Edit tour

Windows Analysis Report
h1HIe1rt4D.exe

Overview

General Information

Sample name:	h1HIe1rt4D.exe renamed because original name is a hash value
Original sample name:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b.exe
Analysis ID:	1588354
MD5:	aca1506ec2fc90d9bd56cbbe91bd6386
SHA1:	d2b443e927e57d8481fd6ddc5c7722d423815a9b
SHA256:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

h1HIe1rt4D.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: ACA1506EC2FC90D9BD56CBBE91BD6386)

h1HIe1rt4D.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: ACA1506EC2FC90D9BD56CBBE91BD6386)

cmd.exe (PID: 6600 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 2872 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY/sendMessage?chat_id=2135869667", "Token": "7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY", "Chat_id": "2135869667", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148e9:$a1: get_encryptedPassword 0x14bd5:$a2: get_encryptedUsername 0x146f5:$a3: get_timePasswordChanged 0x147f0:$a4: get_passwordField 0x148ff:$a5: set_encryptedPassword 0x15f51:$a7: get_logins 0x15eb4:$a10: KeyLoggerEventArgs 0x15b1f:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1999c:$x1: $%SMTPDV$ 0x18380:$x2: $#TheHashHere%& 0x19944:$x3: %FTPDV$ 0x18320:$x4: $%TelegramDv$ 0x15b1f:$x5: KeyLoggerEventArgs 0x15eb4:$x5: KeyLoggerEventArgs 0x19968:$m2: Clipboard Logs ID 0x19ba6:$m2: Screenshot Logs ID 0x19cb6:$m2: keystroke Logs ID 0x19f90:$m3: SnakePW 0x19b7e:$m4: \SnakeKeylogger\
00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf40f9:$a1: get_encryptedPassword 0x114d29:$a1: get_encryptedPassword 0x135749:$a1: get_encryptedPassword 0xf43e5:$a2: get_encryptedUsername 0x115015:$a2: get_encryptedUsername 0x135a35:$a2: get_encryptedUsername 0xf3f05:$a3: get_timePasswordChanged 0x114b35:$a3: get_timePasswordChanged 0x135555:$a3: get_timePasswordChanged 0xf4000:$a4: get_passwordField 0x114c30:$a4: get_passwordField 0x135650:$a4: get_passwordField 0xf410f:$a5: set_encryptedPassword 0x114d3f:$a5: set_encryptedPassword 0x13575f:$a5: set_encryptedPassword 0xf5761:$a7: get_logins 0x116391:$a7: get_logins 0x136db1:$a7: get_logins 0xf56c4:$a10: KeyLoggerEventArgs 0x1162f4:$a10: KeyLoggerEventArgs 0x136d14:$a10: KeyLoggerEventArgs
00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf91ac:$x1: $%SMTPDV$ 0x119ddc:$x1: $%SMTPDV$ 0x13a7fc:$x1: $%SMTPDV$ 0xf7b90:$x2: $#TheHashHere%& 0x1187c0:$x2: $#TheHashHere%& 0x1391e0:$x2: $#TheHashHere%& 0xf9154:$x3: %FTPDV$ 0x119d84:$x3: %FTPDV$ 0x13a7a4:$x3: %FTPDV$ 0xf7b30:$x4: $%TelegramDv$ 0x118760:$x4: $%TelegramDv$ 0x139180:$x4: $%TelegramDv$ 0xf532f:$x5: KeyLoggerEventArgs 0xf56c4:$x5: KeyLoggerEventArgs 0x115f5f:$x5: KeyLoggerEventArgs 0x1162f4:$x5: KeyLoggerEventArgs 0x13697f:$x5: KeyLoggerEventArgs 0x136d14:$x5: KeyLoggerEventArgs 0xf9178:$m2: Clipboard Logs ID 0xf93b6:$m2: Screenshot Logs ID 0xf94c6:$m2: keystroke Logs ID
00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 2992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 2992	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 2992	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x73e3f:$a1: get_encryptedPassword 0x7408a:$a2: get_encryptedUsername 0x73c6e:$a3: get_timePasswordChanged 0x73d50:$a4: get_passwordField 0x73e55:$a5: set_encryptedPassword 0x75d24:$a7: get_logins 0x75ca5:$a10: KeyLoggerEventArgs 0x75a13:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: h1HIe1rt4D.exe PID: 2992	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x75a13:$x5: KeyLoggerEventArgs 0x75ca5:$x5: KeyLoggerEventArgs 0x762cf:$x5: KeyLoggerEventArgs 0x76630:$x5: KeyLoggerEventArgs 0x77d88:$m2: Clipboard Logs ID 0x77e8e:$m2: Screenshot Logs ID 0x77ee4:$m2: keystroke Logs ID 0x78019:$m3: SnakePW 0x77e7a:$m4: \SnakeKeylogger\
Process Memory Space: h1HIe1rt4D.exe PID: 6136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 6136	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: h1HIe1rt4D.exe PID: 6136	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2329a:$a1: get_encryptedPassword 0x2357c:$a2: get_encryptedUsername 0x230b0:$a3: get_timePasswordChanged 0x231ab:$a4: get_passwordField 0x232b0:$a5: set_encryptedPassword 0x25786:$a7: get_logins 0x256e9:$a10: KeyLoggerEventArgs 0x25354:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: h1HIe1rt4D.exe PID: 6136	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25354:$x5: KeyLoggerEventArgs 0x256e9:$x5: KeyLoggerEventArgs 0x25d8f:$x5: KeyLoggerEventArgs 0x260f0:$x5: KeyLoggerEventArgs 0x27917:$m2: Clipboard Logs ID 0x27a1d:$m2: Screenshot Logs ID 0x27a73:$m2: keystroke Logs ID 0x27ba8:$m3: SnakePW 0x27a09:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce9:$a1: get_encryptedPassword 0x12fd5:$a2: get_encryptedUsername 0x12af5:$a3: get_timePasswordChanged 0x12bf0:$a4: get_passwordField 0x12cff:$a5: set_encryptedPassword 0x14351:$a7: get_logins 0x142b4:$a10: KeyLoggerEventArgs 0x13f1f:$a11: KeyLoggerEventArgsEventHandler
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19992:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dc5:$a4: \Orbitum\User Data\Default\Login Data 0x1ae04:$a5: \Kometa\User Data\Default\Login Data
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138b6:$s1: UnHook 0x138bd:$s2: SetHook 0x138c5:$s3: CallNextHook 0x138d2:$s4: _hook
0.2.h1HIe1rt4D.exe.3b89240.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d9c:$x1: $%SMTPDV$ 0x16780:$x2: $#TheHashHere%& 0x17d44:$x3: %FTPDV$ 0x16720:$x4: $%TelegramDv$ 0x13f1f:$x5: KeyLoggerEventArgs 0x142b4:$x5: KeyLoggerEventArgs 0x17d68:$m2: Clipboard Logs ID 0x17fa6:$m2: Screenshot Logs ID 0x180b6:$m2: keystroke Logs ID 0x18390:$m3: SnakePW 0x17f7e:$m4: \SnakeKeylogger\
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce9:$a1: get_encryptedPassword 0x12fd5:$a2: get_encryptedUsername 0x12af5:$a3: get_timePasswordChanged 0x12bf0:$a4: get_passwordField 0x12cff:$a5: set_encryptedPassword 0x14351:$a7: get_logins 0x142b4:$a10: KeyLoggerEventArgs 0x13f1f:$a11: KeyLoggerEventArgsEventHandler
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19992:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dc5:$a4: \Orbitum\User Data\Default\Login Data 0x1ae04:$a5: \Kometa\User Data\Default\Login Data
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138b6:$s1: UnHook 0x138bd:$s2: SetHook 0x138c5:$s3: CallNextHook 0x138d2:$s4: _hook
0.2.h1HIe1rt4D.exe.3b68610.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d9c:$x1: $%SMTPDV$ 0x16780:$x2: $#TheHashHere%& 0x17d44:$x3: %FTPDV$ 0x16720:$x4: $%TelegramDv$ 0x13f1f:$x5: KeyLoggerEventArgs 0x142b4:$x5: KeyLoggerEventArgs 0x17d68:$m2: Clipboard Logs ID 0x17fa6:$m2: Screenshot Logs ID 0x180b6:$m2: keystroke Logs ID 0x18390:$m3: SnakePW 0x17f7e:$m4: \SnakeKeylogger\
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.h1HIe1rt4D.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x15d1f:$a11: KeyLoggerEventArgsEventHandler
2.2.h1HIe1rt4D.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data
2.2.h1HIe1rt4D.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x156bd:$s2: SetHook 0x156c5:$s3: CallNextHook 0x156d2:$s4: _hook
2.2.h1HIe1rt4D.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID 0x1a190:$m3: SnakePW 0x19d7e:$m4: \SnakeKeylogger\
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x35509:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x357f5:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x35315:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x35410:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x3551f:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x36b71:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x36ad4:$a10: KeyLoggerEventArgs 0x15d1f:$a11: KeyLoggerEventArgsEventHandler 0x3673f:$a11: KeyLoggerEventArgsEventHandler
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1b2:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x3c5e5:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data 0x3d624:$a5: \Kometa\User Data\Default\Login Data
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x360d6:$s1: UnHook 0x156bd:$s2: SetHook 0x360dd:$s2: SetHook 0x156c5:$s3: CallNextHook 0x360e5:$s3: CallNextHook 0x156d2:$s4: _hook 0x360f2:$s4: _hook
0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x3a5bc:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x38fa0:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x3a564:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x38f40:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x3673f:$x5: KeyLoggerEventArgs 0x36ad4:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID 0x3a588:$m2: Clipboard Logs ID 0x3a7c6:$m2: Screenshot Logs ID 0x3a8d6:$m2: keystroke Logs ID 0x1a190:$m3: SnakePW 0x3abb0:$m3: SnakePW 0x19d7e:$m4: \SnakeKeylogger\
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x35719:$a1: get_encryptedPassword 0x56139:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x35a05:$a2: get_encryptedUsername 0x56425:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x35525:$a3: get_timePasswordChanged 0x55f45:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x35620:$a4: get_passwordField 0x56040:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x3572f:$a5: set_encryptedPassword 0x5614f:$a5: set_encryptedPassword 0x16151:$a7: get_logins 0x36d81:$a7: get_logins 0x577a1:$a7: get_logins 0x160b4:$a10: KeyLoggerEventArgs 0x36ce4:$a10: KeyLoggerEventArgs 0x57704:$a10: KeyLoggerEventArgs
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d190:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dbb0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b792:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c3c2:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cde2:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbc5:$a4: \Orbitum\User Data\Default\Login Data 0x3c7f5:$a4: \Orbitum\User Data\Default\Login Data 0x5d215:$a4: \Orbitum\User Data\Default\Login Data 0x1cc04:$a5: \Kometa\User Data\Default\Login Data 0x3d834:$a5: \Kometa\User Data\Default\Login Data 0x5e254:$a5: \Kometa\User Data\Default\Login Data
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156b6:$s1: UnHook 0x362e6:$s1: UnHook 0x56d06:$s1: UnHook 0x156bd:$s2: SetHook 0x362ed:$s2: SetHook 0x56d0d:$s2: SetHook 0x156c5:$s3: CallNextHook 0x362f5:$s3: CallNextHook 0x56d15:$s3: CallNextHook 0x156d2:$s4: _hook 0x36302:$s4: _hook 0x56d22:$s4: _hook
0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b9c:$x1: $%SMTPDV$ 0x3a7cc:$x1: $%SMTPDV$ 0x5b1ec:$x1: $%SMTPDV$ 0x18580:$x2: $#TheHashHere%& 0x391b0:$x2: $#TheHashHere%& 0x59bd0:$x2: $#TheHashHere%& 0x19b44:$x3: %FTPDV$ 0x3a774:$x3: %FTPDV$ 0x5b194:$x3: %FTPDV$ 0x18520:$x4: $%TelegramDv$ 0x39150:$x4: $%TelegramDv$ 0x59b70:$x4: $%TelegramDv$ 0x15d1f:$x5: KeyLoggerEventArgs 0x160b4:$x5: KeyLoggerEventArgs 0x3694f:$x5: KeyLoggerEventArgs 0x36ce4:$x5: KeyLoggerEventArgs 0x5736f:$x5: KeyLoggerEventArgs 0x57704:$x5: KeyLoggerEventArgs 0x19b68:$m2: Clipboard Logs ID 0x19da6:$m2: Screenshot Logs ID 0x19eb6:$m2: keystroke Logs ID
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5189:$a1: get_encryptedPassword 0xc5db9:$a1: get_encryptedPassword 0xe67d9:$a1: get_encryptedPassword 0xa5475:$a2: get_encryptedUsername 0xc60a5:$a2: get_encryptedUsername 0xe6ac5:$a2: get_encryptedUsername 0xa4f95:$a3: get_timePasswordChanged 0xc5bc5:$a3: get_timePasswordChanged 0xe65e5:$a3: get_timePasswordChanged 0xa5090:$a4: get_passwordField 0xc5cc0:$a4: get_passwordField 0xe66e0:$a4: get_passwordField 0xa519f:$a5: set_encryptedPassword 0xc5dcf:$a5: set_encryptedPassword 0xe67ef:$a5: set_encryptedPassword 0xa67f1:$a7: get_logins 0xc7421:$a7: get_logins 0xe7e41:$a7: get_logins 0xa6754:$a10: KeyLoggerEventArgs 0xc7384:$a10: KeyLoggerEventArgs 0xe7da4:$a10: KeyLoggerEventArgs
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5d56:$s1: UnHook 0xc6986:$s1: UnHook 0xe73a6:$s1: UnHook 0xa5d5d:$s2: SetHook 0xc698d:$s2: SetHook 0xe73ad:$s2: SetHook 0xa5d65:$s3: CallNextHook 0xc6995:$s3: CallNextHook 0xe73b5:$s3: CallNextHook 0xa5d72:$s4: _hook 0xc69a2:$s4: _hook 0xe73c2:$s4: _hook
0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaa23c:$x1: $%SMTPDV$ 0xcae6c:$x1: $%SMTPDV$ 0xeb88c:$x1: $%SMTPDV$ 0xa8c20:$x2: $#TheHashHere%& 0xc9850:$x2: $#TheHashHere%& 0xea270:$x2: $#TheHashHere%& 0xaa1e4:$x3: %FTPDV$ 0xcae14:$x3: %FTPDV$ 0xeb834:$x3: %FTPDV$ 0xa8bc0:$x4: $%TelegramDv$ 0xc97f0:$x4: $%TelegramDv$ 0xea210:$x4: $%TelegramDv$ 0xa63bf:$x5: KeyLoggerEventArgs 0xa6754:$x5: KeyLoggerEventArgs 0xc6fef:$x5: KeyLoggerEventArgs 0xc7384:$x5: KeyLoggerEventArgs 0xe7a0f:$x5: KeyLoggerEventArgs 0xe7da4:$x5: KeyLoggerEventArgs 0xaa208:$m2: Clipboard Logs ID 0xaa446:$m2: Screenshot Logs ID 0xaa556:$m2: keystroke Logs ID
Click to see the 34 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:20:52.136683+0100	2803305	3	Unknown Traffic	192.168.2.6	49715	104.21.96.1	443	TCP
2025-01-11T01:20:52.863785+0100	2803305	3	Unknown Traffic	192.168.2.6	49717	104.21.96.1	443	TCP
2025-01-11T01:20:53.586849+0100	2803305	3	Unknown Traffic	192.168.2.6	49724	104.21.96.1	443	TCP
2025-01-11T01:20:55.535107+0100	2803305	3	Unknown Traffic	192.168.2.6	49736	104.21.96.1	443	TCP
2025-01-11T01:20:56.357402+0100	2803305	3	Unknown Traffic	192.168.2.6	49742	104.21.96.1	443	TCP
2025-01-11T01:20:58.116478+0100	2803305	3	Unknown Traffic	192.168.2.6	49754	104.21.96.1	443	TCP
2025-01-11T01:20:59.028334+0100	2803305	3	Unknown Traffic	192.168.2.6	49761	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:20:50.531041+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:51.531039+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:52.296651+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:53.015530+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:54.874775+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:55.812276+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:57.515395+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:58.437429+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY/sendMessage?chat_id=2135869667", "Token": "7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY", "Chat_id": "2135869667", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: h1HIe1rt4D.exe	ReversingLabs: Detection: 68%
Source: h1HIe1rt4D.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: h1HIe1rt4D.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: h1HIe1rt4D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: h1HIe1rt4D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: h1HIe1rt4D.exe, 00000000.00000002.3992396437.00000000054B0000.00000004.08000000.00040000.00000000.sdmp, h1HIe1rt4D.exe, 00000000.00000002.3988273829.0000000002A81000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49724 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49754 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49717 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49761 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: h1HIe1rt4D.exe, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: h1HIe1rt4D.exe, 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: h1HIe1rt4D.exe	String found in binary or memory: http://schemas.m
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: h1HIe1rt4D.exe	String found in binary or memory: https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: h1HIe1rt4D.exe, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9B054 NtUnmapViewOfSection,		0_2_04F9B054
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9CE10 NtUnmapViewOfSection,		0_2_04F9CE10

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F964B8	0_2_04F964B8
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9A930	0_2_04F9A930
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9BF40	0_2_04F9BF40
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F90040	0_2_04F90040
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9001E	0_2_04F9001E
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F957D8	0_2_04F957D8
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9BF30	0_2_04F9BF30
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_08C29780	0_2_08C29780
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00406BDA	2_2_00406BDA
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B86108	2_2_00B86108
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8B328	2_2_00B8B328
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8C470	2_2_00B8C470
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B86730	2_2_00B86730
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8C752	2_2_00B8C752
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B89858	2_2_00B89858
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B84AD9	2_2_00B84AD9
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8CA32	2_2_00B8CA32
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8BBD2	2_2_00B8BBD2
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8BEB2	2_2_00B8BEB2
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B8B4F3	2_2_00B8B4F3
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00B83572	2_2_00B83572
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 2_2_00403ABC	2_2_00403ABC

Source: h1HIe1rt4D.exe, 00000000.00000002.3991610726.0000000005330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000000.2129304200.00000000006EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInochia.exe0 vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3992396437.00000000054B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3987313882.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3988273829.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000000.00000002.3988273829.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe	Binary or memory string: OriginalFilename vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe, 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs h1HIe1rt4D.exe
Source: h1HIe1rt4D.exe	Binary or memory string: OriginalFilenameInochia.exe0 vs h1HIe1rt4D.exe

Source: h1HIe1rt4D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal96.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1HIe1rt4D.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1912:120:WilError_03
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Mutant created: NULL

Source: h1HIe1rt4D.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: h1HIe1rt4D.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h1HIe1rt4D.exe	ReversingLabs: Detection: 68%
Source: h1HIe1rt4D.exe	Virustotal: Detection: 56%

Source: h1HIe1rt4D.exe

String found in binary or memory: F-Stopw

Source: unknown	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: h1HIe1rt4D.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: h1HIe1rt4D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: h1HIe1rt4D.exe

Static PE information: 0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_04F9B4E8 pushfd ; iretd		0_2_04F9B4F1
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Code function: 0_2_08C2ABA9 push 54054CD4h; retf		0_2_08C2ABB5

Source: h1HIe1rt4D.exe

Static PE information: section name: .text entropy: 7.347443352053939

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"			Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Memory allocated: 2430000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 3872	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe TID: 6304	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: h1HIe1rt4D.exe	Binary or memory string: ResumeVirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: iqEMUhZ
Source: h1HIe1rt4D.exe	Binary or memory string: InitializeVirtualMachine
Source: h1HIe1rt4D.exe, 00000002.00000002.3987364225.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: h1HIe1rt4D.exe	Binary or memory string: get_VirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: get_MonoVirtualMachine
Source: h1HIe1rt4D.exe	Binary or memory string: VirtualMachineManager

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Memory written: C:\Users\user\Desktop\h1HIe1rt4D.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Users\user\Desktop\h1HIe1rt4D.exe "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Users\user\Desktop\h1HIe1rt4D.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Users\user\Desktop\h1HIe1rt4D.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1HIe1rt4D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\h1HIe1rt4D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR

Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.h1HIe1rt4D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b89240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3b68610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h1HIe1rt4D.exe.3ad7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 2992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: h1HIe1rt4D.exe PID: 6136, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h1HIe1rt4D.exe	68%	ReversingLabs	Win32.Spyware.Snakekeylogger
h1HIe1rt4D.exe	57%	Virustotal		Browse
h1HIe1rt4D.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games	h1HIe1rt4D.exe	false	high
http://checkip.dyndns.org	h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002783000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.m	h1HIe1rt4D.exe	false	high
http://checkip.dyndns.com	h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	h1HIe1rt4D.exe, 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002844000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002838000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000282D000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000284F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.0000000002822000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	h1HIe1rt4D.exe, 00000002.00000002.3988203305.00000000027AA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	h1HIe1rt4D.exe, h1HIe1rt4D.exe, 00000002.00000002.3988203305.000000000278F000.00000004.00000800.00020000.00000000.sdmp, h1HIe1rt4D.exe, 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588354
Start date and time:	2025-01-11 01:19:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h1HIe1rt4D.exe renamed because original name is a hash value
Original Sample Name:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target h1HIe1rt4D.exe, PID 6136 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
193.122.130.0	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
checkip.dyndns.com	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ukBQ4ch2nE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
ORACLE-BMC-31898US	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\h1HIe1rt4D.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3367983816294675
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	h1HIe1rt4D.exe
File size:	553'472 bytes
MD5:	aca1506ec2fc90d9bd56cbbe91bd6386
SHA1:	d2b443e927e57d8481fd6ddc5c7722d423815a9b
SHA256:	da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b
SHA512:	4e7af171c7ca0eb32616e53e63e59d41bda62e52ea801c8e005e8cc8d9f08cbb5aa59ea5203688efaf53a0e1d2c91a64a6cba225481f6a36ba08d4f96454f956
SSDEEP:	12288:YiU+RfWk1Sm5bp+4yZXfcKa6Io24RPlA24:Yi3fWxIbc4yZ0xoDf
TLSH:	AEC4CF2933E8E317D6AF0B7AF43411005776BE93F196EB0D5C84A9EF0D53B9199122A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..h............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4887de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88790	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x867e4	0x86800	df2d295129eb6017176828fb23590027	False	0.601626031017658	data	7.347443352053939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x596	0x600	bb337337fd525b603631f27b8432eb2e	False	0.41015625	data	4.03984594780929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	ea0438b2ffa5d5203b31ad259aa8633b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0x8a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:20:50.531041+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:51.531039+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:52.136683+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49715	104.21.96.1	443	TCP
2025-01-11T01:20:52.296651+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:52.863785+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49717	104.21.96.1	443	TCP
2025-01-11T01:20:53.015530+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:53.586849+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49724	104.21.96.1	443	TCP
2025-01-11T01:20:54.874775+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:55.535107+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49736	104.21.96.1	443	TCP
2025-01-11T01:20:55.812276+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:56.357402+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49742	104.21.96.1	443	TCP
2025-01-11T01:20:57.515395+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:58.116478+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49754	104.21.96.1	443	TCP
2025-01-11T01:20:58.437429+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	193.122.130.0	80	TCP
2025-01-11T01:20:59.028334+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49761	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:20:47.837996006 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:47.842981100 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:47.843046904 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:47.856111050 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:47.861047029 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:49.375610113 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:49.379993916 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:49.384907007 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:50.483727932 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:50.531040907 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:50.535219908 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:50.535278082 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:50.535346031 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:50.541598082 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:50.541615963 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.175014973 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.175085068 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.178881884 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.178893089 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.179167032 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.232327938 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.275335073 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.353486061 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.353566885 CET	443	49714	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.353713036 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.360564947 CET	49714	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.364139080 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:51.369478941 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:51.486066103 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:51.488291979 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.488337994 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.488399029 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.488651037 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.488663912 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.531039000 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:51.974980116 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:51.977329969 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:51.977372885 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.136688948 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.137053967 CET	443	49715	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.137130976 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.137392044 CET	49715	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.139764071 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:52.144596100 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:52.242902040 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:52.243630886 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.243683100 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.243758917 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.244163990 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.244175911 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.296650887 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:52.726917028 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.728549004 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.728579044 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.863810062 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.863893986 CET	443	49717	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.863990068 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.864532948 CET	49717	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.867229939 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:52.872076988 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:52.974072933 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:52.974997044 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.975040913 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:52.975128889 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.975430012 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:52.975444078 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:53.015530109 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:53.430744886 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:53.480844021 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:53.480885029 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:53.586869001 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:53.586961031 CET	443	49724	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:53.587022066 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:53.592891932 CET	49724	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:53.725898027 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:53.730698109 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:54.827960014 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:54.828794956 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:54.828855991 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:54.828943968 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:54.829231024 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:54.829245090 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:54.874774933 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:55.340523958 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.342231035 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.342259884 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.535135984 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.535203934 CET	443	49736	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.535259962 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.535712004 CET	49736	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.538259983 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:55.668843031 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:55.766901016 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:55.767523050 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.767577887 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.767653942 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.767891884 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:55.767905951 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:55.812275887 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:56.224226952 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:56.225824118 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:56.225856066 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:56.357425928 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:56.357500076 CET	443	49742	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:56.357549906 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:56.357950926 CET	49742	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:56.360944033 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:56.365824938 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:57.464505911 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:57.465270042 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:57.465329885 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:57.465401888 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:57.465662003 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:57.465677023 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:57.515394926 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:57.968453884 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:57.973304987 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:57.973354101 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.116503000 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.116599083 CET	443	49754	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.116741896 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.117189884 CET	49754	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.119853973 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:58.124999046 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:58.382019043 CET	80	49709	193.122.130.0	192.168.2.6
Jan 11, 2025 01:20:58.382762909 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.382817984 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.382882118 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.383357048 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.383368969 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.437428951 CET	49709	80	192.168.2.6	193.122.130.0
Jan 11, 2025 01:20:58.850301027 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:58.851928949 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:58.852010012 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:59.028491974 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:59.028665066 CET	443	49761	104.21.96.1	192.168.2.6
Jan 11, 2025 01:20:59.028767109 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:59.029197931 CET	49761	443	192.168.2.6	104.21.96.1
Jan 11, 2025 01:20:59.151654959 CET	49709	80	192.168.2.6	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:20:47.523252010 CET	58842	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:20:47.612482071 CET	53	58842	1.1.1.1	192.168.2.6
Jan 11, 2025 01:20:50.525892973 CET	51100	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:20:50.534387112 CET	53	51100	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:20:47.523252010 CET	192.168.2.6	1.1.1.1	0xbde4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.525892973 CET	192.168.2.6	1.1.1.1	0x93b1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:47.612482071 CET	1.1.1.1	192.168.2.6	0xbde4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:20:50.534387112 CET	1.1.1.1	192.168.2.6	0x93b1	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	193.122.130.0	80	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:20:47.856111050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:20:49.375610113 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c89f53060265ad9f611b08623fc38e3f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:49.379993916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:50.483727932 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b17fa625ae19cd3f1318420d17ac62d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:51.364139080 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:51.486066103 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ea25dfb075ba6bd7e78786b183f6fac3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:52.139764071 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:52.242902040 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 21eb928f1b3e10601035791928c55389 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:52.867229939 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:52.974072933 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9d231f332751ded0225b0423f10d386a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:53.725898027 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:54.827960014 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 629d99d709e6ccfb3545f3cbcd3e9f61 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:55.538259983 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:55.766901016 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d02344d9736fe43ae34876a7c0cffd36 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:56.360944033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:57.464505911 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7072c68800fcb111a1fab1cf61809c5d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:20:58.119853973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:20:58.382019043 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ca02b212f65b359953184e94697802c7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:20:51 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869640 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ana2qCVTiEw03EHfv1Hg8VKHV5ATnGCAXLEMXpGBs0jkJUr%2F1VrJMcb%2BgUp%2FPIkkVg4u2V1%2Ba9zM1CCFiX6IaR1cCJN0ECCBOcLx3YJmmOiqG2T7gJCzACaT1zx%2BxIwU0epaxIs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be4c886e42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40452&min_rtt=34167&rtt_var=17302&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=85462&cwnd=212&unsent_bytes=0&cid=076598cb5fafb06a&ts=219&x=0"
2025-01-11 00:20:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:51 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:52 UTC	858	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869641 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5kbhGYk4cVMfZ17x%2Bdu4onNw0wk75eStV%2BgYdffACuuXzB0gux0X61K%2BKcASQghuPSr1UfJY37xquCkg6u4g4PvehXf9Ff4wxZkme8kexp8EOwCyF27c0DsCqOW7ebIsY%2Fcz5Q0y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be516b124363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4889&min_rtt=1557&rtt_var=2717&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1875401&cwnd=240&unsent_bytes=0&cid=62f2f8a0836c7010&ts=166&x=0"
2025-01-11 00:20:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49717	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:52 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:52 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869641 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AN2nkdUq0WhJGr2ZCTvMHmj0ZrxmzOudQZPGvov0%2FMDkofeWr6XmuvZyhH8HMllc8LwePiJ19EKvqIwf5icpcVojj1jY5V6zhwaDT0hg2bueAdKVF%2BfimVcHerl75CyHyyM1LP8E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be560ff0de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1672&rtt_var=757&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1746411&cwnd=209&unsent_bytes=0&cid=1563438f6149f9c2&ts=140&x=0"
2025-01-11 00:20:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49724	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:53 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:53 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869642 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4yFSDABh6E42RrF8abGWyFmLP9DbgB7XB0lqHVxajAXlq9Qk9mI4IeUBkdvAH%2BK6beG0fB%2B4PcKtJcN99etmMVQINzjdP7cfNl3jUL%2FJtPI0xhud66S2ol3zcBvM0Y%2F1BHQ7Df8f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be5a996942c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1789&rtt_var=686&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1576673&cwnd=212&unsent_bytes=0&cid=81386513d09ae1db&ts=160&x=0"
2025-01-11 00:20:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49736	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:55 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869644 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=miFK0AoWt0Ojbm4UK9P1Ez3pvmsnFgadNjwgN4WMNppelfYO0eLDHyiVg%2Fh%2FR0Su3KUscjSCG8KD4QkE1H4afpzN%2B6xX%2F%2FMDsyurwuH%2Fme2SBgFrXKdR96YFLbvDGKHv81KlDFou"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be668b0872a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1958&rtt_var=749&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1446977&cwnd=212&unsent_bytes=0&cid=d58a25bf696e8d34&ts=172&x=0"
2025-01-11 00:20:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49742	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:56 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:56 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869645 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fofmz2FDEeJHzf4MlEwBZ%2FC7c7rsAaGKAPlfJPmkYTSUIm8MPemV%2FkCH0cd0pAj9MUIqljAgbgIdB5ANEI6Z4VX2rOSVdjNRwEBYMJH%2F1AUBMI2O7NEdivOgRFbslSyZXuFAg6Fk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be6be8dbde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1664&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1632196&cwnd=209&unsent_bytes=0&cid=6046e02fe9522416&ts=138&x=0"
2025-01-11 00:20:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49754	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:58 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869647 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PjHtJ57GSKlPCbM3mrqvi8hpdkunYiJAwHluoccaOUSJGIgTRLjWFEhWRmVghxZU17cynKSgvvgrH8PnB32gEWjVEG7YRlpu%2BCRTpKO%2Fl%2F6H9NkyXDnUJGdDX8q3wKcBgpOt8pbh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be76db9a1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1944&rtt_var=737&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1476985&cwnd=157&unsent_bytes=0&cid=7a9755b9fc876767&ts=152&x=0"
2025-01-11 00:20:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49761	104.21.96.1	443	6136	C:\Users\user\Desktop\h1HIe1rt4D.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:20:58 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 00:20:59 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:20:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869648 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rWHUXu9WjaAxCWpu9drLkRwZ0QERWbvaWV7czlCMsVx3dn2Gk5qR5QNe2Wc2hlL2ghgUI7VxYU9D8PE5s%2BoPpOXgftbSBQYRN%2FZPnXn7DVhZnwmBxDUfKQeuPyvRykqJHRzd%2BxLh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000be7c6d37c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1543&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1810291&cwnd=178&unsent_bytes=0&cid=ba0cb539ae3b9e4f&ts=168&x=0"
2025-01-11 00:20:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	19:20:45
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\h1HIe1rt4D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0x660000
File size:	553'472 bytes
MD5 hash:	ACA1506EC2FC90D9BD56CBBE91BD6386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3990117637.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	19:20:46
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\h1HIe1rt4D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0x400000
File size:	553'472 bytes
MD5 hash:	ACA1506EC2FC90D9BD56CBBE91BD6386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3988203305.000000000285A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3986621116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3988203305.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:20:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\h1HIe1rt4D.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:20:58
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:20:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x700000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.4%
Total number of Nodes:	143
Total number of Limit Nodes:	6

Executed Functions

Function 04F9BF40 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 04F9C6F0

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: CreateProcess
String ID: (
API String ID: 963392458-3887548279
Opcode ID: 5b8383034293730ee1b0aa8febb2b64da8345bfda201cfaa9335d3ad448f6769
Instruction ID: 468a5c492ebb8f1c5a1eed74365d1d745b95e453aa2dbd3699b8c2f43de8fc05
Opcode Fuzzy Hash: 5b8383034293730ee1b0aa8febb2b64da8345bfda201cfaa9335d3ad448f6769
Instruction Fuzzy Hash: 7032B070E012698FEB68DF65C984BDDB7F2BF89300F1081EA9409A7295DB746E85CF40

Function 04F9CE10 Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 04F9CE6E

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 504475b2df91a520052fa7958d73d2ddf2b8c4f86fc37c6b5dd5bedd14883365
Instruction ID: 1ec27c0de79d2c15badcc1e3fe9a28251ed40b0d96a6d390f3aea89846f39f7c
Opcode Fuzzy Hash: 504475b2df91a520052fa7958d73d2ddf2b8c4f86fc37c6b5dd5bedd14883365
Instruction Fuzzy Hash: 54111EB18003498FEB20DF9AD449BDEFBF8FB48324F20841AD419A7200C378A944CFA5

Function 04F9B054 Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 04F9CE6E

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 9ee06227c5307e17b71e49047b949034f40490405bc43bb8083b8dae564f8473
Instruction ID: b2ce4d42c4edb3efea1d00515fefeb19f25509aeb247abb4f01c631d8868b679
Opcode Fuzzy Hash: 9ee06227c5307e17b71e49047b949034f40490405bc43bb8083b8dae564f8473
Instruction Fuzzy Hash: DA1123B18003498FDB20DF9AD444BDEBFF8EB48324F20845AD519B3200C378A944CFA5

Function 08C29780 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a3f049bd5dde05036f305baf605913ea1f0b9be5fbd17736497e850e8bb8c8a1
Instruction ID: 625312c60f259e90919340daf1d1635198425f6ccdf2b0b113afb5773e11ba42
Opcode Fuzzy Hash: a3f049bd5dde05036f305baf605913ea1f0b9be5fbd17736497e850e8bb8c8a1
Instruction Fuzzy Hash: 44F13D70A00319CFDB14DFA9C948B9DBBF1FF88315F158169D409AB3A5DB70A94ACB40

Function 04F9BF30 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 25cfda7bdd9e8968f37c7e668d997ac8c2b6a165b86612feecb307b2c5a8b9d4
Instruction ID: c3ae84712c585b05963740d53d44d1571bbbc77674bf3a718f8f79bae27759f6
Opcode Fuzzy Hash: 25cfda7bdd9e8968f37c7e668d997ac8c2b6a165b86612feecb307b2c5a8b9d4
Instruction Fuzzy Hash: E602D471E012698FEB68DF65C840BDDB7F2BF89300F1081EA9509AB295DB746E85CF40

Function 04F9A930 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdea24584b0fd761c0fe9e714435234b43e9612d97960a81e8ac367c53acdb2
Instruction ID: 0739e0ffa183309d755e5e8003df3acebe1a634afe51b799ea4a819f15f4f600
Opcode Fuzzy Hash: dfdea24584b0fd761c0fe9e714435234b43e9612d97960a81e8ac367c53acdb2
Instruction Fuzzy Hash: 36818E35F052599BEF08AF79985477E7BA3AFC8710B14852EE406E7288DF34AC029791

Function 04F964B8 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ace2f59cf964bd429bbd5a9f07e4514ff4fb3b1a516c22c0fc4f15bfb90e14
Instruction ID: 9ef4c8d134068edbe69840b7e7cbf7b7868517c5a4ba08b4334d086821ecc702
Opcode Fuzzy Hash: 05ace2f59cf964bd429bbd5a9f07e4514ff4fb3b1a516c22c0fc4f15bfb90e14
Instruction Fuzzy Hash: CEB1A074E012598FEB14DFA9D594A9DFBF2FF48300F1481AAE448AB355DB34A981CF50

Function 04F9B024 Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 04F9CBAC

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 333c5b43e6639464d78ab6a79d3266ce76ab0971b24c8cb70544e7e3f88e4ff1
Instruction ID: c2732aeb5028c7e3cbfc37233783728155e749ea60085bc56e265bf4e67417df
Opcode Fuzzy Hash: 333c5b43e6639464d78ab6a79d3266ce76ab0971b24c8cb70544e7e3f88e4ff1
Instruction Fuzzy Hash: CD51F271901369DFEF24CFA9C944BDEBBB6BF49300F10809AE908A7240D775AA85CF51

Function 04F9CA66 Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 04F9CBAC

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 763a0386d3ca5571ec3293d4d97b263e1eac4828fb17a15af140b58aeb507ffb
Instruction ID: 78cca6458fc10dbfcfbe79d570bc1a5c15710918ef52ba9fa639442a55da8887
Opcode Fuzzy Hash: 763a0386d3ca5571ec3293d4d97b263e1eac4828fb17a15af140b58aeb507ffb
Instruction Fuzzy Hash: DF51D1719013699FEF25CF99C944BDDBBB2AF48300F14809AE508A7250D775AA85CF51

Function 04F9AFC8 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04F9CD0B

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 923285144e2b06759eebb5b47baf8f109c60168cd337c8393a937d499d14a465
Instruction ID: e0c1b85cfc3a64cf579b28e40730fa019af58c896dc45425616b8c8a33e695c3
Opcode Fuzzy Hash: 923285144e2b06759eebb5b47baf8f109c60168cd337c8393a937d499d14a465
Instruction Fuzzy Hash: C831C3728087948FEB11DF6EC8557CABFF0EF46320F08809AC094A7242D6789849CFA5

Function 04F94050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F94111

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: cee96416766dfb332f0390d4104c0bc26f3cdb33b4d0f022aa19a0e3aac077aa
Instruction ID: 8f303a4f680796fdf44d41a62e5c41661db9c6232a473875e903b1539cff3f8b
Opcode Fuzzy Hash: cee96416766dfb332f0390d4104c0bc26f3cdb33b4d0f022aa19a0e3aac077aa
Instruction Fuzzy Hash: 84414CB5900309DFDB14CF99C848AAABBF5FF98314F24C458D519AB321D775A842CFA0

Function 04F9BC18 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04F9BCB0

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ef8980665c17fe89bf425aec3d703be3eed02fd08af84de76ebffc8d5eb95c68
Instruction ID: 5c47f31695ee18fb35a77f733468efb83a621881bf8c4d736c749e804cf2eb94
Opcode Fuzzy Hash: ef8980665c17fe89bf425aec3d703be3eed02fd08af84de76ebffc8d5eb95c68
Instruction Fuzzy Hash: 602148719003199FEF10CFA9D885BDEBBF5FF48310F108429E519A7240C778A951CBA4

Function 04F9BC20 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04F9BCB0

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c2803b918911fc45ec246ffb7329aabbbe179b365ba96f5a3ba6324bf108aa74
Instruction ID: 27b8d43e61ee8c04af9879f5092a20e1548dc0f7c6872619d43894532fd8b7f5
Opcode Fuzzy Hash: c2803b918911fc45ec246ffb7329aabbbe179b365ba96f5a3ba6324bf108aa74
Instruction Fuzzy Hash: 082126719003599FDF10DFA9D885BDEBBF5FF48310F108429E919A7240CB78A950CBA5

Function 04F9BB42 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F9BBC6

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d45ad04f41fe87014e0fa6e9d6ba4c57e27c10d5e8d8bc027bfecc732e6f6854
Instruction ID: 9492886a77d76f8bfd6c03d6ef6666c64ae02d127454bb48f47b29a71f6051b9
Opcode Fuzzy Hash: d45ad04f41fe87014e0fa6e9d6ba4c57e27c10d5e8d8bc027bfecc732e6f6854
Instruction Fuzzy Hash: 7C213771D003098FEB10DFAAC4857EEBBF4BF88320F14842AD519A7240CB78A945CBA5

Function 04F9BB48 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F9BBC6

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 56f354e2d19ab873beb23acbd2884b4190a8cbf64d23734196652f0d15aaba91
Instruction ID: 23bd291e6e447ffd644a7f942fd30d9e422e9901a88dcc712693c07135350a1f
Opcode Fuzzy Hash: 56f354e2d19ab873beb23acbd2884b4190a8cbf64d23734196652f0d15aaba91
Instruction Fuzzy Hash: 0D211871D003098FEB10DFAAD4857EEBBF4BF88324F148429D559A7240DB78A945CFA5

Function 04F9CD50 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 04F9CDC9

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 403687a27280e7e5ece60f63f5da2e41a8f51bce48bdf6257b70c7c9699eafdb
Instruction ID: c7780a9090b9209bc28d112e8c22955052f3b3ad23db3f3ba9cec1476710d042
Opcode Fuzzy Hash: 403687a27280e7e5ece60f63f5da2e41a8f51bce48bdf6257b70c7c9699eafdb
Instruction Fuzzy Hash: F121E5B58003499FDB10CF9AD884BDEFBF4FB48320F14841AE518A7640D378A945CF65

Function 04F9B048 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 04F9CDC9

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 67bd24a11bf125ebd6325c64d741744004f14dc0192717675ab33e844cec4cf7
Instruction ID: 398db84c01c1127c23a628cc3c40bfd55695c535d3e9b3862fc9a1bb7273ad1d
Opcode Fuzzy Hash: 67bd24a11bf125ebd6325c64d741744004f14dc0192717675ab33e844cec4cf7
Instruction Fuzzy Hash: 9C21E4B58003499FDB10CF9AD884ADEBBF4FB48310F14842AE918A3250D378A944DBA5

Function 04F9CC98 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04F9CD0B

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 485bd173cf63d623ec10249e89ead25cf5eea4cca0db1c35b960f83aa95b324b
Instruction ID: 13230215718b8360c11c5477fceaa0bbe3dd4a27198a822e01ed0870b84eeb73
Opcode Fuzzy Hash: 485bd173cf63d623ec10249e89ead25cf5eea4cca0db1c35b960f83aa95b324b
Instruction Fuzzy Hash: 6C1126B2D002498FDB10CF9AD845BDEBBF4FB88320F14842AD418A3600D778A945CFA5

Function 04F9B030 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04F9CD0B

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 197b6843898d02efc41893f9c3a10d252c7a7f4e46af38000f6d52882bc65630
Instruction ID: 24b50a517b98d59890bc215914fa7cbd8625ca66ee22e7fece466ef3f924dc5b
Opcode Fuzzy Hash: 197b6843898d02efc41893f9c3a10d252c7a7f4e46af38000f6d52882bc65630
Instruction Fuzzy Hash: A61114B2D002498FEB10CF9AD844BDEBBF4EB88320F54842AD458A3200D778A945CFA5

Function 04F9BD08 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04F9BD7E

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d9bb3c11314baacf20ddea29929cb05fefccf9f17352f67b109f736b9e825ce
Instruction ID: 3538cee3cd6b3097667cecd4440104ef180f0fc42c888cc61bc7e8c36a4ad950
Opcode Fuzzy Hash: 1d9bb3c11314baacf20ddea29929cb05fefccf9f17352f67b109f736b9e825ce
Instruction Fuzzy Hash: 261136728002499BDF10DFAAD845BDEBBF5EB88320F14881AE519A7250C779A910CBA1

Function 04F9BD10 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04F9BD7E

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9119d9a59e9159964694e2cee2949eecf73b5a814a0273a2a78493d17b5631cb
Instruction ID: e69058b226a9fc0c10f6f173dd93c814c179e1dcf4e277f1b8c4a09d4f34bdba
Opcode Fuzzy Hash: 9119d9a59e9159964694e2cee2949eecf73b5a814a0273a2a78493d17b5631cb
Instruction Fuzzy Hash: EE1147718003499FDF10DFAAD844BDEBBF5AF88320F148419E519A7250C775A910CBA1

Function 04F9BDC8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04F9BE32

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dc7ef5bb587b4d5d228408d40844679241110c7a0db6840dfba39c563b39a16d
Instruction ID: 5595b6fd9446375a0c1bce0fd570b6e8643274a37b227de39e7784b1c27fe812
Opcode Fuzzy Hash: dc7ef5bb587b4d5d228408d40844679241110c7a0db6840dfba39c563b39a16d
Instruction Fuzzy Hash: CE1149719003498FEF10DFAAD4457DFBBF5EB88220F148419D519A7240CB79A901CB95

Function 08C20580 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08C205E5

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 28c64c754a2084604c16081e4069df684af6436fbc0cfcb6339e96916eeb13b7
Instruction ID: 531447a35a9216eab970bf56ae7dd5b9f976626453e5bf51a8c8465ba65f5472
Opcode Fuzzy Hash: 28c64c754a2084604c16081e4069df684af6436fbc0cfcb6339e96916eeb13b7
Instruction Fuzzy Hash: 9F1125B2800749DFDB10CF9AC985BEEBBF8FB48720F10841AE554A3240D378A944CFA5

Function 04F9BDD0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04F9BE32

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 369d8758f196263e2aa419696b8bc42f81f0197b7c05206dcafe9e26b6d188bf
Instruction ID: 69d33b25c43ca8039c09af9a8592b9786d0d7176a1db0f6622095e32e83adeec
Opcode Fuzzy Hash: 369d8758f196263e2aa419696b8bc42f81f0197b7c05206dcafe9e26b6d188bf
Instruction Fuzzy Hash: FF1158719003498FEB20DFAAD44579FFBF9AF88320F208419D519A7240CB79A900CB95

Function 08C20588 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08C205E5

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d8da67276ff654bd6a0db8e4407795564cae9d11d55f6afa600ba086bd79e73
Instruction ID: 9c393511b4b0b8a0be199b8c97d5b7c7d4739c7510b4b6326f5efc4d3033b738
Opcode Fuzzy Hash: 2d8da67276ff654bd6a0db8e4407795564cae9d11d55f6afa600ba086bd79e73
Instruction Fuzzy Hash: 3D11F5B5800749DFDB10CF9AC945BEEBBF8EB48320F10841AE554A3240D378A554CFA5

Function 08C208D8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 08C21F1D

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3f7e01b2d9f200b6e0f083d11b4b040c232e4cbac0f78ed362f21b7db1eef6a4
Instruction ID: 827484c89993aa2bbc1aa58e9df91e21f77b419e0596ba7f7b7ad5db7aef6ba4
Opcode Fuzzy Hash: 3f7e01b2d9f200b6e0f083d11b4b040c232e4cbac0f78ed362f21b7db1eef6a4
Instruction Fuzzy Hash: D31133B1804358CFDB20DF9AD548B9EBBF8EB48320F24841AE519A3240C378A944CFA5

Function 08C27B3C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,08C29AA7), ref: 08C2A545

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3fe45f42b38e7518bad613ddab1478fefa02fb00a3bd21cf7a45e604559029c0
Instruction ID: dd2e0c358c2fd33a1ee634071dd762a933cd251d1034121a56ac3504b1babd85
Opcode Fuzzy Hash: 3fe45f42b38e7518bad613ddab1478fefa02fb00a3bd21cf7a45e604559029c0
Instruction Fuzzy Hash: F611E0B1C04659CFDB20DF9AD548B9EFBF4EB48224F10842AE519A7240D378A544CFA5

Function 08C2A4E0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,08C29AA7), ref: 08C2A545

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6766a3cc7f39ff67c903fa2308d328d2be90953383fc06d20a0ca5cd9293af54
Instruction ID: 2ffb9cad694267455a0972c0d52f583bbde665eb26966e283db3948ca61b8cfe
Opcode Fuzzy Hash: 6766a3cc7f39ff67c903fa2308d328d2be90953383fc06d20a0ca5cd9293af54
Instruction Fuzzy Hash: 541110B1C00659CFCB10DFAAE448BCEBBF4AB48224F14842AE518A3240D378A544CFA5

Function 08C21EC0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 08C21F1D

Memory Dump Source

Source File: 00000000.00000002.3993059117.0000000008C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c20000_h1HIe1rt4D.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c3211104693cc725c1e55b085de68bf589b9a9312a86b7553d0b2b13c091e7b4
Instruction ID: 2ec6571cee775527cd0af085706ee83548dbbb09af712150ce1507b98bcf26c0
Opcode Fuzzy Hash: c3211104693cc725c1e55b085de68bf589b9a9312a86b7553d0b2b13c091e7b4
Instruction Fuzzy Hash: 8A1115B5800359DFDB20DF9AD885BDEBBF4EB48324F24841AD519A7240D378A544CFA5

Non-executed Functions

Function 04F90040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef742ad66f5beae92c251960a08373227f0daaaef037e185c6612f0a03bc6f4
Instruction ID: 56fdda367a151c9879257ab1d0f819916279aebe252abb0a030056c07146834b
Opcode Fuzzy Hash: bef742ad66f5beae92c251960a08373227f0daaaef037e185c6612f0a03bc6f4
Instruction Fuzzy Hash: E71276B0402B498EE730EF65ED4E2893AB1B785314F51430DD2E61AAE9D7BE154BCF84

Function 04F9001E Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e4716e5809de58d572f1c1d3c760421ffa3b497d8779ca4d41624346a22ef5
Instruction ID: 4afdb4e92c84ae19eac7f36a16c0a6a7c7037b634f73d3432216e180a60d05bd
Opcode Fuzzy Hash: 94e4716e5809de58d572f1c1d3c760421ffa3b497d8779ca4d41624346a22ef5
Instruction Fuzzy Hash: ADC1D6B08027498FD730DF65EC4A2897BB1BB85314B51430DD2A26BAD9DBBE154BCF84

Function 04F957D8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3991390337.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d408157aba17287c899afda6ffcb5c007527451fe034385140cb248e6bc1be7a
Instruction ID: d041afd8519b9bc650fe456c7263eefd1aa93b95a97b1c48eb8279ad508e766e
Opcode Fuzzy Hash: d408157aba17287c899afda6ffcb5c007527451fe034385140cb248e6bc1be7a
Instruction Fuzzy Hash: 22610831E003199FEF05EFA4C9949DEBBF6FF89304B255169D409AB261EB30AD46CB50

Analysis Process: h1HIe1rt4D.exePID: 6136, Parent PID: 2992COMMON

Executed Functions

Function 00B8B4F3 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

~, xrefs: 00B8B4AA

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: c08e041e0102aa2c12bc4bade9d72399ab42adcdc6ba5b0b7dab45ea1e1ac901
Instruction ID: 752474490c6128055510181f0eca63cd1614780a13857a71d01d6350e74835be
Opcode Fuzzy Hash: c08e041e0102aa2c12bc4bade9d72399ab42adcdc6ba5b0b7dab45ea1e1ac901
Instruction Fuzzy Hash: 7371F674E042488FEB18DFAAD884A9DBBF2FF89310F14816AD814AB365DB745942CF10

Function 00B89858 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e03eddf76bb79f3d937ff99ab8ec87087de37101267325817952a0642dfd44a
Instruction ID: ef35a9a7e4375c1d639f49e97f138b1ca201ed29128451e497534800715b59e4
Opcode Fuzzy Hash: 4e03eddf76bb79f3d937ff99ab8ec87087de37101267325817952a0642dfd44a
Instruction Fuzzy Hash: E4729271A00209DFDF15EF68C884AAEBBF2FF89300F158596E805AB2A1D730ED45DB51

Function 00B86108 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5630e4f4019c5ac416a911dd786ba6afbc5ae82cc00ff438f9a46ab43bc1fc
Instruction ID: 638294707bc08b4a48ec03bb26ad6082bfd6682e56512cdbffa079df92132741
Opcode Fuzzy Hash: 1c5630e4f4019c5ac416a911dd786ba6afbc5ae82cc00ff438f9a46ab43bc1fc
Instruction Fuzzy Hash: 7A127E70A002199FDB14EFA9C854BAEBBF6FFC8304F248569E5059B3A5DB309D45CB90

Function 00B86730 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce19351a3c58b4882fc61e4bd1e631eb123dbaff1cadecafe5ee62f63179c1be
Instruction ID: 346c3ce1bf68e8e341a5eefcb14c6f85cfd78bab767c08c6f368257c3cbbed22
Opcode Fuzzy Hash: ce19351a3c58b4882fc61e4bd1e631eb123dbaff1cadecafe5ee62f63179c1be
Instruction Fuzzy Hash: 7A121B71A00219DFCB15DFA8C984AADBBF2FF88304F1585AAE855EB2A1D730DD41CB51

Function 00B83572 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0521bd2a0511c5c6b1b8c5e143205baaf167ef2b7a6b4065bfe304e343ddacf
Instruction ID: 325900cb971ed3dc91ce5023672fe49c514e45d9e46f7197cc7d5d242d9ecf2f
Opcode Fuzzy Hash: e0521bd2a0511c5c6b1b8c5e143205baaf167ef2b7a6b4065bfe304e343ddacf
Instruction Fuzzy Hash: 5FF15C74F052488FDB08EFB9D8945AEBBF2BFC8700B148569E406E7359DB349802DB51

Function 00B8B328 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c1c5fd6f198554c347ddcc3824abe05530c08d92065a103535429f0a814728
Instruction ID: 2c1aef479d53cfb645e151f8c997027f5fa54d7db2390bcb54591bb83200df1c
Opcode Fuzzy Hash: 03c1c5fd6f198554c347ddcc3824abe05530c08d92065a103535429f0a814728
Instruction Fuzzy Hash: 0DE1E874A00619CFDB14DFA9C885A9DBBF1FF49310F1981A9E819AB362DB30AD41CF50

Function 00B8C470 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9dab757d1390a3a01e389eeb7264749bb2f97c42efb5dd1d45efb9a1c599b
Instruction ID: e2d2667e9eb033b073082fb074349500d6823bdb4b5baf4a2b0afcc305658f17
Opcode Fuzzy Hash: 06f9dab757d1390a3a01e389eeb7264749bb2f97c42efb5dd1d45efb9a1c599b
Instruction Fuzzy Hash: C5A1D8B4E00218CFDB14DFA9D994AADBBF2FF89300F2491A9D419A7365DB709941CF60

Function 00B8BBD2 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3ffbf8dfd86401162d004884584f9a096a2f70e0f68ac5616e82eb6e96e470
Instruction ID: c046d476f043a457b08200ef7ed4c235badf8a895e977676a41d5c5b41118d53
Opcode Fuzzy Hash: de3ffbf8dfd86401162d004884584f9a096a2f70e0f68ac5616e82eb6e96e470
Instruction Fuzzy Hash: 8C91D674E04218DFDB14DFA9D894A9DBBF2FF89300F1491A9D459AB365DB305981CF10

Function 00B8BEB2 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc20aaee6c4383e17963a2c79efb342ded7e2dcccf21dbc86d996fb14d407727
Instruction ID: 35c4cfe25c323b87152de245a4bebc6cdcc4d92295442e37dd6c51f9dcc57206
Opcode Fuzzy Hash: cc20aaee6c4383e17963a2c79efb342ded7e2dcccf21dbc86d996fb14d407727
Instruction Fuzzy Hash: D391B374E04218CFDB14EFA9D894A9DBBF2FF89300F1490A9D819AB365DB309945DF11

Function 00B8C752 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fcb62549143238b36319527b61a879dfd682094f48b408cc0a7f4d4d1cd86b
Instruction ID: c699c6e562e64b8202da9742f1012164532bd306a85b1dc8fa83ab0f8af7e803
Opcode Fuzzy Hash: 23fcb62549143238b36319527b61a879dfd682094f48b408cc0a7f4d4d1cd86b
Instruction Fuzzy Hash: 8481A274E00218DFEB54DFA9D894A9DBBF2BF89300F14D1A9E419AB365DB709941CF10

Function 00B8CA32 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9514fb1259bd6cc3231e341d0a2b76da4ff974e3325b3e5ecf5056d478ec63
Instruction ID: 8dccee89baa000024606a587e562edb53b539369ad18f58533f9fc9b05fa8946
Opcode Fuzzy Hash: 1b9514fb1259bd6cc3231e341d0a2b76da4ff974e3325b3e5ecf5056d478ec63
Instruction Fuzzy Hash: 438191B4E00218DFDB14DFA9D994A9DBBF2FF88300F1491A9E419AB365DB709941CF50

Function 00B84AD9 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b45148768ffa765ff513e2072a14c124681cffc573f6b23d1fa8a0190dff77b
Instruction ID: 70078985caef44c1af069471c16d5c23e9f2f5f452c016f3c7cae3585124a034
Opcode Fuzzy Hash: 4b45148768ffa765ff513e2072a14c124681cffc573f6b23d1fa8a0190dff77b
Instruction Fuzzy Hash: 8181A174E01219CFDB14DFAAD994A9DBBF2FF88300F1490A9E819AB365DB709945CF10

Function 00B877F0 Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a187807356e29e2fa9d53680eb5cb10d6cf40b4cb341e10322b934ba99fac3c2
Instruction ID: b01cb5ff227641814fa4e86212b77b5d451071a4af6d82acde8a665ad6077336
Opcode Fuzzy Hash: a187807356e29e2fa9d53680eb5cb10d6cf40b4cb341e10322b934ba99fac3c2
Instruction Fuzzy Hash: 80521134E00219CFEB159BE4C860B9EBB72FF84301F1081AAD21A6B365DE359E85DF55

Function 00B887E9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc8cc54ecc62a732fb9c3273023b7dedd25cefefd63e202fd633ba1f4e91248
Instruction ID: 4d1c48c01fb9b377e1baa33eba0d3d3f67c799edad27623fa81912d02d2cf69c
Opcode Fuzzy Hash: 5bc8cc54ecc62a732fb9c3273023b7dedd25cefefd63e202fd633ba1f4e91248
Instruction Fuzzy Hash: F7F19D703052018FDB29AA29C994B3937DAEF85700FA944FAE506CF3B1EE65DC81DB51

Function 00B86E58 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c704f70fa4005c0361dd10f998506043183ec3206159062faf8955336870c69
Instruction ID: de74b182734e22b8124dee35444da9fcde89bb839c94ff343003145b4eefe59c
Opcode Fuzzy Hash: 6c704f70fa4005c0361dd10f998506043183ec3206159062faf8955336870c69
Instruction Fuzzy Hash: 95124C30A44249DFCB15EF69D884A9EBBF1FF89318F248599E909DB261DB30ED41CB50

Function 00B8A818 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a8edc7bda8c8d6fa2abbd327ce7c647da9c9d592bdfacec4d7fc8fc2d78589
Instruction ID: 3f5f979df4d6a847935dbf35e5b72b216325f880ab07978e89b99b9e91e76b73
Opcode Fuzzy Hash: f9a8edc7bda8c8d6fa2abbd327ce7c647da9c9d592bdfacec4d7fc8fc2d78589
Instruction Fuzzy Hash: F5F11D75A405148FDB04DF6CC984AADBBF2FF88310B1A819AE515AB372CB35EC41CB51

Function 00B80C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db368d61cc00db18323200b2acbaf7f7f964f6fea5dcdee2b6b543db9df595bc
Instruction ID: 4d2459c725e85ac4c5ec32264701bafc1a21e5206dcf6fb27759f776e5336e87
Opcode Fuzzy Hash: db368d61cc00db18323200b2acbaf7f7f964f6fea5dcdee2b6b543db9df595bc
Instruction Fuzzy Hash: 10221B38D0121ACFCB95EF64E894A9DBBB2FF88305F10A5A9D509A7368DB306D55CF40

Function 00B80CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157bc63362185c1ee63bc78f8ee0134ad4d5f9bdb859b1fcec86b3dee23ab1fd
Instruction ID: 178d2a2a0c1881ac878c502eb4a4df17b91fd66f5ecec4101953a2d2fd80cf97
Opcode Fuzzy Hash: 157bc63362185c1ee63bc78f8ee0134ad4d5f9bdb859b1fcec86b3dee23ab1fd
Instruction Fuzzy Hash: 3A220C38D0121ACFCB95EF64E894A9DBBB2FF88305F10A5A9D509A7368DB306D55CF40

Function 00B856A8 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408935876178ec765180a3c8992f8eafbad00a0a6276de982347d7ddd3bf7df9
Instruction ID: 92e64cc71e4e3f33f37e584a0bcf51600fb221e201fd74082b238cb51b306ccd
Opcode Fuzzy Hash: 408935876178ec765180a3c8992f8eafbad00a0a6276de982347d7ddd3bf7df9
Instruction Fuzzy Hash: 2EB1B0347046548FDB26AF74C894B6A7BE2EFC8310F1485AAE406CB3A1DB74CC41DB95

Function 00B85C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb52cbcd933d2df83e17d4b7ace41289decdfa5025a3b8f817fa0fa9e10fb44
Instruction ID: 1e58f27e77a65ad274badece28de3bbfb6458c3131d04390ddc992b042b74d41
Opcode Fuzzy Hash: edb52cbcd933d2df83e17d4b7ace41289decdfa5025a3b8f817fa0fa9e10fb44
Instruction Fuzzy Hash: A5816E35A00A058FCB24EFA9C888AA9B7F2FF89315B2481A9D805DB375D731ED41CF51

Function 00B87438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd19392030e626a3e707d0dac4d08e5adddf0d385c151abc6be6aa11d0f55310
Instruction ID: dd2cc52a94762fc7102b8965ac7f81fe8118ae5107964467d73b78749f6e2b50
Opcode Fuzzy Hash: fd19392030e626a3e707d0dac4d08e5adddf0d385c151abc6be6aa11d0f55310
Instruction Fuzzy Hash: 0671F6347846058FCB15EF28C498AAA7BE5EF59708B2904E9E902CB3B1DF71DC41DB90

Function 00B8CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b2afed5fddd7b7c8ea9e5375f9fb5294143919b02238849c4de98166fa44b3
Instruction ID: 2e1a8aed7d27d466e76faf7f3ce7fc8d1a35d5c2f224bef35ec927a34f292cc2
Opcode Fuzzy Hash: d3b2afed5fddd7b7c8ea9e5375f9fb5294143919b02238849c4de98166fa44b3
Instruction Fuzzy Hash: A751B3348B67878FC78A2F30A9EC16ABB70FB0F3177456D14E50E850269B715869EE18

Function 00B8CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb12ec84676fc9bf06f75abcb10e1afd440cd8a54f7f974ca1d6f6e40a3d783
Instruction ID: a55c0ea9827c62dea870ca012218de75a48f38768e5c22bd9d7e6504d7275f0b
Opcode Fuzzy Hash: 1cb12ec84676fc9bf06f75abcb10e1afd440cd8a54f7f974ca1d6f6e40a3d783
Instruction Fuzzy Hash: 2B51A4348B67878FC68A2F30A5EC13EBB74FB0F3177456C10E10E850229B715869EE18

Function 00B8CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fbaac3bccda1d861cf6479732bd799f9d3dfbb4cff3cc7f57a8135dbd7b452
Instruction ID: 55273c3d7f86fc4c5d02c3a002eb28a58a8efb1aaa7895f9ebf3bee5a525a709
Opcode Fuzzy Hash: 98fbaac3bccda1d861cf6479732bd799f9d3dfbb4cff3cc7f57a8135dbd7b452
Instruction Fuzzy Hash: 4651A374E01248DFDB54DFA9D9849DDBBF2BF89300F20816AE819AB365DB30A901CF50

Function 00B83908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b62b3c9763c07e5a4da2bb38d8af8a6337c083435f60cbf72371dafa0d29482
Instruction ID: c8f5f793b10cd5da1726ebcb823fadd616abdf2069e49637cfed344135dfdad4
Opcode Fuzzy Hash: 0b62b3c9763c07e5a4da2bb38d8af8a6337c083435f60cbf72371dafa0d29482
Instruction Fuzzy Hash: DD51A474E01208CFCB48EFA9D59499DBBF2FF89301B609569E805AB324DB31AD42CF50

Function 00B89A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c1f3b5c656eef0df2c8810466fc59da2d68b3a20a1660c526b6e20662f6429
Instruction ID: eae81a99b55e8c7bdd8ec5a1b04f8610880d3066057f02c0398891537bb68c7f
Opcode Fuzzy Hash: d4c1f3b5c656eef0df2c8810466fc59da2d68b3a20a1660c526b6e20662f6429
Instruction Fuzzy Hash: CB41C031A04249DFCF15DFA8D844AEDBFF2EF89310F188596E811AB2A1D331D915DB60

Function 00B8A650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe02dd104772ea2bff1056f2418355d0445c1d74071c92a59e19bc1d1f131651
Instruction ID: 0af4589dada856d80fcb920b1069679145f463df52aa9dce32037c9f76f46455
Opcode Fuzzy Hash: fe02dd104772ea2bff1056f2418355d0445c1d74071c92a59e19bc1d1f131651
Instruction Fuzzy Hash: BC410D35B002048FDB15AF78D8546AE7BF6ABC8321F24806AE906D7391CE319C06DBA5

Function 00B83428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f7c33c2a5eb95abca0c5a381882775d5a76b07c4ec7f638d0a05ee9377d2be
Instruction ID: d943f1b6b9d5da203db438965262ff98e634fc660ce54a92e817d071500b5cf9
Opcode Fuzzy Hash: f0f7c33c2a5eb95abca0c5a381882775d5a76b07c4ec7f638d0a05ee9377d2be
Instruction Fuzzy Hash: 5231E131B042258BDB596AAA889427E66DAEBD4F10F1C447DD806C33A0DFB4CE05D7A1

Function 00B84DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc985fef9c10d38940d804714d9ed9df66fd960a980dbe30271b423b64d60778
Instruction ID: 5aacfc5356a9475cf27f3dfb9d1495ea99ba98cf9790ff2a84b7d79a10ea494e
Opcode Fuzzy Hash: bc985fef9c10d38940d804714d9ed9df66fd960a980dbe30271b423b64d60778
Instruction Fuzzy Hash: 3731B03164010A9FCB06AF64D894AAF3BE2FF88302F108465F9158B364CB35CD25DBA5

Function 00B876D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78e5ec547e4e1d4ef524c8b932dd95df549ebdd07e70409f9b688249c6e0680
Instruction ID: 08a061ac58d87adb9b2529ac7fc48d098563cca5055405393cae493c9ffbb7b5
Opcode Fuzzy Hash: a78e5ec547e4e1d4ef524c8b932dd95df549ebdd07e70409f9b688249c6e0680
Instruction Fuzzy Hash: F421F7383882414BEB1667398894A7D7BD7EFD970D72840B5D606CB7A9EE14CC42E380

Function 00B8A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07d130551c29e00a47f7a559ace214825b476c6b019fc22cd5f58fcaf4f56cb
Instruction ID: 29700c09f44731dd152bee9882691b9ce86a5358706516a5ac660e2457e9dc58
Opcode Fuzzy Hash: e07d130551c29e00a47f7a559ace214825b476c6b019fc22cd5f58fcaf4f56cb
Instruction Fuzzy Hash: 7331A171E041058FDB04DF69C8849AEBBF2FF85360B15829AE5159B3B2CB34AC02CF91

Function 00B876E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a90a3a45eff9898cd427fcf6fe86adbfe3593a1028621731f323ac6fb7e91e3
Instruction ID: 7dbcbb1decd4a8adb6cf2669dc6159fe56cf78fabc11992bc6ff0e946a88c18b
Opcode Fuzzy Hash: 2a90a3a45eff9898cd427fcf6fe86adbfe3593a1028621731f323ac6fb7e91e3
Instruction Fuzzy Hash: 4A21A43C34820547EB156A258894A7E76C7DFC871DF3840B5D606CB7A8EE65CC42E780

Function 00B85A60 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361091ea8178661e2558bcab86b5108ccd5cb0756ebdcc57c6f3d8b7ba6d892c
Instruction ID: de81bc14cd10f45a7456f1eeaefc94fe3adf73f8bc3e6e7773f7a23231bb9e00
Opcode Fuzzy Hash: 361091ea8178661e2558bcab86b5108ccd5cb0756ebdcc57c6f3d8b7ba6d892c
Instruction Fuzzy Hash: 8A21CF35742A118FC72AAB24C4A456AB7A2FFC975171582A9E806CB361CE30DC06CBC4

Function 00B82060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acdbb95cb02e0effe45db3519df620ba74ce9abd9678d1384852eb42d8a1b42
Instruction ID: 8d17ca777285dbc56867f315b8d7c6f35a4e92e5404e1cbb5f97dcf11ee09e5a
Opcode Fuzzy Hash: 3acdbb95cb02e0effe45db3519df620ba74ce9abd9678d1384852eb42d8a1b42
Instruction Fuzzy Hash: 2F21F135A001169FCB14EF24D8509AE77E5EBD8360F60C499E80A9B354DB31EE42CBD1

Function 009DD404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987005763.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9dd000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c71d64ba436edeb870984e9fc61fb82482143f8b6e5e870ae475ae9eceab827
Instruction ID: 24d3edc37b6da4c79e151b124d4aa4347e1eb62e7df28e6620f1f1221892aa49
Opcode Fuzzy Hash: 5c71d64ba436edeb870984e9fc61fb82482143f8b6e5e870ae475ae9eceab827
Instruction Fuzzy Hash: D5210372545244EFDB14DF14D9C0B26BF69FB94324F20C56AE9090B3A6C33AE856CAA1

Function 00B8D123 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a18a6d84f0ecc159f05efca4036d30a96f46e0d2ca8f3b5a8bd0fe013807f9e
Instruction ID: 775f935d0ac9e90c38cea8e8bc9340e25b2143988cbcc6e5915bcb30543b754d
Opcode Fuzzy Hash: 4a18a6d84f0ecc159f05efca4036d30a96f46e0d2ca8f3b5a8bd0fe013807f9e
Instruction Fuzzy Hash: AB21F831C11659CECB11EFE8E8446ECFBB0FF4A301F10966AE91577254EB706A9ACB50

Function 00B8D218 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fa848df6e15db231caf48adf2138b36053bb0216850c497360f25dd1bb3565
Instruction ID: b5d365c3bfce8985808f5b3205139b21f7d982ad7a56c808b450bad0f661a1dd
Opcode Fuzzy Hash: f9fa848df6e15db231caf48adf2138b36053bb0216850c497360f25dd1bb3565
Instruction Fuzzy Hash: A9212974E422498FDB04DFB0E851AEDB7B2FB8A305F10A569C412773A4CB359942CF68

Function 00B8215C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a563e37bb7cb5dddd30c8e4caaed291295a6a54cb7628d5b085ddb30849f83fc
Instruction ID: 600ac961434d73df35292a81d4d2ebad4d55f24b6274f1082e3e6d0baeacc171
Opcode Fuzzy Hash: a563e37bb7cb5dddd30c8e4caaed291295a6a54cb7628d5b085ddb30849f83fc
Instruction Fuzzy Hash: 9D112975E052599BCF01EFF8DC105EEB7B0FF89310B258796D616B7150EA312906C791

Function 00B8D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe0448981f4cd90e2c439aa666fdf245a030a31e1aa63cb74b2c7926156808e
Instruction ID: 897def318c60d829e3e387e3fe202b224e1cabe8d34db3f2afda78eb646c7cde
Opcode Fuzzy Hash: abe0448981f4cd90e2c439aa666fdf245a030a31e1aa63cb74b2c7926156808e
Instruction Fuzzy Hash: C7210674D022488BDB08DFB0D850AEDB7B2FB89305F10A429D411773A4CB359D41CF69

Function 00B85A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e66b96eba497920f17203c2da841a8093196aca0e4c3b0994601d813946a4bb
Instruction ID: c66f09eac5448e15078378b560e1f7c4324031016602eed17010fb2d0173a374
Opcode Fuzzy Hash: 1e66b96eba497920f17203c2da841a8093196aca0e4c3b0994601d813946a4bb
Instruction Fuzzy Hash: 5D1170357419129BC72AAE29C49452AB7E6FFC475171545A8E906CB360DE30DC02C7D4

Function 00B81F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb654bda52c66f144734c74910e3ae84de26b0982e39e7cdea96f86c5512d15b
Instruction ID: 9a3fc8a16a99953f79611048951407b17802f770f67d9b5448a3bec2e6763e6b
Opcode Fuzzy Hash: cb654bda52c66f144734c74910e3ae84de26b0982e39e7cdea96f86c5512d15b
Instruction Fuzzy Hash: 59213570C052498FCB01EFB8C4984EDBFF4BF09301F1455AAD405BB260EB305A89DBA2

Function 009DD3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987005763.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9dd000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: fa0bf4d85226f64dc0834790b3b7eb2f162d2c2c6bb9e7d5c5cc7e47913a88cf
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 5A11D376545284DFCB15CF10D5C4B16BF71FB94324F24C5AAD8090B766C33AE856CBA1

Function 00B81F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a360ab709a3cb8e3794752a2ee7f36ff6ba6160bffa538e60d217975cf6d3f2
Instruction ID: 28167f4c3cb7cb4ff4544cbbfc2d9d4ce119ac90456dd14bd2fbacf83f6fe0ce
Opcode Fuzzy Hash: 6a360ab709a3cb8e3794752a2ee7f36ff6ba6160bffa538e60d217975cf6d3f2
Instruction Fuzzy Hash: AE21F2B4C052498FCB41EFA8D8545EEBBF4BB09300F10556AD805B7320EB305A55DBA1

Function 00B85607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe7d38bbfa3ba077417cb73b663412c75b101370c850066fecea72d382143fd
Instruction ID: e0a60d3f067cd9ccc1396c7a8f0d518550f658ca4c51ac255d83fea8fa61841a
Opcode Fuzzy Hash: fbe7d38bbfa3ba077417cb73b663412c75b101370c850066fecea72d382143fd
Instruction Fuzzy Hash: 9A01B172B001146FDB129E64D810BEF3BD7EFC8752F28806AF915DB294EA71C811D7A5

Function 00B82010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b8082e69540cd2bd9eed756bd9775a8998346e5707cde11b33c7dc92add602
Instruction ID: 8d789d90677e8863df631fa34a2310efd19e6dbcd30ed7e7713d6df3dc963089
Opcode Fuzzy Hash: 68b8082e69540cd2bd9eed756bd9775a8998346e5707cde11b33c7dc92add602
Instruction Fuzzy Hash: 75E0D831C613E65BCB0297B5B8504EEBF30EE92220B1552A7DA617B141E760254ECBB0

Function 00B82020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef897ebb85b9c5e2edbbac9d0b97de06efc5cf6b36101399c1ff1dfd866082d3
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: ef897ebb85b9c5e2edbbac9d0b97de06efc5cf6b36101399c1ff1dfd866082d3
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 00B88258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 8a61e79e891ade9216b322c459f244acb662fd5e0bbe538b7cb0ed71059efc58
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 28C0123320C1286BA624608E7C80AA3AB8CC2C17B4A6501B7F91CE3210A842AC8082A8

Function 00B8A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92e49e83145c4afde90b11baa81ae9d6e88a688504153ba396a4894430ffd75
Instruction ID: ca41dba65b48b78ae91e4f4dc86209addf74f1679bd46002e927cb4522a9fe53
Opcode Fuzzy Hash: f92e49e83145c4afde90b11baa81ae9d6e88a688504153ba396a4894430ffd75
Instruction Fuzzy Hash: 56D0173BB000089FCB048F88E8408DDB7B6FB8C221B008026E911A3220C6319821DB50

Function 00B85EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8e7f2bbb320a80457d253adb8396626f4dab41cd7a662cbf2ae7d0827d08b7
Instruction ID: 3e1b56cfa41ed8db0c7db5d0d7a927bb9d17d2547d0095f25b76ba9ec91c4fb2
Opcode Fuzzy Hash: 2c8e7f2bbb320a80457d253adb8396626f4dab41cd7a662cbf2ae7d0827d08b7
Instruction Fuzzy Hash: C5D0C2308083874BD716AB31A5950983F21AAC1304B50A599AC404914BDEA9085E876A

Function 00B85EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3987337503.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b80000_h1HIe1rt4D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dec9c5da4aeef84f8e3af5ad3393ff2d167d7716203a1e1167686f4b05bafd
Instruction ID: 4db479e32888d13101225f548a691ecbb623817d405577bd43a7578be98238e8
Opcode Fuzzy Hash: c3dec9c5da4aeef84f8e3af5ad3393ff2d167d7716203a1e1167686f4b05bafd
Instruction Fuzzy Hash: E4C0123094434B8BD649FB75E9455153B5AAAC0301F40A918B1090511DDFF8195856DE

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h1HIe1rt4D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1HIe1rt4D.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
h1HIe1rt4D.exe

Function 04F9BF40 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Function 04F9B024 Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Function 04F9CA66 Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Function 04F9AFC8 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Function 04F94050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 04F9BC18 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 04F9BC20 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 04F9BB42 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 04F9BB48 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 04F9CD50 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 04F9B048 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 04F9CC98 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Function 04F9B030 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON