Edit tour

Windows Analysis Report
h1HIe1rt4D.exe

Overview

General Information

Sample name:	h1HIe1rt4D.exe renamed because original name is a hash value
Original sample name:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b.exe
Analysis ID:	1588354
MD5:	aca1506ec2fc90d9bd56cbbe91bd6386
SHA1:	d2b443e927e57d8481fd6ddc5c7722d423815a9b
SHA256:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

h1HIe1rt4D.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: ACA1506EC2FC90D9BD56CBBE91BD6386)

h1HIe1rt4D.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: ACA1506EC2FC90D9BD56CBBE91BD6386)

cmd.exe (PID: 5764 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6540 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY/sendMessage?chat_id=2135869667", "Token": "7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY", "Chat_id": "2135869667", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148e9:$a1: get_encryptedPassword 0x14bd5:$a2: get_encryptedUsername 0x146f5:$a3: get_timePasswordChanged 0x147f0:$a4: get_passwordField 0x148ff:$a5: set_encryptedPassword 0x15f51:$a7: get_logins 0x15eb4:$a10: KeyLoggerEventArgs 0x15b1f:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1999c:$x1: $%SMTPDV$ 0x18380:$x2: $#TheHashHere%& 0x19944:$x3: %FTPDV$ 0x18320:$x4: $%TelegramDv$ 0x15b1f:$x5: KeyLoggerEventArgs 0x15eb4:$x5: KeyLoggerEventArgs 0x19968:$m2: Clipboard Logs ID 0x19ba6:$m2: Screenshot Logs ID 0x19cb6:$m2: keystroke Logs ID 0x19f90:$m3: SnakePW 0x19b7e:$m4: \SnakeKeylogger\
00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf40f9:$a1: get_encryptedPassword 0x114d29:$a1: get_encryptedPassword 0x135749:$a1: get_encryptedPassword 0xf43e5:$a2: get_encryptedUsername 0x115015:$a2: get_encryptedUsername 0x135a35:$a2: get_encryptedUsername 0xf3f05:$a3: get_timePasswordChanged 0x114b35:$a3: get_timePasswordChanged 0x135555:$a3: get_timePasswordChanged 0xf4000:$a4: get_passwordField 0x114c30:$a4: get_passwordField 0x135650:$a4: get_passwordField 0xf410f:$a5: set_encryptedPassword 0x114d3f:$a5: set_encryptedPassword 0x13575f:$a5: set_encryptedPassword 0xf5761:$a7: get_logins 0x116391:$a7: get_logins 0x136db1:$a7: get_logins 0xf56c4:$a10: KeyLoggerEventArgs 0x1162f4:$a10: KeyLoggerEventArgs 0x136d14:$a10: KeyLoggerEventArgs
00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf91ac:$x1: $%SMTPDV$ 0x119ddc:$x1: $%SMTPDV$ 0x13a7fc:$x1: $%SMTPDV$ 0xf7b90:$x2: $#TheHashHere%& 0x1187c0:$x2: $#TheHashHere%& 0x1391e0:$x2: $#TheHashHere%& 0xf9154:$x3: %FTPDV$ 0x119d84:$x3: %FTPDV$ 0x13a7a4:$x3: %FTPDV$ 0xf7b30:$x4: $%TelegramDv$ 0x118760:$x4: $%TelegramDv$ 0x139180:$x4: $%TelegramDv$ 0xf532f:$x5: KeyLoggerEventArgs 0xf56c4:$x5: KeyLoggerEventArgs 0x115f5f:$x5: KeyLoggerEventArgs 0x1162f4:$x5: KeyLoggerEventArgs 0x13697f:$x5: KeyLoggerEventArgs 0x136d14:$x5: KeyLoggerEventArgs 0xf9178:$m2: Clipboard Logs ID 0xf93b6:$m2: Screenshot Logs ID 0xf94c6:$m2: keystroke Logs ID
00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 6728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 6728	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 6728	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9d3ca:$a1: get_encryptedPassword 0x9d615:$a2: get_encryptedUsername 0x9d1f9:$a3: get_timePasswordChanged 0x9d2db:$a4: get_passwordField 0x9d3e0:$a5: set_encryptedPassword 0x9f2af:$a7: get_logins 0x9f230:$a10: KeyLoggerEventArgs 0x9ef9e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: h1HIe1rt4D.exe PID: 6728	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9ef9e:$x5: KeyLoggerEventArgs 0x9f230:$x5: KeyLoggerEventArgs 0x9f85a:$x5: KeyLoggerEventArgs 0x9fbbb:$x5: KeyLoggerEventArgs 0xa1313:$m2: Clipboard Logs ID 0xa1419:$m2: Screenshot Logs ID 0xa146f:$m2: keystroke Logs ID 0xa15a4:$m3: SnakePW 0xa1405:$m4: \SnakeKeylogger\
Process Memory Space: h1HIe1rt4D.exe PID: 5740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 5740	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 5740	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17d9c:$a1: get_encryptedPassword 0x1807e:$a2: get_encryptedUsername 0x17bb2:$a3: get_timePasswordChanged 0x17cad:$a4: get_passwordField 0x17db2:$a5: set_encryptedPassword 0x1a288:$a7: get_logins 0x1a1eb:$a10: KeyLoggerEventArgs 0x19e56:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: h1HIe1rt4D.exe PID: 5740	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19e56:$x5: KeyLoggerEventArgs 0x1a1eb:$x5: KeyLoggerEventArgs 0x1a891:$x5: KeyLoggerEventArgs 0x1abf2:$x5: KeyLoggerEventArgs 0x1c419:$m2: Clipboard Logs ID 0x1c51f:$m2: Screenshot Logs ID 0x1c575:$m2: keystroke Logs ID 0x1c6aa:$m3: SnakePW 0x1c50b:$m4: \SnakeKeylogger\
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.h1HIe1rt4D.exe.3828610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.h1HIe1rt4D.exe.3828610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.h1HIe1rt4D.exe.3828610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce9:$a1: get_encryptedPassword 0x12fd5:$a2: get_encryptedUsername 0x12af5:$a3: get_timePasswordChanged 0x12bf0:$a4: get_passwordField 0x12cff:$a5: set_encryptedPassword 0x14351:$a7: get_logins 0x142b4:$a10: KeyLoggerEventArgs 0x13f1f:$a11: KeyLoggerEventArgsEventHandler
1.2.h1HIe1rt4D.exe.3828610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19992:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dc5:$a4: \Orbitum\User Data\Default\Login Data 0x1ae04:$a5: \Kometa\User Data\Default\Login Data
1.2.h1HIe1rt4D.exe.3828610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138b6:$s1: UnHook 0x138bd:$s2: SetHook 0x138c5:$s3: CallNextHook 0x138d2:$s4: _hook
1.2.h1HIe1rt4D.exe.3828610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d9c:$x1: $%SMTPDV$ 0x16780:$x2: $#TheHashHere%& 0x17d44:$x3: %FTPDV$ 0x16720:$x4: $%TelegramDv$ 0x13f1f:$x5: KeyLoggerEventArgs 0x142b4:$x5: KeyLoggerEventArgs 0x17d68:$m2: Clipboard Logs ID 0x17fa6:$m2: Screenshot Logs ID 0x180b6:$m2: keystroke Logs ID 0x18390:$m3: SnakePW 0x17f7e:$m4: \SnakeKeylogger\
1.2.h1HIe1rt4D.exe.3849240.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.h1HIe1rt4D.exe.3849240.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.h1HIe1rt4D.exe.3849240.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce9:$a1: get_encryptedPassword 0x12fd5:$a2: get_encryptedUsername 0x12af5:$a3: get_timePasswordChanged 0x12bf0:$a4: get_passwordField 0x12cff:$a5: set_encryptedPassword 0x14351:$a7: get_logins 0x142b4:$a10: KeyLoggerEventArgs 0x13f1f:$a11: KeyLoggerEventArgsEventHandler
1.2.h1HIe1rt4D.exe.3849240.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19992:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dc5:$a4: \Orbitum\User Data\Default\Login Data 0x1ae04:$a5: \Kometa\User Data\Default\Login Data
1.2.h1HIe1rt4D.exe.3849240.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138b6:$s1: UnHook 0x138bd:$s2: SetHook 0x138c5:$s3: CallNextHook 0x138d2:$s4: _hook
1.2.h1HIe1rt4D.exe.3849240.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d9c:$x1: $%SMTPDV$ 0x16780:$x2: $#TheHashHere%& 0x17d44:$x3: %FTPDV$ 0x16720:$x4: $%TelegramDv$ 0x13f1f:$x5: KeyLoggerEventArgs 0x142b4:$x5: KeyLoggerEventArgs 0x17d68:$m2: Clipboard Logs ID 0x17fa6:$m2: Screenshot Logs ID 0x180b6:$m2: keystroke Logs ID 0x18390:$m3: SnakePW 0x17f7e:$m4: \SnakeKeylogger\
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x15d1f:$a11: KeyLoggerEventArgsEventHandler
2.2.h1HIe1rt4D.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data
2.2.h1HIe1rt4D.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x156bd:$s2: SetHook 0x156c5:$s3: CallNextHook 0x156d2:$s4: _hook
2.2.h1HIe1rt4D.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID 0x1a190:$m3: SnakePW 0x19d7e:$m4: \SnakeKeylogger\
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x35509:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x357f5:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x35315:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x35410:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x3551f:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x36b71:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x36ad4:$a10: KeyLoggerEventArgs 0x15d1f:$a11: KeyLoggerEventArgsEventHandler 0x3673f:$a11: KeyLoggerEventArgsEventHandler
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x35719:$a1: get_encryptedPassword 0x56139:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x35a05:$a2: get_encryptedUsername 0x56425:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x35525:$a3: get_timePasswordChanged 0x55f45:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x35620:$a4: get_passwordField 0x56040:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x3572f:$a5: set_encryptedPassword 0x5614f:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x36d81:$a7: get_logins 0x577a1:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x36ce4:$a10: KeyLoggerEventArgs 0x57704:$a10: KeyLoggerEventArgs
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1b2:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x3c5e5:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data 0x3d624:$a5: \Kometa\User Data\Default\Login Data
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d190:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dbb0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c3c2:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cde2:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x3c7f5:$a4: \Orbitum\User Data\Default\Login Data 0x5d215:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data 0x3d834:$a5: \Kometa\User Data\Default\Login Data 0x5e254:$a5: \Kometa\User Data\Default\Login Data
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x360d6:$s1: UnHook 0x156bd:$s2: SetHook 0x360dd:$s2: SetHook 0x156c5:$s3: CallNextHook 0x360e5:$s3: CallNextHook 0x156d2:$s4: _hook 0x360f2:$s4: _hook
1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x3a5bc:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x38fa0:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x3a564:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x38f40:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x3673f:$x5: KeyLoggerEventArgs 0x36ad4:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID 0x3a588:$m2: Clipboard Logs ID 0x3a7c6:$m2: Screenshot Logs ID 0x3a8d6:$m2: keystroke Logs ID 0x1a190:$m3: SnakePW 0x3abb0:$m3: SnakePW 0x19d7e:$m4: \SnakeKeylogger\
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x362e6:$s1: UnHook 0x56d06:$s1: UnHook 0x156bd:$s2: SetHook 0x362ed:$s2: SetHook 0x56d0d:$s2: SetHook 0x156c5:$s3: CallNextHook 0x362f5:$s3: CallNextHook 0x56d15:$s3: CallNextHook 0x156d2:$s4: _hook 0x36302:$s4: _hook 0x56d22:$s4: _hook
1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x3a7cc:$x1: $%SMTPDV$ 0x5b1ec:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x391b0:$x2: $#TheHashHere%& 0x59bd0:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x3a774:$x3: %FTPDV$ 0x5b194:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x39150:$x4: $%TelegramDv$ 0x59b70:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x3694f:$x5: KeyLoggerEventArgs 0x36ce4:$x5: KeyLoggerEventArgs 0x5736f:$x5: KeyLoggerEventArgs 0x57704:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5189:$a1: get_encryptedPassword 0xc5db9:$a1: get_encryptedPassword 0xe67d9:$a1: get_encryptedPassword 0xa5475:$a2: get_encryptedUsername 0xc60a5:$a2: get_encryptedUsername 0xe6ac5:$a2: get_encryptedUsername 0xa4f95:$a3: get_timePasswordChanged 0xc5bc5:$a3: get_timePasswordChanged 0xe65e5:$a3: get_timePasswordChanged 0xa5090:$a4: get_passwordField 0xc5cc0:$a4: get_passwordField 0xe66e0:$a4: get_passwordField 0xa519f:$a5: set_encryptedPassword 0xc5dcf:$a5: set_encryptedPassword 0xe67ef:$a5: set_encryptedPassword 0xa67f1:$a7: get_logins 0xc7421:$a7: get_logins 0xe7e41:$a7: get_logins 0xa6754:$a10: KeyLoggerEventArgs 0xc7384:$a10: KeyLoggerEventArgs 0xe7da4:$a10: KeyLoggerEventArgs
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5d56:$s1: UnHook 0xc6986:$s1: UnHook 0xe73a6:$s1: UnHook 0xa5d5d:$s2: SetHook 0xc698d:$s2: SetHook 0xe73ad:$s2: SetHook 0xa5d65:$s3: CallNextHook 0xc6995:$s3: CallNextHook 0xe73b5:$s3: CallNextHook 0xa5d72:$s4: _hook 0xc69a2:$s4: _hook 0xe73c2:$s4: _hook
1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaa23c:$x1: $%SMTPDV$ 0xcae6c:$x1: $%SMTPDV$ 0xeb88c:$x1: $%SMTPDV$ 0xa8c20:$x2: $#TheHashHere%& 0xc9850:$x2: $#TheHashHere%& 0xea270:$x2: $#TheHashHere%& 0xaa1e4:$x3: %FTPDV$ 0xcae14:$x3: %FTPDV$ 0xeb834:$x3: %FTPDV$ 0xa8bc0:$x4: $%TelegramDv$ 0xc97f0:$x4: $%TelegramDv$ 0xea210:$x4: $%TelegramDv$ 0xa63bf:$x5: KeyLoggerEventArgs 0xa6754:$x5: KeyLoggerEventArgs 0xc6fef:$x5: KeyLoggerEventArgs 0xc7384:$x5: KeyLoggerEventArgs 0xe7a0f:$x5: KeyLoggerEventArgs 0xe7da4:$x5: KeyLoggerEventArgs 0xaa208:$m2: Clipboard Logs ID 0xaa446:$m2: Screenshot Logs ID 0xaa556:$m2: keystroke Logs ID
Click to see the 34 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:14:55.882772+0100	2803305	3	Unknown Traffic	192.168.2.9	49711	104.21.96.1	443	TCP
2025-01-11T01:14:57.193258+0100	2803305	3	Unknown Traffic	192.168.2.9	49713	104.21.96.1	443	TCP
2025-01-11T01:15:01.324614+0100	2803305	3	Unknown Traffic	192.168.2.9	49721	104.21.96.1	443	TCP
2025-01-11T01:15:31.855728+0100	2803305	3	Unknown Traffic	192.168.2.9	49727	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:14:53.834470+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49706	193.122.6.168	80	TCP
2025-01-11T01:14:55.240731+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49706	193.122.6.168	80	TCP
2025-01-11T01:14:56.615794+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49712	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY/sendMessage?chat_id=2135869667", "Token": "7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY", "Chat_id": "2135869667", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: h1HIe1rt4D.exe	Virustotal: Detection: 56%			Perma Link
Source: h1HIe1rt4D.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: h1HIe1rt4D.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: h1HIe1rt4D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: h1HIe1rt4D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: h1HIe1rt4D.exe, 00000001.00000002.2753141706.0000000002741000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000001.00000002.2756052457.0000000004F10000.00000004.08000000.00040000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49711 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028E6000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002909000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: h1HIe1rt4D.exe	String found in binary or memory: https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 1_2_00D1D364	1_2_00D1D364
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 1_2_05A194F8	1_2_05A194F8
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CAC193	2_2_00CAC193
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA6108	2_2_00CA6108
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CAB328	2_2_00CAB328
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CAC470	2_2_00CAC470
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CAC753	2_2_00CAC753
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA6730	2_2_00CA6730
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA9858	2_2_00CA9858
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA4AD9	2_2_00CA4AD9
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CACA33	2_2_00CACA33
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CABEB7	2_2_00CABEB7
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CAB4F3	2_2_00CAB4F3

Source: h1HIe1rt4D.exe, 00000001.00000002.2753141706.0000000002741000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2753141706.0000000002741000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2755567043.0000000004E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2756052457.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000000.1492541251.000000000038A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInochia.exe0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000001.00000002.2752290430.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000002.00000002.1923847134.0000000006153000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe	Binary or memory string: OriginalFilenameInochia.exe0 vs h1HIe1rt4D.exe

Source: h1HIe1rt4D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal92.troj.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1HIe1rt4D.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3616:120:WilError_03

Source: h1HIe1rt4D.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: h1HIe1rt4D.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h1HIe1rt4D.exe	Virustotal: Detection: 56%
Source: h1HIe1rt4D.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: h1HIe1rt4D.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: h1HIe1rt4D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: h1HIe1rt4D.exe

Static PE information: 0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA24B9 push 8BFFFFFFh; retf	2_2_00CA24BF
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA2B1D push 8BD08B02h; iretd	2_2_00CA2B22
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00CA2DAC push 8B6CEB02h; iretd	2_2_00CA2DB3

Source: h1HIe1rt4D.exe

Static PE information: section name: .text entropy: 7.347443352053939

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"			Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 4830000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598277	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598041	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597926	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597786	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597407	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594973	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594721	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594000	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Window / User API: threadDelayed 2947			Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Window / User API: threadDelayed 6875			Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2920	Thread sleep count: 2947 > 30	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2920	Thread sleep count: 6875 > 30	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598277s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -598041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597786s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594973s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594721s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 2572	Thread sleep time: -594000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598277	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 598041	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597926	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597786	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597407	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594973	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594721	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 594000	Jump to behavior

Source: h1HIe1rt4D.exe	Binary or memory string: ResumeVirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: iqEMUhZ
Source: h1HIe1rt4D.exe	Binary or memory string: InitializeVirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: get_VirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: get_MonoVirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: VirtualMachineManager
Source: h1HIe1rt4D.exe, 00000002.00000002.1920062217.0000000000B67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Users\user\Desktop\h1HIe1rt4D.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Users\user\Desktop\h1HIe1rt4D.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR

Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3849240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3828610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.h1HIe1rt4D.exe.3797f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 5740, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h1HIe1rt4D.exe	57%	Virustotal		Browse
h1HIe1rt4D.exe	68%	ReversingLabs	Win32.Spyware.Snakekeylogger
h1HIe1rt4D.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games	h1HIe1rt4D.exe	false	high
http://checkip.dyndns.org	h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028E6000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002934000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.000000000299F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002909000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002984000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	h1HIe1rt4D.exe, 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1920934211.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588354
Start date and time:	2025-01-11 01:13:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h1HIe1rt4D.exe renamed because original name is a hash value
Original Sample Name:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b.exe
Detection:	MAL
Classification:	mal92.troj.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 76 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target h1HIe1rt4D.exe, PID 5740 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:14:53	API Interceptor	302x Sleep call for process: h1HIe1rt4D.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
104.21.96.1	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
checkip.dyndns.com	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	188.114.96.3
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\h1HIe1rt4D.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3367983816294675
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	h1HIe1rt4D.exe
File size:	553'472 bytes
MD5:	aca1506ec2fc90d9bd56cbbe91bd6386
SHA1:	d2b443e927e57d8481fd6ddc5c7722d423815a9b
SHA256:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b
SHA512:	4e7af171c7ca0eb32616e53e63e59d41bda62e52ea801c8e005e8cc8d9f08cbb5aa59ea5203688efaf53a0e1d2c91a64a6cba225481f6a36ba08d4f96454f956
SSDEEP:	12288:YiU+RfWk1Sm5bp+4yZXfcKa6Io24RPlA24:Yi3fWxIbc4yZ0xoDf
TLSH:	AEC4CF2933E8E317D6AF0B7AF43411005776BE93F196EB0D5C84A9EF0D53B9199122A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..h............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4887de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88790	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x867e4	0x86800	df2d295129eb6017176828fb23590027	False	0.601626031017658	data	7.347443352053939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x596	0x600	bb337337fd525b603631f27b8432eb2e	False	0.41015625	data	4.03984594780929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	ea0438b2ffa5d5203b31ad259aa8633b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0x8a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:14:53.834470+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49706	193.122.6.168	80	TCP
2025-01-11T01:14:55.240731+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49706	193.122.6.168	80	TCP
2025-01-11T01:14:55.882772+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49711	104.21.96.1	443	TCP
2025-01-11T01:14:56.615794+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49712	193.122.6.168	80	TCP
2025-01-11T01:14:57.193258+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49713	104.21.96.1	443	TCP
2025-01-11T01:15:01.324614+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49721	104.21.96.1	443	TCP
2025-01-11T01:15:31.855728+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49727	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:14:52.030114889 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:52.035121918 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:52.035198927 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:52.035432100 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:52.040373087 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:53.102508068 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:53.107122898 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:53.112025023 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:53.793334961 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:53.834470034 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:53.848910093 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:53.848934889 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:53.849014044 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:53.856643915 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:53.856666088 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.326189995 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.326273918 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.331747055 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.331768990 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.332134008 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.381647110 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.750456095 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.791326046 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.864496946 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.864672899 CET	443	49709	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:54.864731073 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.873806000 CET	49709	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:54.879591942 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:54.884569883 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:55.199398041 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:55.203541994 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.203578949 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.203691006 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.204122066 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.204133034 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.240731001 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.720824957 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.724296093 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.724324942 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.882802963 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.882864952 CET	443	49711	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:55.882930040 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.883919001 CET	49711	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:55.886913061 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.888122082 CET	49712	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.892313957 CET	80	49706	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:55.892422915 CET	49706	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.892999887 CET	80	49712	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:55.893167019 CET	49712	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.893299103 CET	49712	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:55.898083925 CET	80	49712	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:56.562684059 CET	80	49712	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:56.563914061 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:56.563977957 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:56.564062119 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:56.564292908 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:56.564307928 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:56.615793943 CET	49712	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:57.048726082 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:57.055367947 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.055409908 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:57.193284035 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:57.193351984 CET	443	49713	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:57.193408966 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.198975086 CET	49713	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.292293072 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:57.297193050 CET	80	49714	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:57.297291040 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:57.300060987 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:57.304919958 CET	80	49714	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:57.955003023 CET	80	49714	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:57.956350088 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.956373930 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:57.956434011 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.956693888 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:57.956706047 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:58.006365061 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.409744978 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:58.411482096 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:58.411499977 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:58.562485933 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:58.562549114 CET	443	49715	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:58.562596083 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:58.562972069 CET	49715	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:58.566597939 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.567653894 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.571782112 CET	80	49714	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:58.571831942 CET	49714	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.572483063 CET	80	49717	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:58.572547913 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.572657108 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:58.577475071 CET	80	49717	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:59.231209993 CET	80	49717	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:59.235996962 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.236043930 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.236334085 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.236669064 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.236699104 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.287602901 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.715498924 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.718661070 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.718686104 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.853251934 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.853312016 CET	443	49718	104.21.96.1	192.168.2.9
Jan 11, 2025 01:14:59.858927011 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.885440111 CET	49718	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:14:59.890511990 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.891025066 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.895728111 CET	80	49717	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:59.895920992 CET	80	49720	193.122.6.168	192.168.2.9
Jan 11, 2025 01:14:59.895966053 CET	49717	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.896007061 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.896090031 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:14:59.900968075 CET	80	49720	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:00.689771891 CET	80	49720	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:00.690987110 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:00.691046953 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:00.691102982 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:00.691356897 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:00.691382885 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:00.740747929 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:00.932086945 CET	80	49720	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:00.932132006 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.172390938 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:01.178065062 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:01.178132057 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:01.324631929 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:01.324696064 CET	443	49721	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:01.325217009 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:01.325457096 CET	49721	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:01.328366995 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.329338074 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.333955050 CET	80	49720	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:01.334029913 CET	49720	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.334892035 CET	80	49722	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:01.335105896 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.335216999 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:01.340058088 CET	80	49722	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:18.576276064 CET	80	49722	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:18.577966928 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:18.578022003 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:18.578155041 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:18.578433037 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:18.578444958 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:18.631473064 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.060673952 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:19.068428040 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:19.068454981 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:19.199723959 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:19.203285933 CET	443	49725	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:19.203402996 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:19.216101885 CET	49725	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:19.259440899 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.264111996 CET	49726	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.264488935 CET	80	49722	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:19.264549017 CET	49722	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.269071102 CET	80	49726	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:19.269227028 CET	49726	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.347146988 CET	49726	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:19.352108002 CET	80	49726	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:31.195398092 CET	80	49726	193.122.6.168	192.168.2.9
Jan 11, 2025 01:15:31.199210882 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:31.199259996 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.199347019 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:31.199881077 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:31.199893951 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.240881920 CET	49726	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:31.689562082 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.697627068 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:31.697649002 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.855796099 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.855983019 CET	443	49727	104.21.96.1	192.168.2.9
Jan 11, 2025 01:15:31.856321096 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:31.861924887 CET	49727	443	192.168.2.9	104.21.96.1
Jan 11, 2025 01:15:32.176047087 CET	49726	80	192.168.2.9	193.122.6.168
Jan 11, 2025 01:15:32.176126003 CET	49712	80	192.168.2.9	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:14:52.005980968 CET	63842	53	192.168.2.9	1.1.1.1
Jan 11, 2025 01:14:52.012842894 CET	53	63842	1.1.1.1	192.168.2.9
Jan 11, 2025 01:14:53.831419945 CET	61613	53	192.168.2.9	1.1.1.1
Jan 11, 2025 01:14:53.838310957 CET	53	61613	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:14:52.005980968 CET	192.168.2.9	1.1.1.1	0xdcfe	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.831419945 CET	192.168.2.9	1.1.1.1	0x26fd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:52.012842894 CET	1.1.1.1	192.168.2.9	0xdcfe	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:53.838310957 CET	1.1.1.1	192.168.2.9	0x26fd	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:52.035432100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:14:53.102508068 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:14:53.107122898 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:14:53.793334961 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:14:54.879591942 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:14:55.199398041 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49712	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:55.893299103 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:14:56.562684059 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:57.300060987 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:14:57.955003023 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49717	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:58.572657108 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:14:59.231209993 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:59.896090031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:15:00.689771891 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:15:00.932086945 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49722	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:15:01.335216999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:15:18.576276064 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49726	193.122.6.168	80	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:15:19.347146988 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:15:31.195398092 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:14:54 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869283 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rkXJm2%2F3YpKeaI9YvZEKZ4CRqBh0qFJpBazDSBOfgf22jia%2FNI9y7gSYLOO6zyYgL02lKFhcyRn7d%2FzfR1ZI0L36hlp2lk15k1JWCTI4YDmVDQPvLUPGDu4PwRNRZ1PqxWnIi4Se"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b5988ebe1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1981&rtt_var=753&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1442687&cwnd=157&unsent_bytes=0&cid=1e4b9749228babb6&ts=551&x=0"
2025-01-11 00:14:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49711	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:14:55 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869284 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vQ4FxCmtLrXRkc7iWueqbX7PPQcLa9mBXXowXzr9cFxR7Lapj%2Fvu%2BOXJRykUiyX20GY8dTep9gwscwKjAgp35ViMP%2F1ku51X35uTJx6A%2BUXUqeAa%2BgayLLbE%2BePGpcX6EE8X3Tht"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b59edb2cc32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2187&min_rtt=1611&rtt_var=1757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=469227&cwnd=178&unsent_bytes=0&cid=a18251c61375e71e&ts=212&x=0"
2025-01-11 00:14:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49713	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:14:57 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869286 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YzPX1nVbpbUi9gpSCgy%2F2AtWDPn3HmugOLQ2lmZ2rhn3N7au8FtB5kXuYLJ9DVHjCe6%2B%2FZRzRtHOUuI4skQcVzt0EQOmSKpv61HRgP28NCVtfZHbEf84njySHCQpoYE8E7E%2BF1OQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b5a70a9872a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1962&min_rtt=1956&rtt_var=746&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1454183&cwnd=212&unsent_bytes=0&cid=036c575fadf78bbe&ts=151&x=0"
2025-01-11 00:14:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49715	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:14:58 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869287 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EkZjHnDPEjh0ZqTQFzQWSSM%2B8ZhC9YjeKz%2BI5Cyze3ci2cNqP%2FuGVGbeVy3bAHqdyrKPnGCuWw4fMwzFZK5Gt6lCPkDlqFjNxYaLOi7xlLij6o5PaiYrPCpeZDqqFx%2Bw7aL%2B88rv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b5af9983c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1614&rtt_var=614&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1767554&cwnd=178&unsent_bytes=0&cid=c5cdef8381382842&ts=148&x=0"
2025-01-11 00:14:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49718	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:14:59 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869288 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2FPYd%2B5Om0FpCO0SWsXl4toLyUeOSb1OO03eQ6wxWOsNenjiL9Epjh4BOuQLjmLw8XwO34rsh5he03G3QCBByvc1FiGeWaaT2Kxy1evKuH1IXPD9Ps4tKNBgOYvInDehWCfHU1iX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b5b7b9171a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1926&min_rtt=1912&rtt_var=727&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1527196&cwnd=157&unsent_bytes=0&cid=57c3ae040d5564c8&ts=147&x=0"
2025-01-11 00:14:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49721	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:01 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:15:01 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869290 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NX1N7urD5DmeXdAX6iLjA1rGDp7uEhmstDj4ZZyeP9lKslW5J84EY7TdEcAVGqcMTvGFmRqZ93nH9VA7UaHm6MLKh278vXp1wTa8Zb9SJB%2FA409fJjnWfI40tA%2Ft3ZxftfPsuSgy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b5c0ce6a4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1532&min_rtt=1518&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1788120&cwnd=240&unsent_bytes=0&cid=7c7b985d52bbfe78&ts=163&x=0"
2025-01-11 00:15:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49725	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:15:19 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z25FJEkXQI%2BEFkeu3DDDfavx%2F7hn27x%2Bkx3Ihb2tfPpdDXTbzG5QQUiedG9qCAoXXlDBGrogsjvufPag4NUNQGFsfZRh5y8tdiPIm%2B4Q9obtRvfgXuNyzUrETl%2B0y0CodCH%2BI7sZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b6309f0f4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1561&rtt_var=597&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1814791&cwnd=240&unsent_bytes=0&cid=83abb3fb10799061&ts=145&x=0"
2025-01-11 00:15:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49727	104.21.96.1	443	5740	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:15:31 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869320 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMxpwFfKvdlTEXR6Jh0IBCM8c%2FB%2B3CtNjsK25TYaNRitEdmbGbGjQbl46tIjUAuYZ5tNHBC9hJX7V0%2FgPTXnBpxY2x0%2FQCFyBFaXxb59GWBx1rmyMxnD57YfZh%2BPx598vEmvVpHu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b67fa9a572a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1976&rtt_var=741&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1475492&cwnd=212&unsent_bytes=0&cid=33c17eedeefc1ab6&ts=175&x=0"
2025-01-11 00:15:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	19:14:48
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\h1HIe1rt4D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0x300000
File size:	553'472 bytes
MD5 hash:	ACA1506EC2FC90D9BD56CBBE91BD6386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2754619507.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	19:14:49
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\h1HIe1rt4D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0x4e0000
File size:	553'472 bytes
MD5 hash:	ACA1506EC2FC90D9BD56CBBE91BD6386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1919765075.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1920934211.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:15:30
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:15:30
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:15:31
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x210000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	118
Total number of Limit Nodes:	15

Executed Functions

Function 05A194F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 93f58766ac0d85d9164b960863e88075ae59c8cba8b07438e1beb342ed93505d
Instruction ID: 55623624ce9b65625a35ed8205614ca7a24a24dd7db2893c7ef7fb054bc9413b
Opcode Fuzzy Hash: 93f58766ac0d85d9164b960863e88075ae59c8cba8b07438e1beb342ed93505d
Instruction Fuzzy Hash: 9CF16F30A00209CFEB14DFA5C954FAEBBF2BF88314F158169D81AAF265DB74E945CB44

Function 00D1D429 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D1D4B6
GetCurrentThread.KERNEL32 ref: 00D1D4F3
GetCurrentProcess.KERNEL32 ref: 00D1D530
GetCurrentThreadId.KERNEL32 ref: 00D1D589

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f8dc46640aaa4b40d3acf9fd99e50ea3519b316bc1c200700dc5cda8c7c33134
Instruction ID: 2fdecdaa1006e2946dbd07562be4092abb9c351057b8ab158ed592e485ea9fea
Opcode Fuzzy Hash: f8dc46640aaa4b40d3acf9fd99e50ea3519b316bc1c200700dc5cda8c7c33134
Instruction Fuzzy Hash: 745159B0D003499FEB14CFA9D5487EEBBF2AF88314F24845AE409A7390DB746984CB65

Function 00D1D438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D1D4B6
GetCurrentThread.KERNEL32 ref: 00D1D4F3
GetCurrentProcess.KERNEL32 ref: 00D1D530
GetCurrentThreadId.KERNEL32 ref: 00D1D589

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b5dbe88af65bfb45ce8b20569ce8640972e3544dbebf36501aecd1381629241d
Instruction ID: a20b5e361978367e22e02bb2348bc34f119066b0602d112a4bd8087741f66e6a
Opcode Fuzzy Hash: b5dbe88af65bfb45ce8b20569ce8640972e3544dbebf36501aecd1381629241d
Instruction Fuzzy Hash: F95147B0D003499FEB54CFA9D548BDEBBF2AF88314F24845AE009A7350DB74A984CB65

Function 00D1ADA8 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D1AFFE

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0839cf6d05b6bd783da522345574935b3923cbf3058dd6c9c0dbca39491450e8
Instruction ID: 859a75026f8bc0a15732b244aeddb9280db832e87385b7a2a2d9481b40d35b22
Opcode Fuzzy Hash: 0839cf6d05b6bd783da522345574935b3923cbf3058dd6c9c0dbca39491450e8
Instruction Fuzzy Hash: 45817A70A01B049FDB24DF69E44179AB7F1FF88314F04892EE446DBA51DB35E886CBA1

Function 00D1590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D159C9

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 97e5abb4a98c6882ccea073d5aa6eb739cac059f7237730a1dfacaec75ea5b0e
Instruction ID: 7e69a8b19f3c50a2c890acf583b5bf56bbf5cfeea870e335514dde803133dd9a
Opcode Fuzzy Hash: 97e5abb4a98c6882ccea073d5aa6eb739cac059f7237730a1dfacaec75ea5b0e
Instruction Fuzzy Hash: 6D41EF70C00719CFDB24CFA9D884BCEBBB5BF88304F24816AD409AB255DBB56985CF60

Function 00D14248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D159C9

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 761b17c5a7833864648927e21c8704cdabef2978b92c296a2987a60ad6029762
Instruction ID: 5673ffb221ddb4e931bf1ab574cd3b72ecf1575490390a24669e97bd82646d9d
Opcode Fuzzy Hash: 761b17c5a7833864648927e21c8704cdabef2978b92c296a2987a60ad6029762
Instruction Fuzzy Hash: 8041D270C00718DBDB24CFA9D8847DEBBB5FF88304F24816AD409AB255DBB56985CFA0

Function 00D1D680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D1D707

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1396c0ed0e25b2a42b346e3539fcfc08876374fb3cf63e0939b1f89751a1b063
Instruction ID: d2eb8c36fd0f2b4fb1f20626fc67e260ad2aeb5c0a7fab596f361df7f0318b97
Opcode Fuzzy Hash: 1396c0ed0e25b2a42b346e3539fcfc08876374fb3cf63e0939b1f89751a1b063
Instruction Fuzzy Hash: A921D5B5900248AFDB10CFAAD884ADEFBF5FB48310F14841AE915A7350D375A944CF65

Function 00D1D679 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D1D707

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b91a5b62a3854901aaff406129a67892ca1d84fc646269164003dd27535b5b86
Instruction ID: 2fba8f99e7394b3448b6f59baf778dffa30522a641ffd8aa0a21ec8b72f26ed1
Opcode Fuzzy Hash: b91a5b62a3854901aaff406129a67892ca1d84fc646269164003dd27535b5b86
Instruction Fuzzy Hash: C92112B5900248EFDB10CFAAD984ADEBBF5FB48324F14801AE818B7350C378A944CF64

Function 05A10562 Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05A105E5

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ac31fe6c7611b0ee8e6e12f5e7cf53f453597f21ddaf9d46c2063209d2b448f4
Instruction ID: 47b8a15621028b75a60117cc64ee90ea625a93cf67ea83d850ecaa7a02b2c3e4
Opcode Fuzzy Hash: ac31fe6c7611b0ee8e6e12f5e7cf53f453597f21ddaf9d46c2063209d2b448f4
Instruction Fuzzy Hash: 6521BBB58093898FDB01CFA5C845BDEBFF4EB09310F04809AD444A7292C378A948CBA1

Function 05A10588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05A105E5

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 747f0b055affee1a8672e02dae6336f9301b4184ada8a8ec76bbb08a092f81cd
Instruction ID: 5d2d8720eeeacb1b9db84c65605efb284f41229f0aae5884707be7f8baf4214e
Opcode Fuzzy Hash: 747f0b055affee1a8672e02dae6336f9301b4184ada8a8ec76bbb08a092f81cd
Instruction Fuzzy Hash: 3411E3B5800249DFDB10CF9AC845BEEBBF8FB48324F10841AE954A7240D379A984CFA5

Function 00D1AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D1AFFE

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31192cc4c0f6e19f739e0cda45797725833ca8539282e89f04bcc72a225717ed
Instruction ID: a6432e1a5f56f2f21f026762657d77895b1d174bd3a906858d16064811504876
Opcode Fuzzy Hash: 31192cc4c0f6e19f739e0cda45797725833ca8539282e89f04bcc72a225717ed
Instruction Fuzzy Hash: 2C1110B6C002498FCB20CF9AD444BDEFBF4EF88324F15842AD429A7210C379A545CFA1

Function 05A187C4 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05A1981F), ref: 05A1A2BD

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 21f26756e64db3965edbcbf19fbec8b945ed88a36a5824579f5a04779f5b60ab
Instruction ID: ea023c38af425677478a339f53cdb5c374d6cb6450828661ae859b32f26fa745
Opcode Fuzzy Hash: 21f26756e64db3965edbcbf19fbec8b945ed88a36a5824579f5a04779f5b60ab
Instruction Fuzzy Hash: 2511DFB5D046488FCB10DF9AD444BDEBBF4EB48324F10846AE819A7210D379A544CFA9

Function 05A11EC0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 05A11F1D

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 579f05f347d6e7942ee36058c1399b3b2289cb146b6a977badb769ffb14f3270
Instruction ID: c85657fa0a16b3be5b1ec67e0d12c040b4a08ecc975d9d7844cacc4e6b0d98ba
Opcode Fuzzy Hash: 579f05f347d6e7942ee36058c1399b3b2289cb146b6a977badb769ffb14f3270
Instruction Fuzzy Hash: 7C1115B18043488FDB10DF9AD885BDEBBF4EB48324F10845AD519A7640D379A545CFA6

Function 05A108A0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 05A11F1D

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5d33fc44bd3c66aadf5912eff657f154cb7b8b1197eb2a54c0d6e7abfbc30efb
Instruction ID: 4561dce771e4a2f1f615d61fc9e2e76e561e748cc23e80fd04bb77213a8c7c0e
Opcode Fuzzy Hash: 5d33fc44bd3c66aadf5912eff657f154cb7b8b1197eb2a54c0d6e7abfbc30efb
Instruction Fuzzy Hash: 721115B59043488FDB20DF9AD544BDEBBF4EB48324F10845AE519A7340C375A944CFA9

Function 05A1A258 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05A1981F), ref: 05A1A2BD

Memory Dump Source

Source File: 00000001.00000002.2756580992.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a10000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 344f09a2817ac810e18fc30abdbc1b528d986c938a57d4df51046affa3197184
Instruction ID: 6c280032b48ddda99ceb3697701196e4adbb142262952a2b1aec913d53906035
Opcode Fuzzy Hash: 344f09a2817ac810e18fc30abdbc1b528d986c938a57d4df51046affa3197184
Instruction Fuzzy Hash: B411E0B1C046498FCB10DF9AD444BDEBBF4EB48314F10846AE429A7650D379A645CFA5

Function 00A4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2751954911.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d74ff0670acd044e836850d4489be15f84d7bd681696ebe6b1f23b893d7d15
Instruction ID: a15549757dc836abc678160eb3160e469948c7561051506f642d0738ec9cc1fb
Opcode Fuzzy Hash: a1d74ff0670acd044e836850d4489be15f84d7bd681696ebe6b1f23b893d7d15
Instruction Fuzzy Hash: F2212575604244EFDB15DF10D9C0B26BFA5FBC8328F20C56DE8090B256C736D856CAA2

Function 00A5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2752028307.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a5d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614d36cfde99d2bed27c2e9e83c2e20090f5b651c325ecff695338f5139a02fd
Instruction ID: d3d99ce02f7144d21aec11ac58a196b7598564e91389881313f8f48d237cbdeb
Opcode Fuzzy Hash: 614d36cfde99d2bed27c2e9e83c2e20090f5b651c325ecff695338f5139a02fd
Instruction Fuzzy Hash: 43210771504304EFDB24DF10D5C4B16BBA5FB84315F20C56DEC4A4B296C336D84BCA62

Function 00A5D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2752028307.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a5d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c296094b5a9cc8b2c1284ff02347b60590b5c541198c8d0e64b5f2b711aa486
Instruction ID: 0630e8edc9f3bd446a659136803c0d536a025b785719b0bb666139167d8200db
Opcode Fuzzy Hash: 7c296094b5a9cc8b2c1284ff02347b60590b5c541198c8d0e64b5f2b711aa486
Instruction Fuzzy Hash: 3E21F375504344EFDB24DF10D9C4B2ABBA5FB84335F24C569EC490F242C33AD84ACAA2

Function 00A5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2752028307.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a5d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3633f6e3bee8f44f4040937dbf61f5c381a2b0213c2b9beb6eb57b7627b7f73
Instruction ID: ab29d829b2f2da7d2a732c7800f2726abc4c3928df0a1d0c0c104919c8b36832
Opcode Fuzzy Hash: a3633f6e3bee8f44f4040937dbf61f5c381a2b0213c2b9beb6eb57b7627b7f73
Instruction Fuzzy Hash: AE2162755093808FDB16CF20D994715BF71FB46314F28C5EAD8498B6A7C33A980ACB62

Function 00A4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2751954911.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction ID: 765a0ad077ced4fd2c18d77e1f8c0eab2e0ec7fe7c575a8846c532d3fd150622
Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction Fuzzy Hash: 2A11D376504280CFCB16CF10D5C4B16BF72FB94318F24C6A9D8494B656C336D856CBA2

Function 00A5D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2752028307.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a5d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
Instruction ID: 0dba5d3c2ee61ba075f4180dfc9c5a26cb9ab4e14560fad44f04c73ca5901ce5
Opcode Fuzzy Hash: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
Instruction Fuzzy Hash: C711B275504280DFDB21CF10D5C4B19FB61FB84324F24C6AADC494F656C33AD80ACB92

Non-executed Functions

Function 00D1D364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2752645461.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d10000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0699e69a7e6a27afa2362f5dca694ed96059c9d45d8b19ed31a85c553f46d5cb
Instruction ID: cca6e54d4fc0df8722eabe36fdbce9d69e05ba13bafa8e0d9c3600de75ce6cca
Opcode Fuzzy Hash: 0699e69a7e6a27afa2362f5dca694ed96059c9d45d8b19ed31a85c553f46d5cb
Instruction Fuzzy Hash: 96A14B36E002099FCF05DFA4D9445DEB7B2FF89304B15857AE905AB262DF31E986CB60

Analysis Process: h1HIe1rt4D.exePID: 5740, Parent PID: 6728COMMON

Executed Functions

Function 00CA9858 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acf7119939c6b5fc6d2a086eed169dc247e13c11b070410e9b390aefdc16f85
Instruction ID: d9592bdb2a3f40a097d87e255c76b460ecbb21e8b5ad17e151998f3fca81344c
Opcode Fuzzy Hash: 4acf7119939c6b5fc6d2a086eed169dc247e13c11b070410e9b390aefdc16f85
Instruction Fuzzy Hash: F372A031A0020ADFCF15CFA4C984AAEBBF2FF89318F158559E9159B2A1D730ED81DB51

Function 00CA6108 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10d4f993edc545654dbbb31fce291447d51292999cdea086b355498c2d43a38
Instruction ID: 9e236837a9078c0dbccaccff37aeb92b181407c9c29ff135800e1cee32d036f5
Opcode Fuzzy Hash: b10d4f993edc545654dbbb31fce291447d51292999cdea086b355498c2d43a38
Instruction Fuzzy Hash: D8129070A002199FDB14DFA9C854BAEBBF6FF89304F148569E416EB391DB349D42CB90

Function 00CA6730 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7523630dd6a7db2363bb7ee40346dbc16b4800764fca7edbb3a299fffb42cb90
Instruction ID: 4a8b658368e02c4f46a4f3e94c3b9617e5fdacfb679a3ec87a157cc352c6cbe3
Opcode Fuzzy Hash: 7523630dd6a7db2363bb7ee40346dbc16b4800764fca7edbb3a299fffb42cb90
Instruction Fuzzy Hash: A5026170A0011ADFCB14CFA9D984AAEBBB2FF89318F198465E455EB2A1D730DD41DB50

Function 00CAB328 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e1560b290998aff919f6834dd55ff1a912f2faa36a8fb15211b08d8edee37a
Instruction ID: 5447132feaa56b6d252581c6fe869abeb65e37c1f177607a894468b7ef91856f
Opcode Fuzzy Hash: 49e1560b290998aff919f6834dd55ff1a912f2faa36a8fb15211b08d8edee37a
Instruction Fuzzy Hash: 6DE11D74E00659CFDB14CFA9D884A9DBBB1FF8A314F1580A9E819AB362DB319D41CF50

Function 00CAC470 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb45a1adeb86a8d30ff22c44e4062a47610f2f75a24b44223a26140b908d7b3
Instruction ID: 90d0577fa415b441250f59af2b3d02f972beabbd8498046ce4c627e1d5ad82d0
Opcode Fuzzy Hash: 4cb45a1adeb86a8d30ff22c44e4062a47610f2f75a24b44223a26140b908d7b3
Instruction Fuzzy Hash: B181C474E00219CFDB14DFAAD884B9DBBF2BF89314F14806AE419AB365DB709941CF11

Function 00CAC193 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cf39386f2cba6ddddf18abaebcbb83050bd584d667dbefad89bed64fbffbab
Instruction ID: 4b889f9d51a9aaed4a210b0541649a122cded0bc14758c00e726efa3d3a176ef
Opcode Fuzzy Hash: b5cf39386f2cba6ddddf18abaebcbb83050bd584d667dbefad89bed64fbffbab
Instruction Fuzzy Hash: 1581C174E00219DFEB14DFAAD884A9DBBF2BF89304F24C069E419AB365DB709941CF50

Function 00CAC753 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa8d0d74d552ed8db754fd3d0e078cbce72a020d1d24bbff061d1a51085dca6
Instruction ID: 819eb50341abf42056a90b402c1397d54f6371cb1935fab4cff67bd5096f5885
Opcode Fuzzy Hash: 9fa8d0d74d552ed8db754fd3d0e078cbce72a020d1d24bbff061d1a51085dca6
Instruction Fuzzy Hash: 8381C274E00219DFEB14DFAAD884B9DBBF2BF89314F248069E419AB365DB749941CF10

Function 00CA4AD9 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a213ef9922bb0d34fa3efcd1615320b2b0376dfa7bb8f2f596b1b57b34a12321
Instruction ID: e01277f8422339e9a2fd5d91478f633124d350696cbcc3a6e8a83740f4cdf8f2
Opcode Fuzzy Hash: a213ef9922bb0d34fa3efcd1615320b2b0376dfa7bb8f2f596b1b57b34a12321
Instruction Fuzzy Hash: 0B81D574E00219CFDB18DFAAD884B9DBBF2BF89314F248069E419AB365DB709941CF10

Function 00CACA33 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483fcfc6284b63f339b45374098dba063120831f8e792fb109cc0420a7681420
Instruction ID: 80cc55930452e13c493a0c256cf61677e950f90d5de6d35245043a8a4e2b0099
Opcode Fuzzy Hash: 483fcfc6284b63f339b45374098dba063120831f8e792fb109cc0420a7681420
Instruction Fuzzy Hash: C681C374E00219CFDB14DFAAD984A9DBBF2BF89314F14C069E819AB365DB719941CF10

Function 00CABEB7 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddcce8ed0c786df54bac52e50c213f15e19fe61fb2b714fd812fa833ed0d904
Instruction ID: 01bba3a6a094405e884221256fc2ea58c995f3693cbe386b2593f667bf2280d3
Opcode Fuzzy Hash: 5ddcce8ed0c786df54bac52e50c213f15e19fe61fb2b714fd812fa833ed0d904
Instruction Fuzzy Hash: E681B374E00219CFDB14DFAAD984A9DBBF2BF89304F14C06AE419AB365DB319981CF10

Function 00CAB4F3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03346a654d945a314947f2502d30c1fba706b6f1d1b0122518238e4eff75303c
Instruction ID: e7e0d27f5fb8b84fed43c8b7ac854b3cb27556e9ea462894fc026a3daafce384
Opcode Fuzzy Hash: 03346a654d945a314947f2502d30c1fba706b6f1d1b0122518238e4eff75303c
Instruction Fuzzy Hash: 1161E474E00649DFDB18DFAAD984A9DBBF2BF8A314F14C069E418AB366DB705941CF10

Function 00CA95D7 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

T, xrefs: 00CA95E6

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 148adfc4a6a90ec048f7bc22c88d3a06233a1f975750b88d48a07871d3cf8307
Instruction ID: 700921f8c041ee7f7c8fdc846017df78d7e256e953ad3b3365db857bbdd0dbfd
Opcode Fuzzy Hash: 148adfc4a6a90ec048f7bc22c88d3a06233a1f975750b88d48a07871d3cf8307
Instruction Fuzzy Hash: 4E5119707042468FDB06CB79C8557BEBBB5DF87314F1885A6E411CB292EA34CD41C761

Function 00CA77F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273c0e9d7d942a685b8f1aab5739ba1ea6c9b7591f78a9facddb88898873a055
Instruction ID: bf429cfa21699e487ae13befb4a55c8acd53b7c1ca772a8b279c5cbebd434be3
Opcode Fuzzy Hash: 273c0e9d7d942a685b8f1aab5739ba1ea6c9b7591f78a9facddb88898873a055
Instruction Fuzzy Hash: 20520474A002588FEB24DBA0D950BEEB772FF84300F1081AAD20A6B3A5DF755E85DF55

Function 00CA87E9 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7dd8da9f189588fe5f2f1e7be5dd57b133f8897c18ab4dd4abdb3157b46667
Instruction ID: 0fb18aef06370156162ff5883bdbcc64252d9e718b95dbbf7fea0a229b2bea45
Opcode Fuzzy Hash: 9e7dd8da9f189588fe5f2f1e7be5dd57b133f8897c18ab4dd4abdb3157b46667
Instruction Fuzzy Hash: 93F1A0707142028FDB199A39DC58B397796AF83718F1800AAE512CF3E1EF28CD89D761

Function 00CA6E58 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d8f5961a26447ebbdbfe16b61d8dfebe4f9c04bad5d138e7d62f38b8e7290
Instruction ID: 23c887f7b9b84802c63185c7ec5ab3796bdb36351ed9cc9415120bd47bfc6ce7
Opcode Fuzzy Hash: 249d8f5961a26447ebbdbfe16b61d8dfebe4f9c04bad5d138e7d62f38b8e7290
Instruction Fuzzy Hash: 0A125D30A0424ADFCB15CFA9D984A9EBBF2FF8A318F158659E815DB261D730ED41CB50

Function 00CAA818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393118f2fddd1ec16540de7d349f907446305e0422291af84643cd7bbd067d79
Instruction ID: e8931cc0db9e7f812e225a5817c4fe4efee06a8fd422d828708a3373b9785a87
Opcode Fuzzy Hash: 393118f2fddd1ec16540de7d349f907446305e0422291af84643cd7bbd067d79
Instruction Fuzzy Hash: 36F14E75A40215CFCB04CFADD988AADBBF2FF89314B1A8059E415AB361CB35ED41CB61

Function 00CA0C8F Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7b7376d5ddc0f60be1a73c1b3d6714032760c724dd67364b0aa98a84e094a8
Instruction ID: 7e6e5ef56af649bb81797d6a4b79afd8e7d40163a07d3ba591482d8e9bae5fa3
Opcode Fuzzy Hash: fe7b7376d5ddc0f60be1a73c1b3d6714032760c724dd67364b0aa98a84e094a8
Instruction Fuzzy Hash: AE229278A00619DFCB54EF64E894B9DBBB2FF88311F108AA5D809A7364DB706D85CF41

Function 00CA0CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd9b1120477753250435f707baf4ae951edc58874ae05827f98b9aef803ae4f
Instruction ID: 6184ec5f2180aa8b49ac730aa8882509dddacb7a14aae58e7c3b175cf09ee320
Opcode Fuzzy Hash: 0bd9b1120477753250435f707baf4ae951edc58874ae05827f98b9aef803ae4f
Instruction Fuzzy Hash: 16229278A00619DFCB54EF64E894B9DBBB2FF88311F108AA5D809A7364DB706D85CF41

Function 00CA56A8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc8aec0691984900938519692b893bff6d23555126d34adafd43f93a7610ab5
Instruction ID: 926744addb89d287c6cb0e797ab83720ff0d4cb6b3e52769e769a09d653ee44a
Opcode Fuzzy Hash: 7fc8aec0691984900938519692b893bff6d23555126d34adafd43f93a7610ab5
Instruction Fuzzy Hash: 60B1CD30704606DFDB259F79D848B7E7BA2AB8A318F14CA29E816CB391DB35CD41D790

Function 00CA5C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9450b0365c627c3668005eb9bcf9b852cc557c47b63dca0e8acae90ffce90daa
Instruction ID: adb16c6e83aca37ba8a90513bc972a88d7a051fb91b61fe99fe103ab5674e58a
Opcode Fuzzy Hash: 9450b0365c627c3668005eb9bcf9b852cc557c47b63dca0e8acae90ffce90daa
Instruction Fuzzy Hash: F681A335B00A06DFCB14CFA9C988AADB7B2BF8A318B24C169D416EB365D735DD41CB50

Function 00CA7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5ed2d64c690d0b96c77a1fd3a8d9637531121a1897cb963c8a4cc9c92e181a
Instruction ID: 4f225467f3bc7f8275f2617ded9ba77253aacf26e6f3396ba7ee1e1b75b3d646
Opcode Fuzzy Hash: fc5ed2d64c690d0b96c77a1fd3a8d9637531121a1897cb963c8a4cc9c92e181a
Instruction Fuzzy Hash: 32711C347086068FCB15DF29C898AAD7BE5BF5A708F1542A9E912CB3B1DB70DD41CB90

Function 00CACEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b48482d9bdc9d3b0b880643f8f6c8165c7e0678c496c9c7539b867bb211a03e
Instruction ID: 2facc69249100e6a08ca71d48a2e88c7468ffdccd9c6bb2e0cbf1954d05212ff
Opcode Fuzzy Hash: 8b48482d9bdc9d3b0b880643f8f6c8165c7e0678c496c9c7539b867bb211a03e
Instruction Fuzzy Hash: 0E51AE748A1746EFC7043B30A9BC66EBBB1FB1F3277157E04A10EA50A5DB7054E5CA21

Function 00CACED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb0e6c50c8faf91e8d5cce6f322d9ecbb89ad1bf45eeab43f0c43d3deeddb8d
Instruction ID: 569da77b800b87b2749ea55843b84770f011dd73683bc83eedba2e441b1641e8
Opcode Fuzzy Hash: 2eb0e6c50c8faf91e8d5cce6f322d9ecbb89ad1bf45eeab43f0c43d3deeddb8d
Instruction Fuzzy Hash: F1519D748A1707EFC3043B30AABC62EBBB5FB4F3277547E00A10EA50A58B7054E5CA21

Function 00CA9390 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb5227d6f9088f6cdaf6afeafa9d3c5408db051bf73f9832ad34307a8a8ec3e
Instruction ID: 7e746a9a4677862791edfee5c8877503de9477470fa7a39457e8b1530d98b77e
Opcode Fuzzy Hash: 8eb5227d6f9088f6cdaf6afeafa9d3c5408db051bf73f9832ad34307a8a8ec3e
Instruction Fuzzy Hash: 9F51A0347002169FDB01DFA9C844BAEBBE6EF8D354F148465E918CB291DB71CD42CB51

Function 00CACD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e74624c8421dd6ae110fbb2ebfd5e868a8a052e564af601dbe25e1e4f1c80b
Instruction ID: e01e45610136babb18e1203f8eab511831a252573d01d7acc8cfc978c6d4a8ec
Opcode Fuzzy Hash: 76e74624c8421dd6ae110fbb2ebfd5e868a8a052e564af601dbe25e1e4f1c80b
Instruction Fuzzy Hash: 07517474E01218DFDB58DFA9D584A9DBBF2FF89300F208169E415AB365DB31A941CF50

Function 00CA964C Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98d27b3e53df7508b069464e7dd8f71fd5810b07a58ea744f40d64692645a74
Instruction ID: 09f36ef6e43da24eb8910fd4afd21143cb9e898fc76fbe3134949f0bee79bc84
Opcode Fuzzy Hash: a98d27b3e53df7508b069464e7dd8f71fd5810b07a58ea744f40d64692645a74
Instruction Fuzzy Hash: 2541F774B041078FDF55DB69C881ABFB7B9EF8A308F248565F511DB251EA34CD418BA0

Function 00CA3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3961ea2157da27abe4bfbeb51eaa22db65dc51ce1c6ebcc61e6837dd1acc455
Instruction ID: ca6d028a471ac277943df424f86831deab03283252dced2b729d1ec11fb9af1d
Opcode Fuzzy Hash: f3961ea2157da27abe4bfbeb51eaa22db65dc51ce1c6ebcc61e6837dd1acc455
Instruction Fuzzy Hash: B7519075E01248CFCB08DFA9D99499DBBF2FF89304B248569E805AB364DB35A942CF50

Function 00CA9A63 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0246514a1ee2148f55d80a0c6151ff659252ec6d1c37919379b26fefb3cd2287
Instruction ID: eb9155dcfa24d8b7a29dcd606142b92934829a293bef4c032fd0a050f3d8b394
Opcode Fuzzy Hash: 0246514a1ee2148f55d80a0c6151ff659252ec6d1c37919379b26fefb3cd2287
Instruction Fuzzy Hash: DF41C031A0424ADFCF11CFA8D845A9DBFB2FF4A318F148556E811AB2A1D330DD51DB60

Function 00CAA650 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06595aa73e31768b3454f0f791f6a89bd01daf5e4922d1fe165f233e91c7bea
Instruction ID: ee7d6b672d59c56293c1be9eb41eae94b2135703b060b3020a6472583636a603
Opcode Fuzzy Hash: b06595aa73e31768b3454f0f791f6a89bd01daf5e4922d1fe165f233e91c7bea
Instruction Fuzzy Hash: A4410135B002049FCB159BB8DD14AAE7BB2BFC9320F148669E912E7390CF309C02CB91

Function 00CA3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146cda365bc77860b3e008dcdd32157a4838c4e10bdf9d49a36604fb9b444043
Instruction ID: 638d3c06bc015c92bc19d8b70c36132b48dc82e0ffb7e0bed45e98fb3ee6e47f
Opcode Fuzzy Hash: 146cda365bc77860b3e008dcdd32157a4838c4e10bdf9d49a36604fb9b444043
Instruction Fuzzy Hash: 08315F31F003568BDF1885AA58B437E6AD6BBCA324F144439F816D3380DF74CF009665

Function 00CA4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16513801065973746380a8283527e76931305cfb55a16a168f03564b3d61ba46
Instruction ID: 2f4783cdd210ded268309830f0bd47bcf88776b7fb7f9de2893e49492aa8a18a
Opcode Fuzzy Hash: 16513801065973746380a8283527e76931305cfb55a16a168f03564b3d61ba46
Instruction Fuzzy Hash: 4831803170414AAFCF09AFA4D854AAFBBA2FB88304F104915F9158B351CB78CD61DBA0

Function 00CA92DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f05cb681aada77444545992021218eb94af4d34d52262e851c013bb0f24b18c
Instruction ID: 21d981222e27143c0d98f38d4e83fd167a2e794c79a44b1c326f50e5a90592e6
Opcode Fuzzy Hash: 4f05cb681aada77444545992021218eb94af4d34d52262e851c013bb0f24b18c
Instruction Fuzzy Hash: 8431F830501646DFCB11CF68D8806AFBBF5FF8A320F648566E855DB251D331E912CBA1

Function 00CA76D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a91d9c4ab6dd9fd114de05abbc83b11e3c71e3a13d5aff40e1fefeb8072499
Instruction ID: e180f13ad6704fcda56d63783f50651bc084f42ee3b942b568ff05279dc847ab
Opcode Fuzzy Hash: a3a91d9c4ab6dd9fd114de05abbc83b11e3c71e3a13d5aff40e1fefeb8072499
Instruction Fuzzy Hash: AC2103383082024BEB17163A9D94ABD6B97BFD671CB184379D512CBB95EE24CC42E790

Function 00CA76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88c408ac9f50bd09ff7650fbbe8b0c1b9b8a2e953216179cf5eca773fcb8139
Instruction ID: 38f8a4700b10d80d15abb2f336403393155ec5fb3fcacaf30ad385429a23edcb
Opcode Fuzzy Hash: b88c408ac9f50bd09ff7650fbbe8b0c1b9b8a2e953216179cf5eca773fcb8139
Instruction Fuzzy Hash: 7F2107383082064BEB16163A8D54A7E7687BFC6B1CF244238D512CB795EE25CC81E7D0

Function 00CAA809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab528790139cb19669bd3b085f2eb6ea262a8326200854f39d87ec54fb4866bd
Instruction ID: 673ddac10139d7978abb0581a1db861e775563754f112a37e84c93560e78f03f
Opcode Fuzzy Hash: ab528790139cb19669bd3b085f2eb6ea262a8326200854f39d87ec54fb4866bd
Instruction Fuzzy Hash: 09319171A0050A8FCB04CF7DC884AAFBBB2BF89314B168155E5159B3A5CB349D42CB91

Function 00CA2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b14896da76ebb69b9c55eebedeef0854d957b36c31e4115cf83f9348c613c
Instruction ID: 70a902439786b66a2215f2871eba15a03f6e5b73ace7fbb7ac07eb0ccaa139f5
Opcode Fuzzy Hash: 143b14896da76ebb69b9c55eebedeef0854d957b36c31e4115cf83f9348c613c
Instruction Fuzzy Hash: 8E219C31A001299FCF14DF78C8509AF7BB5EB99760B10C459D92A8B340DB35EE42CBA1

Function 00CA5A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f91bdbe3c2f826e2ddf130418e5e1fbb165df2a3dfb7c0baa03911c55e1b4e
Instruction ID: e8e820629d4363c43bbe6aa98b75bb069372a95370740749bf534c2a51b19006
Opcode Fuzzy Hash: 96f91bdbe3c2f826e2ddf130418e5e1fbb165df2a3dfb7c0baa03911c55e1b4e
Instruction Fuzzy Hash: F9212535704A129FC3259B69D89453FBBA2FF8A71471486AAE912CB351CF34CC02D7D0

Function 00C4D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920395223.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c4d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e267dd197b22edbce5fbec0c5347000f714c25e7a44b4163d93128c83ff6d6
Instruction ID: 9119b12e9eabe3d028b2afc55b9951b7550665bb1d72f0728770c9022207bf99
Opcode Fuzzy Hash: 23e267dd197b22edbce5fbec0c5347000f714c25e7a44b4163d93128c83ff6d6
Instruction Fuzzy Hash: EB213A71504344EFDB15EF10D8C0B16BF65FB94324F20C5A9E90A0B246C336E856CBA1

Function 00CAD117 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7951434393b262c7ee1ae3eb55aadada852a01696b1637c8ad0715e40ce00881
Instruction ID: 25f6dcaa4886b46a1146032b419b9a70369d11d53200f291933f454d9cc8660d
Opcode Fuzzy Hash: 7951434393b262c7ee1ae3eb55aadada852a01696b1637c8ad0715e40ce00881
Instruction Fuzzy Hash: A2213931C10619CECB00EFE8D8446ECFBB4FF4A315F109629D515B7254EB306A9ACB50

Function 00CAD218 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11fa0bccda78b673de555517161f33f0b9319afe96460dfbd12b8a59e38bc02
Instruction ID: 76de98230340086a5f72225ad0563fa31f114a2fdf702f699ab437a9cacf8a8c
Opcode Fuzzy Hash: c11fa0bccda78b673de555517161f33f0b9319afe96460dfbd12b8a59e38bc02
Instruction Fuzzy Hash: 452157359412099BDF09DFB4D850ADDB7B2FF8A300F109A69C816733A0DB359A42CB25

Function 00CA4DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cba265d470ce5279865429a34740957c4eceb4267233c4ec498a07788a74047
Instruction ID: 092922fb214457455d174f9c8f74c0affa63706ad13aabeb8c3670097505df29
Opcode Fuzzy Hash: 5cba265d470ce5279865429a34740957c4eceb4267233c4ec498a07788a74047
Instruction Fuzzy Hash: FC21F2317041469FCB1A9FA8D4546ABBFA2FBC9318F104869F8158B252CB78CD56DBD0

Function 00CA215C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54f6059276534c52133cf9e6b7079ab3f60e98b6c65251f7345d0b87a5ff9ca
Instruction ID: 945a1630e54e6e248b54b58c58bc5cc7a5680c76e3bccbb90bdd337321bc5544
Opcode Fuzzy Hash: d54f6059276534c52133cf9e6b7079ab3f60e98b6c65251f7345d0b87a5ff9ca
Instruction Fuzzy Hash: CE115E31E043599BCF019BBCAC005DEFB30FF86320B258796D62677151EA311906C7A1

Function 00CA8EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2894d2ef47d2c0545ac73c0a2870b52b158cbb531522c746d78b62ae2e165db
Instruction ID: 0583d8c7a0242b3cdd0566b7bf7f42914222655c38c35b395f0cfd483acc48cc
Opcode Fuzzy Hash: a2894d2ef47d2c0545ac73c0a2870b52b158cbb531522c746d78b62ae2e165db
Instruction Fuzzy Hash: 3A215A71E0124AEFDB05DFE1D950AEEBBB6AF49304F24846AE411E6290DB30DA41DB60

Function 00CAD228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde091c61b1f12c2fc22cce46de4e70005af747e70a990987bd7016bd4415c77
Instruction ID: 2d655a7f7152da97795bc50e4e0eba1bbdd26fbd332c503f0a54c08775648443
Opcode Fuzzy Hash: bde091c61b1f12c2fc22cce46de4e70005af747e70a990987bd7016bd4415c77
Instruction Fuzzy Hash: 062117749412089BDF08DFB4D850AEDB7B2FF8A305F109929C416733A4CB359A41CF65

Function 00CA1F08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d65339c4e133d4ed9cc2170a76f88e9ae09f4abf0f6bcb37aad5512449eb36
Instruction ID: 8845f5964f7a0b8685817cc43c35600c97cf375eb289a90ab596f949096f7353
Opcode Fuzzy Hash: c9d65339c4e133d4ed9cc2170a76f88e9ae09f4abf0f6bcb37aad5512449eb36
Instruction Fuzzy Hash: B1213974C0464ACFCB10DFA8D8445EEBFF0BF4A314F18556AD815A7214EB311A94CBA6

Function 00CA5A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aebde832cc93271fe647975659c1ebfaa4ef36196cd598f7af2186388d986d0
Instruction ID: 7e4fbcbc418879eedaf364b6b2f2d22e36b1ddadecece36ddda05709849d14ac
Opcode Fuzzy Hash: 5aebde832cc93271fe647975659c1ebfaa4ef36196cd598f7af2186388d986d0
Instruction Fuzzy Hash: 5D112131700A129FC3299A2AD89893FB7A6FFC97617148279E916CB350CF20DC0287D0

Function 00C4D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920395223.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c4d000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction ID: 807a3040e8618823a8253e1f2e50d70b4c6dcdc184c3fac14053a3a2fcc09a02
Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction Fuzzy Hash: 2211E676504280DFCB16DF10D5C4B16BF72FB94324F24C5A9DC4A0B656C33AE956CBA1

Function 00CA1F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8b70c178036e244ce093362e48ac51ead35003ecc50efcc9db8cf3a95d404c
Instruction ID: f595deb8cb270c3cd279685d62cd0430f031f4b08549525d27349a003015a237
Opcode Fuzzy Hash: 4b8b70c178036e244ce093362e48ac51ead35003ecc50efcc9db8cf3a95d404c
Instruction Fuzzy Hash: 0821EEB4C0120A8FCB00EFA8D9856EEBBF4FB49300F50566AD805B3210EB305A95CBA1

Function 00CA5607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187ebc5e8c396f0fd33f26b2312bf8f54e863adeb804840d70a517a9e588a8a6
Instruction ID: 672187b2b8fff02b973ee8bd820c070c03b2568535b1ca1b67d162c716e3a06e
Opcode Fuzzy Hash: 187ebc5e8c396f0fd33f26b2312bf8f54e863adeb804840d70a517a9e588a8a6
Instruction Fuzzy Hash: 8001F172A04005AFDB059EA59800AFF3BE7EBC9351F18812AF904CB290DA71CD1297A0

Function 00CA2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20830debc259b522ec9f3394b0a2ee56b7699c73dfbfda5c38929fbd1d4c9f7
Instruction ID: 50dec443e9889870a695ffcf23c3c1559f6653def09b333c7cf27bd82edc1635
Opcode Fuzzy Hash: f20830debc259b522ec9f3394b0a2ee56b7699c73dfbfda5c38929fbd1d4c9f7
Instruction Fuzzy Hash: 16E04F3191022A97CB05EBB9DD459DFFBB8EF92710F505662D5203B140EB7026598AA0

Function 00CA2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704711261ae076bdb4b033b819c20e2abf7b86c5e0822ea1809f9be9148ecba6
Instruction ID: c8304c53151226d54f0c9d3a3f5e6c8c03e030300ef8879c3aee508963828839
Opcode Fuzzy Hash: 704711261ae076bdb4b033b819c20e2abf7b86c5e0822ea1809f9be9148ecba6
Instruction Fuzzy Hash: 3BD05B31D2022A57CB00E7A5DC044DFFB38EFD6721B514666D55437140FB702659C6F1

Function 00CA8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ae906eac30adc4eccce3c5c1909e5e29c2c3d201def1468e2def9e2e719dcc59
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 9FC0123320D1282BAA28108F7C40AB3AB8CC2C27B8A250237F96CA3240A8429C8401A8

Function 00CAA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811621644ef2742dbcdb732b1e70149ab9c6100f44784a65c5ba09933830410d
Instruction ID: dfd579ec1ba4ad7d9cc613e847223a522da34bfa84482cc01c1fb510978d5f47
Opcode Fuzzy Hash: 811621644ef2742dbcdb732b1e70149ab9c6100f44784a65c5ba09933830410d
Instruction Fuzzy Hash: 40D0677BB51008AFCB149F98EC409DDB7B6FB9C221B449516E915A3260C6319961DB50

Function 00CA5EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9967a724c2b1edcc9fd23c4c386107584e037befc1986bc4d507b37a846b38ea
Instruction ID: e709e9f7f76f72d0bd22411d05a486fd7d2b9b92a5629c270c06323cb4d000a0
Opcode Fuzzy Hash: 9967a724c2b1edcc9fd23c4c386107584e037befc1986bc4d507b37a846b38ea
Instruction Fuzzy Hash: 88D0A7F45083899FD302F770FE564583B227BC4214B444AE6F4060962BEFF48C499B62

Function 00CA5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1920595745.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ca0000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0912e211e00510bb16f057ff731e7064cf288af254327cd0246646a0af65d059
Instruction ID: 56fc4bf2a06251f16670557cd047b2fe21604cfcf98be4de699e094c7d07fa47
Opcode Fuzzy Hash: 0912e211e00510bb16f057ff731e7064cf288af254327cd0246646a0af65d059
Instruction Fuzzy Hash: E9C012B054470D97D601F771E945559335A76C0620F405A60B50A09219DFF499444B95

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h1HIe1rt4D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1HIe1rt4D.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
h1HIe1rt4D.exe

Function 05A194F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 00D1D429 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 00D1D438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00D1ADA8 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Function 00D1590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00D14248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00D1D680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00D1D679 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 05A10562 Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Function 05A10588 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Function 00D1AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05A187C4 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Function 05A11EC0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 05A108A0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 05A1A258 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON