8157901dda6
Instruction Fuzzy Hash: E651F072A006119FCB25CB6DDC84AAFFBB5FFD9320B14896AE519C7311D730DA028B90

Function 01720B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897a2d867199db4c1cd9b2c959f84e622af9b09d9c1735957c3ad089dc813dc0
Instruction ID: 8bc84cbce2e59e06f2644f51939d9f94e3613165edb0a6b3afc68294f0435e25
Opcode Fuzzy Hash: 897a2d867199db4c1cd9b2c959f84e622af9b09d9c1735957c3ad089dc813dc0
Instruction Fuzzy Hash: CDA1B774A0030ACFCB04DFA8E8949AEFBB6FB48305F106569E505A7355DB74AD46CF81

Function 017246A0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ea645fcaac6f4a9942cf11c40b30b37146eaa2d4d2663c24f2542e09317fe4
Instruction ID: 58706c5610b4f921982c48a1f5ba40b957ff53e3d0408bf7e728a57c166ceeb1
Opcode Fuzzy Hash: 93ea645fcaac6f4a9942cf11c40b30b37146eaa2d4d2663c24f2542e09317fe4
Instruction Fuzzy Hash: 8351A074E10258CFDB14DFA9D894AADFBF2BF89300F109069E816AB364DB749842CF50

Function 0172979F Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bcf75424cf572471dd788f315fb6665fb6525a5edd9c077a65ed520f4e6041
Instruction ID: 02a5b58ce1533a33826d8511b6a0f43d4f323f392000be175d561534c853a6be
Opcode Fuzzy Hash: f9bcf75424cf572471dd788f315fb6665fb6525a5edd9c077a65ed520f4e6041
Instruction Fuzzy Hash: AB4121B642638A8FD7017B60F9AC17A7F70FF0B327B08AC45E55A86919DB3042498F51

Function 0172BFF0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f32fbbc6e6ebcc2ede7c500daa25fe9a524ba9599129e10588246dee638166
Instruction ID: d2968baca74e01dc8c851025fe7f4a0317966c60aedec53b0c3dc311044b4724
Opcode Fuzzy Hash: 67f32fbbc6e6ebcc2ede7c500daa25fe9a524ba9599129e10588246dee638166
Instruction Fuzzy Hash: 4431C531B002059FCB19EFB9D854AAEBBB6EF89200B1445BEE509DB355DF349D02C790

Function 0172C888 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3dc384fb86441a4f49455168aedecfa6050759ec526561d0ef4bfe743dae93
Instruction ID: 6a692ffd86b5b0b32db82578cf74a7b9a79ce428a653b6ccffa2aa3486832334
Opcode Fuzzy Hash: 0e3dc384fb86441a4f49455168aedecfa6050759ec526561d0ef4bfe743dae93
Instruction Fuzzy Hash: 554127747001259FDB16DF29C948AAEBBB5FB48310F144069EA56CB3A1CB71DD42CB90

Function 01723168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a579d1a3844af7379dc73b46e66db76d0574be424b08a496eab6be1b4ff113
Instruction ID: 8fd8db70fe68a6b07df31ec048a84d1755e48ebf0e01767d06ebefa6381d60cd
Opcode Fuzzy Hash: 15a579d1a3844af7379dc73b46e66db76d0574be424b08a496eab6be1b4ff113
Instruction Fuzzy Hash: DC41AE74E012188FDB18DFAAD89499DBBF2BF89300F249529E805B7364DB34A842CF14

Function 0172BBB9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b14b37620448bcf8e7cde548059ef8fa09557c9bbcfad96bfad747905928f4
Instruction ID: 63619e78c59d241e1ad3a1586640ece6676165f269cacab716c4f1977a8a2f42
Opcode Fuzzy Hash: d1b14b37620448bcf8e7cde548059ef8fa09557c9bbcfad96bfad747905928f4
Instruction Fuzzy Hash: C4310735B002198FDB05DFA8C494E9DBBB2FF88220F155454E601AB365CA71ED82CBA0

Function 0172BBED Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b451c0421bc860997965d5a34c040ce43ebaa9b7a06c42121dfd05a35024294
Instruction ID: e52aa4ca8840f794c47f5f463b8d90652a1e291918a79c3eeb664a0b4541b3f4
Opcode Fuzzy Hash: 8b451c0421bc860997965d5a34c040ce43ebaa9b7a06c42121dfd05a35024294
Instruction Fuzzy Hash: A7311735B0021A8FDB05DFA8C494E9DBBB2EF88320F155454E601AF365CA71ED82CBA0

Function 01722C58 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aada8d26ea578d6194013e837363fcf183aa4298abd1a579c17ae2e1609b5ca
Instruction ID: 8fa92de5f690cc41d5d6e6349086aaa89d1470e7ce93872bd6bcb2eddb333842
Opcode Fuzzy Hash: 3aada8d26ea578d6194013e837363fcf183aa4298abd1a579c17ae2e1609b5ca
Instruction Fuzzy Hash: B821F3357043758BDF294A69989427DFBA6FF84210B18406FD942C7397DB78C88A8762

Function 0172CCAB Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56616adf51b22b8266cd7b98d72251aa9164ad1ba35aae7a4d05a7beaf47b283
Instruction ID: 8dbba8d46818b7c48d234c5a804372ca789649c175e4d7cc37e41e0da38b7932
Opcode Fuzzy Hash: 56616adf51b22b8266cd7b98d72251aa9164ad1ba35aae7a4d05a7beaf47b283
Instruction Fuzzy Hash: 9621C5353042214BEB276B39885437EBE97AFD9614F1884B9D602CB396EE36CCC39751

Function 0172C132 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4454197bc1903e899f09d038a9ffc80d5e866a7cd36be59316a45dd8f63433
Instruction ID: c8f37e2ac8b1b71165870f19ed92af0cd683fdf5b2d4204cab919aae62aa0398
Opcode Fuzzy Hash: 6e4454197bc1903e899f09d038a9ffc80d5e866a7cd36be59316a45dd8f63433
Instruction Fuzzy Hash: 792126346042458FC71ADF78C86565EBBB2FF9A201F2480AAE4058B765DB308E06C791

Function 017218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfd574557e70f05c2abe0933da0cf754879a95a1feaee7bf54536c860b47ab3
Instruction ID: dec9240fc61ae6605a8e2030c2359fb25e6a21227ce6ecb0606b55590aaa5f14
Opcode Fuzzy Hash: cdfd574557e70f05c2abe0933da0cf754879a95a1feaee7bf54536c860b47ab3
Instruction Fuzzy Hash: 2221A435B00296AFCF14DB24C4509BEB7A9FB89360F50C05DE959AB340EA31EE06CB91

Function 0172FDA8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8350d6f6511fc2d4ad6d58f2ba6bd4bbb5c7fa68669183c3df15b3b5d77f0e
Instruction ID: 5e91740db600c8bffcb010e73bd94e1f50f99c57a9d7412ecedbf7083bf7e82d
Opcode Fuzzy Hash: fb8350d6f6511fc2d4ad6d58f2ba6bd4bbb5c7fa68669183c3df15b3b5d77f0e
Instruction Fuzzy Hash: 26215172B051159F9705DE6DE8808BAFBFAFBD9225324C06EE909C7341EA32D806C760

Function 0164D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415457107.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_164d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffd9a5284b0a81ccc683b2a439635ee84d7c9761e8e57e29f8cfc554b666ed5
Instruction ID: 2afad6a80d4035e408444f2fbe65cb769cb185e1447a7589451e5ebb1534fe54
Opcode Fuzzy Hash: 3ffd9a5284b0a81ccc683b2a439635ee84d7c9761e8e57e29f8cfc554b666ed5
Instruction Fuzzy Hash: 36213471A04204DFDB11DF94DDC0B26BBA1EB94B14F24C56DD9094B382C37AD447CA62

Function 01720EC8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d41965db10b0b2835375f954287213beccf62dce267b99f3b76af3173b7b55
Instruction ID: f9f3a97407ee42d48752a32a9116bae6a79021cc93feed122361dfdde2aa21a9
Opcode Fuzzy Hash: 06d41965db10b0b2835375f954287213beccf62dce267b99f3b76af3173b7b55
Instruction Fuzzy Hash: DD214A70E012199FDB14EFB8D8546AEFBB2FB88704F1084ADD9149B354DB798A42CF50

Function 0172BE91 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e5fc2094dc3a21398cc867964fa3b33f0f42be017f13af81a09bc68ff4a2f4
Instruction ID: 52daff872178d004084108f5f075473cb056546ba8b602ba7ef634ca488cf337
Opcode Fuzzy Hash: 62e5fc2094dc3a21398cc867964fa3b33f0f42be017f13af81a09bc68ff4a2f4
Instruction Fuzzy Hash: DF118B36700214CFC714CB69E994E56BBE6FF88721F1584AAE20ACB771CA71EC46CB11

Function 017217B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9320b4b7c58ab0d2057a4160758f41399873473d69aed3926fc8daf8f5eed0c
Instruction ID: 697b703aa7244d4c7b08a2541b4cca9d80937275963e7ac0b67b7067212d2dcb
Opcode Fuzzy Hash: f9320b4b7c58ab0d2057a4160758f41399873473d69aed3926fc8daf8f5eed0c
Instruction Fuzzy Hash: 99211274D0525A8FCB11EFA8C8945EEBFF0FF4A310F0451AAD905B7225EB305A85CBA1

Function 0172BF80 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59724b0dfcb9901dd7b30cdd2a2f0fb9fac2aa11d6f4b7e30fc40336c866ef31
Instruction ID: f92c0ba3b9a2db6a08209614ea49b4f55a885543f650cfaeb206487e0501f972
Opcode Fuzzy Hash: 59724b0dfcb9901dd7b30cdd2a2f0fb9fac2aa11d6f4b7e30fc40336c866ef31
Instruction Fuzzy Hash: 541125307053608FCB25AB79D858969BFE5AF9A34171844BAD501CB795DE35DC02CBA0

Function 0172C460 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e9d3abfc52132de88a24de619cc98d6697f1bec8cd82bab7ebc57ff6c937c2
Instruction ID: 67b74684d0f0baf24a6ae5817e8449b3352a3972a16e6bfdc53e836c2f5668bb
Opcode Fuzzy Hash: d0e9d3abfc52132de88a24de619cc98d6697f1bec8cd82bab7ebc57ff6c937c2
Instruction Fuzzy Hash: 15115A31E003299BDB21EFB9D4846AFFFF6AB98250B154179C509E3204EB319D02CBA1

Function 01724E03 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a660637556ca4c0fe80a876fa753c66f9f8e3724ba5272ff41003f45915d626
Instruction ID: 1b96315d52c15c9f42c69a07f10ff478f925468d083e0684c6fc11d8e2b0e0f7
Opcode Fuzzy Hash: 4a660637556ca4c0fe80a876fa753c66f9f8e3724ba5272ff41003f45915d626
Instruction Fuzzy Hash: 2A012832B092514FEB219B79888457EB7F7AFC8620715447AD406CB265FF30CC018751

Function 0164D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415457107.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_164d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dafeece261ed5f36609df0c38f61fd31d97a5851a4554c05f514f158599941
Instruction ID: 31117d51537ec4984d3cbcbe2cd0afb46b36afb8902d0d7cf5c6742a42cc2dc4
Opcode Fuzzy Hash: e5dafeece261ed5f36609df0c38f61fd31d97a5851a4554c05f514f158599941
Instruction Fuzzy Hash: E111B875904284CFCB12CF58D9C0B15BBA2FB84718F28C6AAD8494B756C33AD44ACB62

Function 01724E10 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55de7ddb2405b89c71f9c3017045756f62f3be101cc81df19c5297a1dd5cd0d0
Instruction ID: 7f0913fdc9c76249ce7c0fdee804e2700858d688accc20fcefa911679f23ecbe
Opcode Fuzzy Hash: 55de7ddb2405b89c71f9c3017045756f62f3be101cc81df19c5297a1dd5cd0d0
Instruction Fuzzy Hash: 0601D632B052154BDB24AB79484453FB6EBAFC8560710443DD90AC7215FF71CC014790

Function 0172C240 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c928835810e7015d71394fb72ff240971fc4185383ab160ceed71c75e3ecb091
Instruction ID: 0fa8ae203deffb7a0432d6e96ede0aabb4ddbe6e21910ada5b6905fd59f19c69
Opcode Fuzzy Hash: c928835810e7015d71394fb72ff240971fc4185383ab160ceed71c75e3ecb091
Instruction Fuzzy Hash: FD0124367082108FCB265FB4E80855D7BE2EB86221319846BE04ACB252CF34C816C795

Function 0172A858 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534896c381e69ec3eca4859858a8e42ac7f9ffa1ea8b799786e24575f09f9f5d
Instruction ID: 5a3c9d0b62c82c3d213a716be27a7444c78f06b048b7cc33dd787be040138fbc
Opcode Fuzzy Hash: 534896c381e69ec3eca4859858a8e42ac7f9ffa1ea8b799786e24575f09f9f5d
Instruction Fuzzy Hash: 5B015E31E00319DFDF14AFB9E8589AE7BB5FF88250B008539F916D3240EB308A118BA1

Function 0172BEA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72db519678edf974abbdb015cc4af0364f3c91731ddca8408fa381910452b0c9
Instruction ID: 4dff37d6bc7d139dabfce12775d7b2db51f8bc86100962f46fa0e68a12a9e235
Opcode Fuzzy Hash: 72db519678edf974abbdb015cc4af0364f3c91731ddca8408fa381910452b0c9
Instruction Fuzzy Hash: CD017C317002148FD714CB2AD998E26F7E6FF88721F55846DE20A8B761CB71EC46CB11

Function 0172A848 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7486ba90e1bc0a04edf0eadbf65ee7a9f581d4aacf65d2cbd47f83163514d8
Instruction ID: 034efbca31c752d20614c1f67fc89f35678d3758ec79786406ab8b7ce30c8e7d
Opcode Fuzzy Hash: 3c7486ba90e1bc0a04edf0eadbf65ee7a9f581d4aacf65d2cbd47f83163514d8
Instruction Fuzzy Hash: 4D015E32900219DFCF10EFA8E8889AEBBB1FF88310B108529FC59D7204E7305A21CF91

Function 0172C4F7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686a5016f735325e82a0b91bd3016e228493842b093278666138e652446a20ff
Instruction ID: b788cca2650e8221a3f19d27114cb4241f2808e0e7ca6e5e26fab7589c572569
Opcode Fuzzy Hash: 686a5016f735325e82a0b91bd3016e228493842b093278666138e652446a20ff
Instruction Fuzzy Hash: B4F02B32B046208FCB169B6DE45855EBBF5DFD522072900AFD408DB351CE31D802C750

Function 0172FD98 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df16930f2f17a1094f6b21f94d1f5392e8f7fa8477132ad0f527c34caf45d152
Instruction ID: 0faa98d056975637eb27ac40358a38b7de3b6cc1d027f5ed25f4f9372eff4ed0
Opcode Fuzzy Hash: df16930f2f17a1094f6b21f94d1f5392e8f7fa8477132ad0f527c34caf45d152
Instruction Fuzzy Hash: 1DF0C272B011569FCB01DE7C98405BABFFAEBD8214324C16FE459C7381DA30DC0687A0

Function 0172BD39 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8891bc933487d91af699470b0cea8b2a2b0b64f104cfd9c75e923ea1fc5a65b8
Instruction ID: 844597771457e7ec6093e4bbacb598d43d3da6c95e16f76370b836a4d8ed9c15
Opcode Fuzzy Hash: 8891bc933487d91af699470b0cea8b2a2b0b64f104cfd9c75e923ea1fc5a65b8
Instruction Fuzzy Hash: 59F06D729001199F8B50DFADD8809AEBBF2FF9C250704452AE609D3210D630A6128BA0

Function 0172C1F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382c3adf04d56c54add18495fefd8333ec2f29af038797c6ab216bde4ebcc510
Instruction ID: 4af54e9e1016ab214e792fb30e973199ccd66b225d469e547eb7919ddcc1d8b6
Opcode Fuzzy Hash: 382c3adf04d56c54add18495fefd8333ec2f29af038797c6ab216bde4ebcc510
Instruction Fuzzy Hash: D5F03A35300115DFC7019F6AD888C5ABBEAFF897247508169EA0987331CB71AC52CB50

Function 01724C7B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc356c98cb074ac2fba0d0213badbd0838dd28de3bf8d679681a3dac31f74c4
Instruction ID: aeaa093bd3eda81dbf809451e79d1bef6ab2bcdc774a4d9fd82f8674dcb37b68
Opcode Fuzzy Hash: cfc356c98cb074ac2fba0d0213badbd0838dd28de3bf8d679681a3dac31f74c4
Instruction Fuzzy Hash: 2DE0AE794213529FD33A6BA4ACAC27A7BB1EB0B3237447D01E00BC2029DB744465CB40

Function 01724C88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e5c9f1e8c4d416bae67b4ed2ae394833520cff4c2b8678ee8dd2b7f13f43d8
Instruction ID: e3d6afbe0173994eacac4aeba8ca44ee7cafa49f68e95c4606c16f074c34c183
Opcode Fuzzy Hash: 09e5c9f1e8c4d416bae67b4ed2ae394833520cff4c2b8678ee8dd2b7f13f43d8
Instruction Fuzzy Hash: 1AE002790623168BD7393B64BCAC23E7A65EB0B313B407D00A11FC10299B7144648B95

Function 01721877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87fa2bec908ab7d5f903040fd46dfcf19850a30046b72eeff5837577138f0ab
Instruction ID: 9ac3d886d90f023eddff1122d37f1937656c0d4c0e4fdbf6653098d1622410ae
Opcode Fuzzy Hash: b87fa2bec908ab7d5f903040fd46dfcf19850a30046b72eeff5837577138f0ab
Instruction Fuzzy Hash: 62E02631D512268FCB02EBA0EC405EDBB34AEC12107884253D0243B560EB30272DCB91

Function 0172BF7C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d06ab3aaf20f1ace19a956732f3e4b2ea47baac67fe353f1b7ca798368d29e
Instruction ID: 2b78b2b191f2a85c5a08beb852e25268db20db237915be6cd8853eb7b48ad859
Opcode Fuzzy Hash: 43d06ab3aaf20f1ace19a956732f3e4b2ea47baac67fe353f1b7ca798368d29e
Instruction Fuzzy Hash: 3CE08C35B011369F8720A6ACD688D68BB91EF683507288076EA01C7624EA71D8418BD0

Function 0172BF38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dce284e9d081b9a6d5f435c7a542cf2dcf3a1f894fa8dd49ca695085c8a493
Instruction ID: 9e33b1754078abffef56331e4db53bd9e954f9767aac81f327011c2b344f89b3
Opcode Fuzzy Hash: b3dce284e9d081b9a6d5f435c7a542cf2dcf3a1f894fa8dd49ca695085c8a493
Instruction Fuzzy Hash: 6DE08C3A2112508FC7119BA4E869D5977B1AF4A22031A40DAE009DF3B3CA34ED10CB81

Function 01721888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533902f670c61e00c6584a90f941ec458dee84bc713e944a8be361d3e8c6985e
Instruction ID: 76d11c61ae604af78a2df147a7dd9ff603c47e304809cef8dd32cb21c2aae4f9
Opcode Fuzzy Hash: 533902f670c61e00c6584a90f941ec458dee84bc713e944a8be361d3e8c6985e
Instruction Fuzzy Hash: 16D05B31D2126B57CB00E7A5DC044EFF738EED5661B544626D51437140FB702659C7E1

Function 0172C2A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15b32a990f77704ff6d9bf65fbc0fb039239f1d513455ab69e74e5c0482b231
Instruction ID: 9245e5976fcee311be2e6e91a460e49561537bf9299bb667f6c9560a3e697e32
Opcode Fuzzy Hash: e15b32a990f77704ff6d9bf65fbc0fb039239f1d513455ab69e74e5c0482b231
Instruction Fuzzy Hash: 7DD0C737300324A74B153A49B408CAE7B5ED7CD771704C026F905C3304CE759D1297E5

Function 0172325B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8acaa16506b5d36c94ef49575efa251587fbe140d4a377435002f81b9c5773
Instruction ID: e8e4385e1ade1631ca62bc82ce3d494a4efb31d23e3ff216b8cf76d13097fe71
Opcode Fuzzy Hash: 0d8acaa16506b5d36c94ef49575efa251587fbe140d4a377435002f81b9c5773
Instruction Fuzzy Hash: 11E02D78E44209CFCF10DFA9E5444ADFBB9FB49711B10946AE92AA7210D7389A12CF15

Function 0172D9FD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3ffe475a67ac74b2df26c46e34a541d842b36fdf84092f426f375a7aaeb79c
Instruction ID: 088cfedd9660cf1d68272b13d6b5380421b9d11e26ea91278b44e019aca3fec0
Opcode Fuzzy Hash: 4c3ffe475a67ac74b2df26c46e34a541d842b36fdf84092f426f375a7aaeb79c
Instruction Fuzzy Hash: 8ED0673AB00008DFCB149F99E8449DDB7B6FB98221B048116F926A3260CA31A925DB60

Function 0172BF48 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3a849397244beb573a2c1ed74d94d98630dd104df215eb7fcfa1129a679905
Instruction ID: 913ac6145902a2d27e91cbe057cf2b9814b1e5b210aac4015e56e6b38141c2db
Opcode Fuzzy Hash: ec3a849397244beb573a2c1ed74d94d98630dd104df215eb7fcfa1129a679905
Instruction Fuzzy Hash: 8FD0A9353403288FC314AB68E468C6A73A9EF4863070180A5E90ACB372CF72EC00CBC1

Function 01724DE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caca84e1167d5db970fb76f1f649890c0ad059066533d93c90c6264b51ba9104
Instruction ID: 5bbf7a0e667021915d7fd4e833a67ce7b4383250a49d40f5ec55b31140fa1993
Opcode Fuzzy Hash: caca84e1167d5db970fb76f1f649890c0ad059066533d93c90c6264b51ba9104
Instruction Fuzzy Hash: 5BC04C764993A28FCF13576455551A07BF4A94B336305D0D3D494CA567D7284847CB23

Non-executed Functions

Function 0172E398 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4157f9d77bad90fd7e7243467c1dc6425f4b06988907f8bbb20f731ade96ddc1
Instruction ID: a3c7517038a91537157398b91cab0ee54f6cdec7899737429912a72751e403cb
Opcode Fuzzy Hash: 4157f9d77bad90fd7e7243467c1dc6425f4b06988907f8bbb20f731ade96ddc1
Instruction Fuzzy Hash: 43C1A074E00218CFDB54DFA9D954BADBBB2AF88300F2090A9D809AB355DB359E81CF51

Function 0172EC48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f8ca64b810fc21f8eba7a90c12d3ccf20d1cbb8bd8b42f66b3b9a34dae07d7
Instruction ID: c08e1e80dcacf9d259129bff0443c4b3a8745198f2feb236875418f8bd4b0a23
Opcode Fuzzy Hash: 50f8ca64b810fc21f8eba7a90c12d3ccf20d1cbb8bd8b42f66b3b9a34dae07d7
Instruction Fuzzy Hash: 5CC1A174E00218CFDB54DFA9D954BADBBB2BF88300F1090A9D409AB355DB359E81CF51

Function 0172F0A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4327386e4ff7f7cd6cf45b600c44a2fac1c24f75d94328aedb7bc4ae04921a
Instruction ID: ee569023fa64c2248eea2ef5468b939561d6d3c75573aea7ef1a38a0b745e79a
Opcode Fuzzy Hash: ef4327386e4ff7f7cd6cf45b600c44a2fac1c24f75d94328aedb7bc4ae04921a
Instruction Fuzzy Hash: 1DC1A074E00218CFDB54DFA9D954BADBBB2EF89300F2090A9D809AB355DB359E81CF51

Function 0172F4F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436d974f39045f3e3a12ec6ec6d0f3803405c115bf329388671c6a3244d80cc2
Instruction ID: 40d6be9b7b3d4dc6e1adce5bf78bbf486ad10cdfc5167a51f996bbc952fe70da
Opcode Fuzzy Hash: 436d974f39045f3e3a12ec6ec6d0f3803405c115bf329388671c6a3244d80cc2
Instruction Fuzzy Hash: EBC1AF74E00218CFDB54DFA9D954BADBBB2EF89300F2090A9D909AB355DB359E81CF11

Function 0172F950 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fb979676ba52d1e7a92ad36d547dde3e94deb8007ea5c6a790d0d4999a1f79
Instruction ID: fc03a8ecdb8f385c1c6a5c2908cb65b4201e6fe83cd96568b77012628139fe2d
Opcode Fuzzy Hash: e1fb979676ba52d1e7a92ad36d547dde3e94deb8007ea5c6a790d0d4999a1f79
Instruction Fuzzy Hash: 2DC1B174E00218CFDB54DFA9D954BADBBB2EF88300F2090A9D819AB355DB359E81CF11

Function 0172E211 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbbd14d4343e3194d90f31adfe9facbfe0d5b7ac70f6103ec3e068c2960f9f7
Instruction ID: 6ea43e8d6e4a1e69a9d0dbc8976ec66f4de690c0d02dcab384ac5f4495d3f80c
Opcode Fuzzy Hash: 9bbbd14d4343e3194d90f31adfe9facbfe0d5b7ac70f6103ec3e068c2960f9f7
Instruction Fuzzy Hash: 06915E75E00259CFDB14CFA9C584A9DFBF2BF89301F158169D855AB3A2DB30E942CB50

Function 0172EC39 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c044301e4aaa08c0aa4eac1574a505a1244e716b83af7694917f20b4ea8df5
Instruction ID: 5b0b4fdd01afa8ba41e0cef60f3e718f0db4b39fd3b4634b437a4066afee767d
Opcode Fuzzy Hash: e5c044301e4aaa08c0aa4eac1574a505a1244e716b83af7694917f20b4ea8df5
Instruction Fuzzy Hash: A841F770D01248CBEB18CFEAD9547AEFBF2AF89300F24D12AC414AB295EB345946CF44

Function 0172F090 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7eb6a71e46f31ee988ac4a557f2c55817b33616f0d323ada95d2ebc4102e48c
Instruction ID: 69b10d3bce8dc5c5b4d06641343ae37671caffd5e75cd743ae67521368822c42
Opcode Fuzzy Hash: e7eb6a71e46f31ee988ac4a557f2c55817b33616f0d323ada95d2ebc4102e48c
Instruction Fuzzy Hash: 1D41F970E012498BEB18CFA6D8507AEFBF2AF89300F24D129C414AB255DB344942CF54

Function 0172F4E8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a453d3e3a448042fbbe0702be890d2c19d8c4579d8dc7b5bc279b1336cd13783
Instruction ID: ed27c61333f503adddd32e9d90646b8cb0ed642b704f4bd901fe8422f1ce82aa
Opcode Fuzzy Hash: a453d3e3a448042fbbe0702be890d2c19d8c4579d8dc7b5bc279b1336cd13783
Instruction Fuzzy Hash: 5141F870E052588FEB18CFBAD9546AEFBF2AF89300F24D129C418AB295DB345946CF10

Function 0172F941 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3415755283.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1720000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2c2cf1e6e5d5d24047e4378defdd1c60a4f64fa78c37f89daf9c4816f256b9
Instruction ID: bf39bbcc82f46e9ea6ffd81f4480644be809d5b0ab6f715b047705b7c1c4411d
Opcode Fuzzy Hash: 8c2c2cf1e6e5d5d24047e4378defdd1c60a4f64fa78c37f89daf9c4816f256b9
Instruction Fuzzy Hash: 4F41F870D052588FEB18DFAAD9506EEFBF2AF89300F24D12AC424AB295DB344942CF50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jxy62Zm6c4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jxy62Zm6c4.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
jxy62Zm6c4.exe

Function 053E0F54 Relevance: 1.8, APIs: 1, Instructions: 265
processCOMMON

Function 053E0F60 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Function 053E1670 Relevance: 1.7, APIs: 1, Instructions: 194
injectionCOMMON

Function 053E18B0 Relevance: 1.7, APIs: 1, Instructions: 151
threadCOMMON

Function 053E1321 Relevance: 1.6, APIs: 1, Instructions: 113
threadCOMMON

Function 053E1548 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 053E17E0 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Function 053E05B4 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 053E1480 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 053E13C0 Relevance: 1.6, APIs: 1, Instructions: 60
threadCOMMON

Function 053E15C8 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Function 053E19F8 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON