Edit tour

Windows Analysis Report
wZ6VEnOkie.exe

Overview

General Information

Sample name:	wZ6VEnOkie.exe renamed because original name is a hash value
Original sample name:	d87d4991c4a32c635ebb3e24e1e5aabaa92b397afe5f0c28471e97c986b21144.exe
Analysis ID:	1588773
MD5:	ef77fad0f48dc9dafdb6833d92faadc3
SHA1:	570c28749cf913d248049b8bbe127695675d6417
SHA256:	d87d4991c4a32c635ebb3e24e1e5aabaa92b397afe5f0c28471e97c986b21144
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

wZ6VEnOkie.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\wZ6VEnOkie.exe" MD5: EF77FAD0F48DC9DAFDB6833D92FAADC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wZ6VEnOkie.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
wZ6VEnOkie.exe	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
wZ6VEnOkie.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
wZ6VEnOkie.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data
wZ6VEnOkie.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
wZ6VEnOkie.exe	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143a0:$a1: get_encryptedPassword 0x14684:$a2: get_encryptedUsername 0x141ac:$a3: get_timePasswordChanged 0x142a7:$a4: get_passwordField 0x143b6:$a5: set_encryptedPassword 0x15a0d:$a7: get_logins 0x15970:$a10: KeyLoggerEventArgs 0x155db:$a11: KeyLoggerEventArgsEventHandler
00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1939c:$x1: $%SMTPDV$ 0x17d80:$x2: $#TheHashHere%& 0x19344:$x3: %FTPDV$ 0x17d20:$x4: $%TelegramDv$ 0x155db:$x5: KeyLoggerEventArgs 0x15970:$x5: KeyLoggerEventArgs 0x19368:$m2: Clipboard Logs ID 0x195a6:$m2: Screenshot Logs ID 0x196b6:$m2: keystroke Logs ID 0x19990:$m3: SnakePW 0x1957e:$m4: \SnakeKeylogger\
00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: wZ6VEnOkie.exe PID: 2228	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: wZ6VEnOkie.exe PID: 2228	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x58660:$a1: get_encryptedPassword 0x5893a:$a2: get_encryptedUsername 0x58476:$a3: get_timePasswordChanged 0x58571:$a4: get_passwordField 0x58676:$a5: set_encryptedPassword 0x5ab24:$a7: get_logins 0x5aa87:$a10: KeyLoggerEventArgs 0x5a6f2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: wZ6VEnOkie.exe PID: 2228	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5a6f2:$x5: KeyLoggerEventArgs 0x5aa87:$x5: KeyLoggerEventArgs 0x5b38e:$x5: KeyLoggerEventArgs 0x5b6ef:$x5: KeyLoggerEventArgs 0x5ccb2:$m2: Clipboard Logs ID 0x5cdb8:$m2: Screenshot Logs ID 0x5ce0e:$m2: keystroke Logs ID 0x5cf43:$m3: SnakePW 0x5cda4:$m4: \SnakeKeylogger\
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.wZ6VEnOkie.exe.110000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.wZ6VEnOkie.exe.110000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.0.wZ6VEnOkie.exe.110000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
0.0.wZ6VEnOkie.exe.110000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data
0.0.wZ6VEnOkie.exe.110000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
0.0.wZ6VEnOkie.exe.110000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
Click to see the 1 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:20:44.532986+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-11T05:20:45.838644+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:20:42.784006+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-11T05:20:43.971521+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-11T05:20:45.268418+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wZ6VEnOkie.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: wZ6VEnOkie.exe	Virustotal: Detection: 73%			Perma Link
Source: wZ6VEnOkie.exe	ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: wZ6VEnOkie.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: wZ6VEnOkie.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: wZ6VEnOkie.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 022DF1F6h	0_2_022DF018
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 022DFB80h	0_2_022DF018
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_022DE528
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06107C4Dh	0_2_06107910
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06106A59h	0_2_061067B0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06104A91h	0_2_061047E8
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06106EB1h	0_2_06106C08
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06104EE9h	0_2_06104C40
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06100741h	0_2_06100498
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06107761h	0_2_061074B8
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06105799h	0_2_061054F0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06100FF1h	0_2_06100D48
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06106049h	0_2_06105DA0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 061064CBh	0_2_06106220
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06104611h	0_2_06104368
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 061002E9h	0_2_06100040
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06107309h	0_2_06107060
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06105341h	0_2_06105098
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06100B99h	0_2_061008F0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 4x nop then jmp 06105BF1h	0_2_06105948

Networking

Yara detected Generic Downloader

Source: Yara match	File source: wZ6VEnOkie.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024B8000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.000000000258E000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: wZ6VEnOkie.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024DC000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: wZ6VEnOkie.exe	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Malicious sample detected (through community Yara rule)

Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DB328	0_2_022DB328
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DF018	0_2_022DF018
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022D6118	0_2_022D6118
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DC190	0_2_022DC190
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DC751	0_2_022DC751
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DC470	0_2_022DC470
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022D3580	0_2_022D3580
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DCA31	0_2_022DCA31
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022D4AD9	0_2_022D4AD9
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DBBD2	0_2_022DBBD2
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022D9858	0_2_022D9858
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DBEB0	0_2_022DBEB0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DF007	0_2_022DF007
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DB4F2	0_2_022DB4F2
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DE528	0_2_022DE528
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_022DE517	0_2_022DE517
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610BE00	0_2_0610BE00
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06109E78	0_2_06109E78
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06107F68	0_2_06107F68
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610B7B0	0_2_0610B7B0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610C448	0_2_0610C448
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610A4C0	0_2_0610A4C0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610AB10	0_2_0610AB10
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06109830	0_2_06109830
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06107910	0_2_06107910
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610B160	0_2_0610B160
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061011A0	0_2_061011A0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061091E0	0_2_061091E0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06103600	0_2_06103600
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06109E67	0_2_06109E67
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06107F58	0_2_06107F58
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061067B0	0_2_061067B0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061067A0	0_2_061067A0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610B7A0	0_2_0610B7A0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061047E3	0_2_061047E3
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061047E8	0_2_061047E8
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06106C03	0_2_06106C03
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06106C08	0_2_06106C08
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06104C37	0_2_06104C37
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610C438	0_2_0610C438
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06104C40	0_2_06104C40
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06100493	0_2_06100493
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06100498	0_2_06100498
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610A4B2	0_2_0610A4B2
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061074B3	0_2_061074B3
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061074B8	0_2_061074B8
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061054F0	0_2_061054F0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061054E1	0_2_061054E1
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06100D40	0_2_06100D40
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06100D48	0_2_06100D48
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06105D91	0_2_06105D91
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06105DA0	0_2_06105DA0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610BDFB	0_2_0610BDFB
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06106210	0_2_06106210
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06106220	0_2_06106220
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610AB02	0_2_0610AB02
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610435C	0_2_0610435C
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06104368	0_2_06104368
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610003D	0_2_0610003D
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610982A	0_2_0610982A
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06107054	0_2_06107054
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06100040	0_2_06100040
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06107060	0_2_06107060
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06105098	0_2_06105098
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610508F	0_2_0610508F
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061008F0	0_2_061008F0
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061008EB	0_2_061008EB
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06102900	0_2_06102900
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610790B	0_2_0610790B
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06105938	0_2_06105938
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_0610B150	0_2_0610B150
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_06105948	0_2_06105948
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Code function: 0_2_061091D6	0_2_061091D6

Source: wZ6VEnOkie.exe, 00000000.00000002.4483047270.00000000004F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs wZ6VEnOkie.exe
Source: wZ6VEnOkie.exe, 00000000.00000002.4483282253.000000000071E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wZ6VEnOkie.exe
Source: wZ6VEnOkie.exe, 00000000.00000000.2043387496.0000000000132000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs wZ6VEnOkie.exe
Source: wZ6VEnOkie.exe	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs wZ6VEnOkie.exe

Source: wZ6VEnOkie.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: wZ6VEnOkie.exe, type: SAMPLE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Mutant created: NULL

Source: wZ6VEnOkie.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wZ6VEnOkie.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wZ6VEnOkie.exe, 00000000.00000002.4485115089.000000000267D000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002689000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002656000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002638000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4487516889.000000000348C000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002647000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: wZ6VEnOkie.exe	Virustotal: Detection: 73%
Source: wZ6VEnOkie.exe	ReversingLabs: Detection: 91%

Source: wZ6VEnOkie.exe

String found in binary or memory: F-Stopw

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: wZ6VEnOkie.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wZ6VEnOkie.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Memory allocated: 2280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Memory allocated: 4400000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598885	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596074	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595965	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Window / User API: threadDelayed 1656			Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Window / User API: threadDelayed 8200			Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 4592	Thread sleep count: 1656 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 4592	Thread sleep count: 8200 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598885s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596341s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -596074s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595965s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe TID: 6656	Thread sleep time: -594437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598885	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 596074	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595965	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: wZ6VEnOkie.exe, 00000000.00000002.4483282253.0000000000757000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Users\user\Desktop\wZ6VEnOkie.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: wZ6VEnOkie.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\wZ6VEnOkie.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: wZ6VEnOkie.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wZ6VEnOkie.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wZ6VEnOkie.exe PID: 2228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wZ6VEnOkie.exe	73%	Virustotal		Browse
wZ6VEnOkie.exe	92%	ReversingLabs	Win32.Keylogger.NotFound
wZ6VEnOkie.exe	100%	Avira	TR/ATRAPS.Gen
wZ6VEnOkie.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024B8000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.000000000258E000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	wZ6VEnOkie.exe	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002507000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002564000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002557000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002580000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000024DC000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.0000000002572000.00000004.00000800.00020000.00000000.sdmp, wZ6VEnOkie.exe, 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	wZ6VEnOkie.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588773
Start date and time:	2025-01-11 05:19:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wZ6VEnOkie.exe renamed because original name is a hash value
Original Sample Name:	d87d4991c4a32c635ebb3e24e1e5aabaa92b397afe5f0c28471e97c986b21144.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 109 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.44, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target wZ6VEnOkie.exe, PID 2228 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:20:42	API Interceptor	11169369x Sleep call for process: wZ6VEnOkie.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe
132.226.247.73	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	104.21.15.100
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	leUmNO9XPu.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
UTMEMUS	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.838275450388981
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	wZ6VEnOkie.exe
File size:	131'584 bytes
MD5:	ef77fad0f48dc9dafdb6833d92faadc3
SHA1:	570c28749cf913d248049b8bbe127695675d6417
SHA256:	d87d4991c4a32c635ebb3e24e1e5aabaa92b397afe5f0c28471e97c986b21144
SHA512:	2110703d533254c9aa0acf4097a289a73b87ccd1c16d7af9b40b17b47047f4826086f78ff3f807be856f1884e1071e23b88688caac258d3ee17a5d1637fb33d0
SSDEEP:	3072:Z99yINAgKjV545jbvk5Hbe7fMuJN07TcD1vzSF2XO9p9JbYsiTmWzwvcXrtgbY:kINAgKjV5Cjbvk5Hbe7fMuJN07T9bJis
TLSH:	44D319493BF89804E1FF997302716111C779B8135A26DF1D5BC2E86A2A3D6D1CE06F93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x420afe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66972DD9 [Wed Jul 17 02:35:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20ab0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x108f	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1eb04	0x1ec00	b365e568195d7c8971250b634b5fd5d8	False	0.3542381224593496	data	5.852372519965909	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x108f	0x1200	f59392b7fa5e8b22ad0c6b19a0b07c20	False	0.3663194444444444	data	4.868462934974607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	7b4fc16570212618dfad5e88c970437f	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x220a0	0x394	OpenPGP Secret Key			0.42358078602620086
RT_MANIFEST	0x22434	0xc5b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.3926651912741069

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:20:42.784006+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-11T05:20:43.971521+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-11T05:20:44.532986+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-11T05:20:45.268418+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	132.226.247.73	80	TCP
2025-01-11T05:20:45.838644+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:20:40.834305048 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:40.839282990 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:40.839376926 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:40.839577913 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:40.844481945 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:42.511837959 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:42.530174971 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:42.534996033 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:42.738507032 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:42.784006119 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:42.833177090 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:42.833199024 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:42.833255053 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:42.840388060 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:42.840396881 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.316611052 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.316732883 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.322237015 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.322251081 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.322746992 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.377729893 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.420602083 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.463330030 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.695405960 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.695471048 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.695643902 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.702572107 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.706290007 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:43.711090088 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:43.917665005 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:43.920615911 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.920654058 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.920725107 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.921014071 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:43.921022892 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:43.971520901 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.392323017 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:44.396812916 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:44.396843910 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:44.533071041 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:44.533248901 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:44.533359051 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:44.534010887 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:44.537679911 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.539051056 CET	49707	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.542671919 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:44.542748928 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.543909073 CET	80	49707	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:44.543981075 CET	49707	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.544075012 CET	49707	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:44.548897982 CET	80	49707	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:45.220374107 CET	80	49707	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:45.237380028 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.237436056 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.237551928 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.241616011 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.241630077 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.268418074 CET	49707	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:45.702457905 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.704135895 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.704219103 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.838655949 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.838722944 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:45.838773012 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.839431047 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:45.844845057 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:45.849756002 CET	80	49709	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:45.849827051 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:45.849977016 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:45.854773998 CET	80	49709	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:48.555803061 CET	80	49709	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:48.557501078 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:48.557607889 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:48.557745934 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:48.558072090 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:48.558103085 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:48.596575022 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.036986113 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:49.039206028 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:49.039244890 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:49.193722963 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:49.193821907 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:49.193891048 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:49.194958925 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:49.199040890 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.199656963 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.205466986 CET	80	49711	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:49.205604076 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.205735922 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.205740929 CET	80	49709	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:49.205795050 CET	49709	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:49.210556030 CET	80	49711	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:50.901266098 CET	80	49711	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:50.902929068 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:50.902983904 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:50.903064966 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:50.903309107 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:50.903326988 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:50.955857992 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.366010904 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:51.367805958 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:51.367839098 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:51.505702972 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:51.505774021 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:51.505829096 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:51.506324053 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:51.509568930 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.510580063 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.514508009 CET	80	49711	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:51.514590979 CET	49711	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.515423059 CET	80	49713	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:51.515507936 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.515633106 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:51.520361900 CET	80	49713	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:52.207678080 CET	80	49713	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:52.209336042 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.209397078 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.209505081 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.209804058 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.209816933 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.252881050 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.673780918 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.675502062 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.675529957 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.823784113 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.823856115 CET	443	49714	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:52.823921919 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.824373960 CET	49714	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:52.827915907 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.828582048 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.833089113 CET	80	49713	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:52.833165884 CET	49713	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.833524942 CET	80	49715	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:52.833600998 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.833810091 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:52.838679075 CET	80	49715	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:53.505932093 CET	80	49715	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:53.507355928 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:53.507462025 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:53.507577896 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:53.507867098 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:53.507905006 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:53.553430080 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:53.969679117 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:53.971652985 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:53.971683979 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:54.118185997 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:54.118252993 CET	443	49716	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:54.118371964 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:54.118886948 CET	49716	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:54.122279882 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:54.123512030 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:54.127346992 CET	80	49715	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:54.127469063 CET	49715	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:54.128401995 CET	80	49717	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:54.128472090 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:54.128596067 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:54.133351088 CET	80	49717	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:54.823743105 CET	80	49717	132.226.247.73	192.168.2.5
Jan 11, 2025 05:20:54.825356007 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:54.825409889 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:54.825527906 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:54.825771093 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:54.825783968 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:54.878987074 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:20:55.307250023 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:55.309211016 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:55.309242964 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:55.448110104 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:55.448169947 CET	443	49718	104.21.80.1	192.168.2.5
Jan 11, 2025 05:20:55.448230982 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:20:55.448705912 CET	49718	443	192.168.2.5	104.21.80.1
Jan 11, 2025 05:21:50.220096111 CET	80	49707	132.226.247.73	192.168.2.5
Jan 11, 2025 05:21:50.220213890 CET	49707	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:21:59.825443029 CET	80	49717	132.226.247.73	192.168.2.5
Jan 11, 2025 05:21:59.825529099 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:22:34.839580059 CET	49717	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:22:34.844526052 CET	80	49717	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:20:40.820606947 CET	65025	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:20:40.827428102 CET	53	65025	1.1.1.1	192.168.2.5
Jan 11, 2025 05:20:42.825365067 CET	65328	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:20:42.832458019 CET	53	65328	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:20:40.820606947 CET	192.168.2.5	1.1.1.1	0x92b1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.825365067 CET	192.168.2.5	1.1.1.1	0x6c8f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:40.827428102 CET	1.1.1.1	192.168.2.5	0x92b1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:42.832458019 CET	1.1.1.1	192.168.2.5	0x6c8f	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:40.839577913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:42.511837959 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:20:42.530174971 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:20:42.738507032 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:20:43.706290007 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:20:43.917665005 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:44.544075012 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:20:45.220374107 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:45.849977016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:48.555803061 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:49.205735922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:50.901266098 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:51.515633106 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:52.207678080 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:52.833810091 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:53.505932093 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	132.226.247.73	80	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:54.128596067 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:54.823743105 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:43 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884032 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xh%2BIW2rfWC0%2Fl0bHNaUWv3y0rQ4w4fRds1Mk8gg2FwBYsF9MSv3ml9XTeFcU2Chi0TsRQ1jjuu0F9gO1Wi%2Bt0DlpYicbM2t3xzXyXnSDONDtGrqwEa2tSrTIYPRfW10slXFaEHQw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021dabc9ee8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&min_rtt=1939&rtt_var=739&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1468812&cwnd=223&unsent_bytes=0&cid=1048875510ac04ec&ts=233&x=0"
2025-01-11 04:20:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 04:20:44 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884033 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFSqXyNphZBtaGlzT8uUZlo4eVAQm310gPear%2Bmnmn7BVwm5bKfNjfm%2Bojnr0f1TsJqV8fkJgAfO%2BpMyjf7GvqwnlUzruVkSx1RkXT2ncSHcy6cQxfnArvLFJVqiIlfuLyeL6Y5P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021db20a9e42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1595&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1576673&cwnd=229&unsent_bytes=0&cid=30141a19506cf159&ts=149&x=0"
2025-01-11 04:20:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:45 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 04:20:45 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884034 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GuDTa%2BKIvPOSa17WQxgg1HdYfFSD7Pl751GWDW7%2FG76atKgqRgCtDPOGkbwgEEzkyZaLwjN2SI1Vgbn%2B50zBR3J%2FtvjBUg%2ButhCOP61sjBWeEWUFc447bvzckLYLqIQIXXH9UE0a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021dba3cf242d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1621&rtt_var=617&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1801357&cwnd=229&unsent_bytes=0&cid=36a29afb31ce276f&ts=145&x=0"
2025-01-11 04:20:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:49 UTC	865	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884038 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r7WlYySvT1Le%2BdQ%2BUlS43xAsBWbsW%2Bi%2B8WwFbs9WGSEDNUv0RB57GL4ck4SYwJar0aa9a72fNq4G6Et2kBRos%2BB0u%2Bw%2FxUkgesJuNsph4t4RdCHLJjLEaYlScTmkZQfqr5l%2Fapfx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021dcf1a877d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1924&rtt_var=734&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1479229&cwnd=244&unsent_bytes=0&cid=7a85bee7f4275e8f&ts=162&x=0"
2025-01-11 04:20:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:51 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884040 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ww3TuZ2MUwvVK9hKo8rBnsWb2aK2Gd1AHI5mQl5XIyjMFZnhfwURTUo%2BaBw0BoKzPUIkLMm%2FrIdNYtkXq3KCvPD1Ukj9tqZrzZYfx8lG4%2F30JECDFi%2FDQa9NvKrWlBThghwUVrKg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021ddd9eec8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1962&min_rtt=1956&rtt_var=746&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1454907&cwnd=223&unsent_bytes=0&cid=aee4ad8d6685fb12&ts=147&x=0"
2025-01-11 04:20:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:52 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884041 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gy7tPSWTRbFP0Z%2FMNz8VJdW8xYBqtk%2FiUMRBT9IHyrvjtMdfo9AhGVpnd8CtI7YpYm1ELdcdTIHNjWYaQrdtfvmZdeDhrRbwS0k5vZont3ddPVhlvQbW5l6uUjViZtLGHMWNny5g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021de5d8d08c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1961&rtt_var=745&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1459270&cwnd=223&unsent_bytes=0&cid=935d08ec84f7eeba&ts=153&x=0"
2025-01-11 04:20:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49716	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:54 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884043 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSPfbbKhBX966RdOuoy%2FVZNEz5Qtz32RknDUb7GwhQXfohcEcJXxhhdlDQ3yRmjbFiyb7q0VcASdjWCUy98FwHnefYUMRoi0uga%2FG5ufuFFcBDZ8h8u4GLPQrbPXJ7Y3mv8238oO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021dedfd1442d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1557&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1785932&cwnd=229&unsent_bytes=0&cid=8e92f40a2cbc9fe6&ts=157&x=0"
2025-01-11 04:20:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	104.21.80.1	443	2228	C:\Users\user\Desktop\wZ6VEnOkie.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:55 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:55 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884044 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ox5s6Zpcx%2FVYGoI%2BLOFenlmLlaoOn6oIsj6WZczipAfLK5pCt0WNwZLFYoogaO5Iop3X0JA6QksVbOWNpIaoobeSIFZfbxbvavEGS9ZtcjEWZj4yv3FsJij3UpI7UsCPKTjrLZ3R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021df62fd642d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1588&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1821584&cwnd=229&unsent_bytes=0&cid=f8d5cf90da097728&ts=144&x=0"
2025-01-11 04:20:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	23:20:39
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\wZ6VEnOkie.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wZ6VEnOkie.exe"
Imagebase:	0x110000
File size:	131'584 bytes
MD5 hash:	EF77FAD0F48DC9DAFDB6833D92FAADC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.2043345170.0000000000112000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4485115089.00000000025AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4485115089.0000000002401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 022D6118 Relevance: 9.7, Strings: 7, Instructions: 919COMMON

Download Yara Rule

Strings

(o]q, xrefs: 022D6642
Haq, xrefs: 022D650E
(o]q, xrefs: 022D6CA5
(o]q, xrefs: 022D6988
(o]q, xrefs: 022D697A
,aq, xrefs: 022D69F2
,aq, xrefs: 022D6A00

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq
API String ID: 0-105717579
Opcode ID: a49cf7c63e1b571282b5f8fc15cffa7b9cf0ece6c1c0adbdab7adece601412ad
Instruction ID: d05261f6289276431059b7fc5add6cb98b6099b283fdd949ab487766f9ba95c3
Opcode Fuzzy Hash: a49cf7c63e1b571282b5f8fc15cffa7b9cf0ece6c1c0adbdab7adece601412ad
Instruction Fuzzy Hash: 10727070A1021A9FDB14CFA9D944AAEBBFAFF88304F148469E405EB399DB34DD45CB50

Function 022D9858 Relevance: 3.4, Strings: 2, Instructions: 860COMMON

Download Yara Rule

Strings

(o]q, xrefs: 022D9C78
4']q, xrefs: 022DA273

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 19b87cc975bff58c45e25d1e3b7f9c253c4923006470daf55156239e116bf6c7
Instruction ID: f5f3fbaab6e319514521d848fa8041594cf7845567c372a615b375b61337d1f9
Opcode Fuzzy Hash: 19b87cc975bff58c45e25d1e3b7f9c253c4923006470daf55156239e116bf6c7
Instruction Fuzzy Hash: 37728071A1020ADFCB15CFA8C984EAEBBF2FF48304F158565E8059B2A9D735ED85CB50

Function 022D3580 Relevance: 2.9, Strings: 2, Instructions: 415COMMON

Download Yara Rule

Strings

Xaq, xrefs: 022D35AF
$]q, xrefs: 022D3596

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 3e810da2afe0a490acfde405e9b12fbb62deee821cd781012cc1a15e318c7c48
Instruction ID: 6ddef155749fbcf29560cd8ca858e533e621b090f7e4da9b3272b8e3e606d26c
Opcode Fuzzy Hash: 3e810da2afe0a490acfde405e9b12fbb62deee821cd781012cc1a15e318c7c48
Instruction Fuzzy Hash: 8CF15874F142488FCB48DFB8D9946AEBBF2BF88710B548569D406EB358DF349842CB51

Function 022DB328 Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DB758
PH]q, xrefs: 022DB747

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d35bfcf263e0636aaa67857c2f244f2a14d3b5606e641cc3a215b2f988cee08f
Instruction ID: b5ca09ca4d1bbad9ed117e92299f65a170fdc6104a9e608c8a56025d4ca83076
Opcode Fuzzy Hash: d35bfcf263e0636aaa67857c2f244f2a14d3b5606e641cc3a215b2f988cee08f
Instruction Fuzzy Hash: B3E12B75E10259CFDB14CFA9C8A4A9DBBB2FF49314F168069E819AB366D730E841CF50

Function 022DBEB0 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DC107
PH]q, xrefs: 022DC118

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: a5447248728866887d8289fed939abec402354444941c03f69e68604b3e1154f
Instruction ID: bb9d85207c311fff510b21eea2d81868d8a670b64d235b3140638cb1444923cb
Opcode Fuzzy Hash: a5447248728866887d8289fed939abec402354444941c03f69e68604b3e1154f
Instruction Fuzzy Hash: E791D674E10218CFDB18DFA9D984A9DFBF2BF89305F14806AE419AB369DB309945CF10

Function 022DBBD2 Relevance: 2.7, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DBE27
PH]q, xrefs: 022DBE38

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 2cfc74c489f04152c8f15595d27c47d60c349490a0277df4d0207a4fd24351cf
Instruction ID: 9ad307d1ab0bb41fa2e6fd2b70f985759e37afe73e895d676ee727c55c6f11ac
Opcode Fuzzy Hash: 2cfc74c489f04152c8f15595d27c47d60c349490a0277df4d0207a4fd24351cf
Instruction Fuzzy Hash: C091E574E10218CFDB18DFA9D894A9DBBF2FF89304F118469E419AB369DB309941CF10

Function 022DC190 Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DC3E7
PH]q, xrefs: 022DC3F8

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 890f185262b813fc90c229d3393b30661e90124b1e38737b1109b4c3d04b2d2d
Instruction ID: a7a3269dacf31a96ec49995ac407d84533b5262bf4a25d22ecf94d1aa10d30d2
Opcode Fuzzy Hash: 890f185262b813fc90c229d3393b30661e90124b1e38737b1109b4c3d04b2d2d
Instruction Fuzzy Hash: BE91C474E10218CFDB58DFAAD984A9DBBF2BF89300F14C06AE419AB365DB709945CF10

Function 022DB4F2 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DB758
PH]q, xrefs: 022DB747

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: bdb3ef1b8755cd68a53f360a13f0c5c1cc12f6aad01fe1836f0d2b2a52b91467
Instruction ID: c6e9628697ffc684901735491d78081d4dd0ea9d720daa03786f1fc8fb94d1ac
Opcode Fuzzy Hash: bdb3ef1b8755cd68a53f360a13f0c5c1cc12f6aad01fe1836f0d2b2a52b91467
Instruction Fuzzy Hash: 0B810974E102499FDB14DFAAD994A9DBBF2FF89304F15C069E408AB365DB309942CF50

Function 022DC470 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DC6C7
PH]q, xrefs: 022DC6D8

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 824d322d94078270f8b2ef6e896f976cf372f6ef355644afb3a5b4af34ecd39f
Instruction ID: 377cee160561cc06165d294da785f351ef33b175c4a30549c139e8b712f8cfca
Opcode Fuzzy Hash: 824d322d94078270f8b2ef6e896f976cf372f6ef355644afb3a5b4af34ecd39f
Instruction Fuzzy Hash: CD81D474E10218CFDB18DFA9D984A9DBBF2BF89300F14D46AE419AB365DB309941CF50

Function 022DC751 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DC9A7
PH]q, xrefs: 022DC9B8

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: a41d9d1ceb2a5862c96f1e2d1724fe907b68f0b826dd549f7e9a101a579f9194
Instruction ID: 1c2adf2fb5695acbb23f57d56e0bb15d855efcca872c01a6f63aeb2244509bdc
Opcode Fuzzy Hash: a41d9d1ceb2a5862c96f1e2d1724fe907b68f0b826dd549f7e9a101a579f9194
Instruction Fuzzy Hash: 6F81C774E10218CFDB58DFAAD984A9DBBF2BF89300F14C46AE419AB365DB309945CF10

Function 022DCA31 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022DCC87
PH]q, xrefs: 022DCC98

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 41c3c4f8f2849c294f88f49a7a4418e52ed06c67a8b2bc09d0255f408fa0ca9e
Instruction ID: 07bb2434253bb7507b54a41efc34758d4c05524ef236277a1b4f2f04837db7cd
Opcode Fuzzy Hash: 41c3c4f8f2849c294f88f49a7a4418e52ed06c67a8b2bc09d0255f408fa0ca9e
Instruction Fuzzy Hash: 0A81B574E10218CFDB18DFA9D984A9DBBF2BF88300F14C46AE919AB365DB349945CF10

Function 022D4AD9 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 022D4D41
PH]q, xrefs: 022D4D30

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: ad9f3a26e2c5aa7c741cffc4d901fe359e1c37512559128110f62230bb252d40
Instruction ID: 57cebc207401d7c4bd78e1d0ca6522f7b7160b9a44a3c7f31c94534d6d489e94
Opcode Fuzzy Hash: ad9f3a26e2c5aa7c741cffc4d901fe359e1c37512559128110f62230bb252d40
Instruction Fuzzy Hash: 9981B574E10258CFDB58DFA9D984A9DBBF2BF89300F14C469E819AB369DB309945CF10

Function 06107F68 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH]q, xrefs: 061081A2
PH]q, xrefs: 061081B3

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: cb1387a8a82603ae131d12aad302ed324506cbd1f5ce50bd90ce15f639a060e9
Instruction ID: db6adb25e0430e47390a978c796f46ccecb9319dc56fe1d66e2ad69931064a46
Opcode Fuzzy Hash: cb1387a8a82603ae131d12aad302ed324506cbd1f5ce50bd90ce15f639a060e9
Instruction Fuzzy Hash: FA81E170E04218CFEF98DFA9D85469EBBF2BF88300F20806AD419AB394DB745945CF50

Function 061011A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32370fffa26403c93b87647401855b9ca63b40224cfa83c2e496da0ce67b456f
Instruction ID: 16ec0cdcb6b9e522d9641befcfb0d8db0d4297a60ffa45056b635fab7f57cd54
Opcode Fuzzy Hash: 32370fffa26403c93b87647401855b9ca63b40224cfa83c2e496da0ce67b456f
Instruction Fuzzy Hash: 38827C74E012299FDB64DF69C984BDDBBB2BB89300F1481EAD80DA7264DB345E85CF41

Function 022DF018 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cd3dcbccee9db086496205b9b48452f0d248d93884b0401b16a02b34a976d0
Instruction ID: 60ef49fdec7dda99aaec0705a85dcd790fa231f45603e72577de70aedead3101
Opcode Fuzzy Hash: 78cd3dcbccee9db086496205b9b48452f0d248d93884b0401b16a02b34a976d0
Instruction Fuzzy Hash: B972DD74E012298FDB64DF69C984BD9BBB2BF49304F5481E9D40DAB259DB30AE81CF40

Function 06107910 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af2b30ca1e7ddfc68c4cab7887b079c23b02396372e1b05d3a4cf6a90e7f6d6
Instruction ID: 3e487a6084cb6779ed52c493fdc41bd477077b9935fa9e75a0b73354dce1b6da
Opcode Fuzzy Hash: 2af2b30ca1e7ddfc68c4cab7887b079c23b02396372e1b05d3a4cf6a90e7f6d6
Instruction Fuzzy Hash: 7BE1D274E01218CFEB64DFA5D944B9DBBB2BF88304F2081A9D408AB394DB755E85CF51

Function 0610B7B0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b95d18d22bb60e6c553a9ab4b1ac2de1fc0a72dd76ef9dff9c5b1938900588
Instruction ID: 2bc078007c7bbefe42420e170519a9a573bb2ffbfdff2915efecd3b376dfc1f3
Opcode Fuzzy Hash: d3b95d18d22bb60e6c553a9ab4b1ac2de1fc0a72dd76ef9dff9c5b1938900588
Instruction Fuzzy Hash: 8EA1B1B4E052188FEB68CF6AC944B9DFAF2AF89300F14C4AAD40CB7254DB715A85CF51

Function 0610C448 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80bc6af7ad31eb10ba5d1b3e670e3876804356561e3650615cc1bbea12edca7
Instruction ID: c0b869e9d2ac3c068a9bf5cf6a24b1132422347c2454b648acda3322e31cba50
Opcode Fuzzy Hash: c80bc6af7ad31eb10ba5d1b3e670e3876804356561e3650615cc1bbea12edca7
Instruction Fuzzy Hash: F7A1A174E01218CFEB68CF6AC944B9DBBF2BF89300F14C1AAD409A7255DB745A85CF51

Function 0610A4C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040297a4f48294dd5391351b5b1d0a5a28aeca6d4903138466034e314e637b29
Instruction ID: 77dff8f35f9f4888211c1f38f48d7d544ad1e7fc8fcac55477e72b41f7da8aa5
Opcode Fuzzy Hash: 040297a4f48294dd5391351b5b1d0a5a28aeca6d4903138466034e314e637b29
Instruction Fuzzy Hash: 9FA1A175E01218CFEB68CF6AC944B9EFBF2AF89300F14C0AAD409A7255DB745A85CF51

Function 0610AB10 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6364a286ca160ddb4513c2283d580f8fc108771f065602e0e718471aed27cef9
Instruction ID: 661e74d85a2c60cf59112070fccd60ae2e99d880f127e0885a503b2f1b85e649
Opcode Fuzzy Hash: 6364a286ca160ddb4513c2283d580f8fc108771f065602e0e718471aed27cef9
Instruction Fuzzy Hash: FAA1A074E012288FEB68CF6AD944B9DBBF2AF89300F14C0AAD40DA7255DB745A85CF51

Function 0610B160 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc891ff4f8ecb46ab5be7ccd10c4e325854c5553a759478d80a38bbf413f2322
Instruction ID: 45ea02bc2faee3b71db4e1d14a679bf6695745f4bb2f0cd3cd1aacacd23e8400
Opcode Fuzzy Hash: fc891ff4f8ecb46ab5be7ccd10c4e325854c5553a759478d80a38bbf413f2322
Instruction Fuzzy Hash: 7FA1A074E05228CFEB68CF6AC944B9DBBF2AF89300F14C0AAD40DA7255DB715A85CF51

Function 061091E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c79d6e23dd39f7ee19874977ffbf1242badc3f438d5743c9d9a9edcc49cac23
Instruction ID: 828e3671a873cc4f3caf9c45ec21a72f38af202b5d8b8c64235728efe66f31f1
Opcode Fuzzy Hash: 7c79d6e23dd39f7ee19874977ffbf1242badc3f438d5743c9d9a9edcc49cac23
Instruction Fuzzy Hash: 0FA1B274E012188FEB68CF6AC944B9EBBF2BF89300F14D4AAD40DA7255DB705A85CF51

Function 0610BE00 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d824a862a2e7e7009449893dfe7cbb0e7642882d3d4ca8ddcffe4dd955650508
Instruction ID: 365b3514ebc60fb3b7f67310dfc00d4e0bfbbe935985f83f5812298bdc83e67f
Opcode Fuzzy Hash: d824a862a2e7e7009449893dfe7cbb0e7642882d3d4ca8ddcffe4dd955650508
Instruction Fuzzy Hash: FBA192B4E012188FEB68CF6AC944B9DFAF2AF89300F14C1AAD409B7255DB745A85CF51

Function 06109E78 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92d0b3991b1f596245a1cbd40e089743859c5ea14b04f74acb4b5bc28873bba
Instruction ID: 09f437c299d1fce2c6d229e55817f7b549d87d9bdaacf3243475d17f19fb17d7
Opcode Fuzzy Hash: f92d0b3991b1f596245a1cbd40e089743859c5ea14b04f74acb4b5bc28873bba
Instruction Fuzzy Hash: CCA19174E012288FEB68CF6AC944B9DFBF2AF89300F14C0AAD409B7255DB745A85CF51

Function 06109830 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa54298cc295922cefbf02c8e2d91690e38f0d91161a2447ca0682f201f24f8
Instruction ID: 804f1a6d3c9a3bd747578714eba525afd38c4e6d3c2265812613c9f4b549ed25
Opcode Fuzzy Hash: 0aa54298cc295922cefbf02c8e2d91690e38f0d91161a2447ca0682f201f24f8
Instruction Fuzzy Hash: 12A1B170E01228CFEB68CF6AC944B9DFBF2AF89300F14D4AAD409A7255DB745A85CF10

Function 022DF007 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ff921b78268a8ff9940c0b125a43d5007427a2f91d97ecbc08e23c7de09e34
Instruction ID: ab71c8d738924710c07333e3a57220449ff9bd81800f0189a2e166924a574bad
Opcode Fuzzy Hash: 42ff921b78268a8ff9940c0b125a43d5007427a2f91d97ecbc08e23c7de09e34
Instruction Fuzzy Hash: F871E675E01628CFDB68DF66C9847DDBBF2BF89304F1484AAD409AB254D7349A86CF40

Function 06109E67 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35156099c393c62907ee81e087745e551e3e5ba53afb38d4af9f12155496855a
Instruction ID: fae10dafc653a0030dfa193aede4e9aea8d0358cae5fcb4e3e4cf9d611e9fdcb
Opcode Fuzzy Hash: 35156099c393c62907ee81e087745e551e3e5ba53afb38d4af9f12155496855a
Instruction Fuzzy Hash: 39719270E006288FEB68CF6AC944B9DBBF2AF89300F14C1AAD40DA7255DB745A85CF51

Function 0610BDFB Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc4114c2d8ce035c478d9e1bb0c18053053bed4585b48799a77d4f691b0ebe6
Instruction ID: 0598d2c668b806512a9a513cf2b83f06b6f3e8e2578e027c7c2321efe59c39c8
Opcode Fuzzy Hash: 6cc4114c2d8ce035c478d9e1bb0c18053053bed4585b48799a77d4f691b0ebe6
Instruction Fuzzy Hash: A17194B0E00628CFEB68CF6AC94479DBAF2AF89300F14C5AAD40DA7255DB744A85CF51

Function 0610982A Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fedfdf6351c9b294a00f995d97abcb804225b47e43fe2d0aaaeb42975f85f6
Instruction ID: 71ad04094a54a18f3290f67be19260f2a98d03d517404a0b5f6404edc64a39f1
Opcode Fuzzy Hash: 58fedfdf6351c9b294a00f995d97abcb804225b47e43fe2d0aaaeb42975f85f6
Instruction Fuzzy Hash: 1E719470E006288FEB68CF6AC944B9DFBF2AF89300F14C5AAD40DA7255DB744A85CF51

Function 0610B150 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0160c567f09da8dfff4b96e0fa02bb02da4d4079d0b76fd27682069444a07ce
Instruction ID: f8055e294ead1286ce7f096b042a76999863712755a111003118551d879e078a
Opcode Fuzzy Hash: c0160c567f09da8dfff4b96e0fa02bb02da4d4079d0b76fd27682069444a07ce
Instruction Fuzzy Hash: 474178B1E016189BEB58CF6BD9457C9FBF3AFC8200F04C1AAC50CA6255EB750A868F51

Function 0610790B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b861858a97927aedc90737b6d7aa2d56ce9db5605cc394af328aed81a84a1ce6
Instruction ID: b7c00f8da89e2754f41925c872264582f0e76d66e5775fe2a521c80600d7059b
Opcode Fuzzy Hash: b861858a97927aedc90737b6d7aa2d56ce9db5605cc394af328aed81a84a1ce6
Instruction Fuzzy Hash: EC41B0B1D016088BEF18DFAAD8447DEBBF2AF88304F24C569C418BB294DB755946CF64

Function 0610B7A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f614119632ee6501e5268e7a76c7585a46a373b4297074dbd782591fea4c116
Instruction ID: 064e399aa332b2ecff759f4984f5165fbe928c864064c889c4a89835acb77a3d
Opcode Fuzzy Hash: 9f614119632ee6501e5268e7a76c7585a46a373b4297074dbd782591fea4c116
Instruction Fuzzy Hash: D94159B1D016188BEB58CF6BC9457C9FAF3AFC8210F04C1AAC50CA6264DB740A868F51

Function 0610A4B2 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fab794ad3dfe5ee9a17b1ff12754485a9a97c4d1620d720d3807fbd9ffc694
Instruction ID: 2cd50cea740f4d6a7571825d8a3e4f7d5b7a66ed2ed4593719b1b0119c3acfe9
Opcode Fuzzy Hash: e3fab794ad3dfe5ee9a17b1ff12754485a9a97c4d1620d720d3807fbd9ffc694
Instruction Fuzzy Hash: 2C415AB1D016188BEB58CF6BDD457C9FAF3AFC8310F14C1AAC50CA6265DB740A868F51

Function 0610AB02 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4dfb74b2ed1a4e1265daacfd0ffd87cd48da60bdc128c2a64f009a819e1d62
Instruction ID: 1e65005821c1516552f1433f540009a4e0cbd31b9a0e4868f49895281c4ee7a3
Opcode Fuzzy Hash: ad4dfb74b2ed1a4e1265daacfd0ffd87cd48da60bdc128c2a64f009a819e1d62
Instruction Fuzzy Hash: A0417BB1D016188BEB58CF6BD9457CDFAF3AFC8314F14C1AAC50CA6265DB740A868F51

Function 0610C438 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448e74eb97ee7841b79d3ab0bac1eb862de53f35d97929c9049d0a44ec6c88bf
Instruction ID: 4152b4cc6a565cc8851a854dce164b7b4781f698fd648e2757b962a60e4871e9
Opcode Fuzzy Hash: 448e74eb97ee7841b79d3ab0bac1eb862de53f35d97929c9049d0a44ec6c88bf
Instruction Fuzzy Hash: AB417B71D016188BEB58CF6BCD447C9FAF3AFC8310F04C1AAC50CA6264DB740A868F51

Function 061091D6 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c744161815162a5c18b889a3e36f9ee346961e9e1e2c541dfd8fd6892cfab1
Instruction ID: 1a6ae67bfa9a7f0c0aa24fe74576c51c6e5a34153a76c4c2b0f0c5ca7f2fe3ee
Opcode Fuzzy Hash: 87c744161815162a5c18b889a3e36f9ee346961e9e1e2c541dfd8fd6892cfab1
Instruction Fuzzy Hash: 5A416CB1D016188BEB58CF6BD9457CEFAF3AFC8310F04C1AAC51CA6265DB740A858F51

Function 022D6E68 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(o]q, xrefs: 022D6F7D
(o]q, xrefs: 022D6E96
(o]q, xrefs: 022D701A
(o]q, xrefs: 022D7377
(o]q, xrefs: 022D7367
(o]q, xrefs: 022D6F51
,aq, xrefs: 022D7308
,aq, xrefs: 022D72F8

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 41ff85eed562a36574fc18251acc9626ed2c74cb26057bdcbe8c9bdcb5ab13bf
Instruction ID: 63dffe4bc02c757eb1d1dcb3fff886edd254ab1bd51739bf57d2129751c82755
Opcode Fuzzy Hash: 41ff85eed562a36574fc18251acc9626ed2c74cb26057bdcbe8c9bdcb5ab13bf
Instruction Fuzzy Hash: 3E126E30A106498FCB14CFA9D984EAEBBF6FF48314F148569E815DB2A9D734ED41CB50

Function 022D21E8 Relevance: 8.1, Strings: 6, Instructions: 625COMMON

Download Yara Rule

Strings

Xaq, xrefs: 022D22C7
Xaq, xrefs: 022D3435
Xaq, xrefs: 022D220E
Xaq, xrefs: 022D345E
Xaq, xrefs: 022D2248
Xaq, xrefs: 022D2314

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 1c9605cbcd8c4d522c98b75c4c145b3e2138177a33272950e3618447e8c4ecb3
Instruction ID: 9da4caecfef0ab7c0b9ca2f45dd3f2281a1698591308e3236630aa78eee50885
Opcode Fuzzy Hash: 1c9605cbcd8c4d522c98b75c4c145b3e2138177a33272950e3618447e8c4ecb3
Instruction Fuzzy Hash: AA32E7F3D843820BC7864EBC4BDF7A53F61EB25125B99479C8484F3A8EE919C9078752

Function 022D6E58 Relevance: 5.3, Strings: 4, Instructions: 275COMMON

Download Yara Rule

Strings

(o]q, xrefs: 022D6F7D
(o]q, xrefs: 022D6E96
(o]q, xrefs: 022D701A
(o]q, xrefs: 022D6F51

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q
API String ID: 0-1261621458
Opcode ID: 1ca5b1f53f80a7e05d9f8e3758aa1a64b6115961d35499087b0d671411d49b92
Instruction ID: bb645f6d5fd0be4267d5bfee6e157a466ad3ab44c5548e306d8241a1e9b00559
Opcode Fuzzy Hash: 1ca5b1f53f80a7e05d9f8e3758aa1a64b6115961d35499087b0d671411d49b92
Instruction Fuzzy Hash: 00C16830A1064A9FCB14CFA9D984EAEFBF6FF48304F148559E815AB2A9D735E841CB50

Function 022D87F8 Relevance: 4.2, Strings: 3, Instructions: 500COMMON

Download Yara Rule

Strings

;]q, xrefs: 022D8C2C
4']q, xrefs: 022D8811
4']q, xrefs: 022D8837

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 7fc25e0362a13f869ea7bec5da081fa36607209012c45ed6364941fd74d78c5c
Instruction ID: e4ac715ab298ede6fc2e6423a1e15f47d9485fd03b1f8d514d4a4d33b3ec0604
Opcode Fuzzy Hash: 7fc25e0362a13f869ea7bec5da081fa36607209012c45ed6364941fd74d78c5c
Instruction Fuzzy Hash: 13F190703741028FDB299BB9C958B393796EF85604F1444AAE506CF3A9EBA9CC43C753

Function 022D77F0 Relevance: 3.2, Strings: 2, Instructions: 707COMMON

Download Yara Rule

Strings

$]q, xrefs: 022D8314
$]q, xrefs: 022D8337

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: c85f21b4c850e4120e54b38c5a1b2d95ddbd9c6c557da1ed0ce5a0137dc0ed96
Instruction ID: c74b4dcba5d5035dbbe04bc1dcbffd893633047287f7b5fd5c41f600b050ffaf
Opcode Fuzzy Hash: c85f21b4c850e4120e54b38c5a1b2d95ddbd9c6c557da1ed0ce5a0137dc0ed96
Instruction Fuzzy Hash: 36524374A40268CFEB55DBA4C950B9EBBB7EF84300F1080A9C51A7B3A5CB349D45DF92

Function 022D56A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Haq, xrefs: 022D57C6
Haq, xrefs: 022D5793

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 7bb75f064ef79d250a142754ee87f484d1ea0be6459efc247a1a9eb247a913c5
Instruction ID: 6c2153acb953dda765099a759c9e98e61c77076c05a23fbe5a27fd2c103a74e6
Opcode Fuzzy Hash: 7bb75f064ef79d250a142754ee87f484d1ea0be6459efc247a1a9eb247a913c5
Instruction Fuzzy Hash: 17B1D0317142128FDB259FB8C894B7A7BA2EF88314F548469E406CB399DFB9CC51CB91

Function 022D5C08 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,aq, xrefs: 022D5CE8
,aq, xrefs: 022D5CDE

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: cf025c043eccfb074843483e82f5df18900c135cad0f1127735741abd03e455a
Instruction ID: 3908ede5ea6f4e3d2091af271deb5587e883463ef8d37ab76f455c646d489439
Opcode Fuzzy Hash: cf025c043eccfb074843483e82f5df18900c135cad0f1127735741abd03e455a
Instruction Fuzzy Hash: B4819030B201068FDB14DFF9C888A6AB7B2FF89205B948569D405DB368D7B1EC51CF61

Function 06108818 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

(&]q, xrefs: 06108933
(aq, xrefs: 061089F2

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: 54b7b43aac30ea1d4b3856c20337eda4c439529ba3bcf43a68977c1a5cad2b8e
Instruction ID: 969cd3edbcadff35eddcc03042dde957c702e491bb6567983a2a2cb9a2e836f2
Opcode Fuzzy Hash: 54b7b43aac30ea1d4b3856c20337eda4c439529ba3bcf43a68977c1a5cad2b8e
Instruction Fuzzy Hash: C571BE31F042199FDF45EFA9C8506AEBBB2AFC8700F148569D416A7380DF74AD02CB92

Function 022D0C8F Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

LR]q, xrefs: 022D0E5E

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 4211c3cbe912b503f17a6ac87a28f2dda05f2495b16b08ca937ada2f9be78bfd
Instruction ID: 1a5ddab8481b6686ab7099574dda3c80b29785f3a68d68a540f57d7e342e3385
Opcode Fuzzy Hash: 4211c3cbe912b503f17a6ac87a28f2dda05f2495b16b08ca937ada2f9be78bfd
Instruction Fuzzy Hash: 3122A674A00219DFCB54EF74EA98A9DBBB2FF48304F1086A5D409AB368DB745E85CF40

Function 022D0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR]q, xrefs: 022D0E5E

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 1c099a4effd32e1eed7c9095fc196a271d99368a083d144ebda4c72629be150f
Instruction ID: c2775bc3a4bcc53d1f8008e532e30334f942cffdfcb9f3b89a92d8e4572a353d
Opcode Fuzzy Hash: 1c099a4effd32e1eed7c9095fc196a271d99368a083d144ebda4c72629be150f
Instruction Fuzzy Hash: 70229774A00219DFCB54EF64EA98A9DBBF2FF48305F1086A5D409AB368DB745E85CF40

Function 022DA660 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(o]q, xrefs: 022DA7D9

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: d40ad7d9656d6520098ad405503866fded171c6454ada10dfe55cb3e14f2dacb
Instruction ID: 1225e0ac83148f8288b6e82e003902ef39ff13711ddc8224e8418fd36fd6cd14
Opcode Fuzzy Hash: d40ad7d9656d6520098ad405503866fded171c6454ada10dfe55cb3e14f2dacb
Instruction Fuzzy Hash: 0041DD35B142048FCB189FA8D954AAE7BF6EF88610F244469E906DB395CF399C02CB90

Function 022D77E0 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3935db766824b2c2df44557fd50dbb1fa46d4b2a5a7ccbe337760f48cbb96438
Instruction ID: afb604976896993a317fd7ba82b0d64d6b4759b91124a7e64bac6b14558cd3d9
Opcode Fuzzy Hash: 3935db766824b2c2df44557fd50dbb1fa46d4b2a5a7ccbe337760f48cbb96438
Instruction Fuzzy Hash: AA421C74A40268CFEB55DBA4C960B9EBBB7EF84300F1080A9C50A7B3A5CB355E45DF91

Function 022DA818 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23197e3a7ad094a6c91c3e008d1855eabf659496fd32743bbab355d0a28019f
Instruction ID: 128d054881f9c3cb1d9e96512bd5e15b18a36ad2fa94d42f43b0c0262f8fc791
Opcode Fuzzy Hash: b23197e3a7ad094a6c91c3e008d1855eabf659496fd32743bbab355d0a28019f
Instruction Fuzzy Hash: 6CF13E75A102158FCB14CFADD984E9DBBF6FF88314B1A8069E415AB3A5C735EC42CB50

Function 022D7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e323278834983d0cdadf160105045efb094be51ff58e2dd2a4fbe2f60617711
Instruction ID: 36256bf31643057407f6576ce6bc9041df7687a46ce1a1b214af77fe74b44808
Opcode Fuzzy Hash: 0e323278834983d0cdadf160105045efb094be51ff58e2dd2a4fbe2f60617711
Instruction Fuzzy Hash: D4712E347102168FCB15DFA8C494A6DBBF5EF49204F1900A9E855CB3B5DB79EC41CB91

Function 022DCEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd357c84dd5e7d1c38363ac5f98a62cbc03b77ea8aaac3a6db13e477c5628b18
Instruction ID: 9258201c04bbe8f2a28107dcc9e9416bdf9906fa2ea29b606c7d6ba50af823c4
Opcode Fuzzy Hash: bd357c84dd5e7d1c38363ac5f98a62cbc03b77ea8aaac3a6db13e477c5628b18
Instruction Fuzzy Hash: 5851D230469603DFD6602F61E6AC56F7FA1FF1F32B7506E20E11E850458B3A5999CB50

Function 0610119B Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c823cc9977d2052553d5c988128d333c1e684e5f98480932f82d9d7db1e8baf
Instruction ID: 8f3584687aec93917e4d7cae47718a16d98f68479f01fea11dfe5131e098b23b
Opcode Fuzzy Hash: 3c823cc9977d2052553d5c988128d333c1e684e5f98480932f82d9d7db1e8baf
Instruction Fuzzy Hash: 0281A074E412299FEB64DF65DD80BDDBBB2BB89300F1081EAD848A7294DB315E81CF41

Function 022DCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2133640d7d8462f4e1777a9793375aaeca0f040c9c20d28f9d9a08a506b3732c
Instruction ID: 94cc0d489531f631dadd7c3d4105e5ab4d66ea3cafd0934e2f909101ae5ad0ff
Opcode Fuzzy Hash: 2133640d7d8462f4e1777a9793375aaeca0f040c9c20d28f9d9a08a506b3732c
Instruction Fuzzy Hash: 2851D230469703DFD6603F61E6AC52FBFA6FB0F32B7906E20E11E850458B3A5994CB60

Function 022DE2E8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8473e2e9d50288bff5a359f728b25ac94ec01104ae3c4749dcd409ab70fd5a6
Instruction ID: 97ebffb2fdc5298e91160de2e940a1f8e776359ff7ae346f5a4724a9d2177592
Opcode Fuzzy Hash: d8473e2e9d50288bff5a359f728b25ac94ec01104ae3c4749dcd409ab70fd5a6
Instruction Fuzzy Hash: F7511374E01318CFDB14DFA5D9446AEBBB2FF48304F208529D809AB259DB355945CF41

Function 022D38F9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3471bcb2c8e5c5f4df13ed589fdde3e651ff49e4cb82816bfb7a57d5fec5ebd6
Instruction ID: 5a6bed052975bd23868b9dd4b38e9adac1e7f794453931669e610f46cf852e0b
Opcode Fuzzy Hash: 3471bcb2c8e5c5f4df13ed589fdde3e651ff49e4cb82816bfb7a57d5fec5ebd6
Instruction Fuzzy Hash: 6E517374E11208CFCB48DFB9D59499DBBF2FF89304B209469E409AB368DB75A946CF40

Function 022DCD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2378184d8d24238d3126264567954bcd05915cd3887f33e12481ac738fda61a4
Instruction ID: 5ccc5a547669d36dd54fa5237588ad0b21c01a3ac3ebc8df95bbc119f0a1e7bc
Opcode Fuzzy Hash: 2378184d8d24238d3126264567954bcd05915cd3887f33e12481ac738fda61a4
Instruction Fuzzy Hash: CD518274E01208DFDB48DFA9D5849DDBBF2BF89310F208169E419AB365DB31A801CF10

Function 0610CA98 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fc88ef0db309e0067a5fa02e697931aa1a80368ef9b10675c17a9f87c256c2
Instruction ID: 8b26743fbd5a1a16fc1548f1987effd4695d62fb232242c46920aeb574cb7f8f
Opcode Fuzzy Hash: 72fc88ef0db309e0067a5fa02e697931aa1a80368ef9b10675c17a9f87c256c2
Instruction Fuzzy Hash: CE415A31941319DFDB04AFA0D56C7EE7BF2EB4931AF504829D1066A2D0CBB81A84CF91

Function 022D3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d619847886a63529ee2e982acdd4d19db64281fd066dbb3ca9175a673bf493b7
Instruction ID: 1d15b0f994135432681e14f3de14b54a52cdf1d5cf5df0018da0dd3622bae962
Opcode Fuzzy Hash: d619847886a63529ee2e982acdd4d19db64281fd066dbb3ca9175a673bf493b7
Instruction Fuzzy Hash: 3E518274E11208CFCB48DFB9D59499DBBF2BF89304B209469E809AB364DB75A941CF40

Function 022D9A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497ff2a4fa0d9c2f1481f95a8cf00d4c3a2a2466b3ef273a19832b66487e90b7
Instruction ID: b5ed469028a651dfeeb3a837aa93905efe119a18368d1bd214c1d7176039b007
Opcode Fuzzy Hash: 497ff2a4fa0d9c2f1481f95a8cf00d4c3a2a2466b3ef273a19832b66487e90b7
Instruction Fuzzy Hash: 4141DD31A14249DFCF11CFE8C844A9EBFB2EF49314F048556F801AB299D339E995CB90

Function 06108808 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc314e5a716aec65faa2cad805ed477ace102e65df84ad8224074f8dc91760b8
Instruction ID: cc293959d870ca0fe862b7b346e5f87bad41ab421c8b7602d44b08661d237501
Opcode Fuzzy Hash: dc314e5a716aec65faa2cad805ed477ace102e65df84ad8224074f8dc91760b8
Instruction Fuzzy Hash: 0F411131E002199BEF54DFA5C890BDEFBF5EF88710F248529E415B7280EB70A946CB91

Function 022DE134 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047382cae825917668238e5461cdf5c782769a2dbb2252aaeb3a6f0bfdaff128
Instruction ID: ef66f6361aefbb9a0c20527e1b4cb1acb5b0d0030e441c09c9aad1b1927d9aa7
Opcode Fuzzy Hash: 047382cae825917668238e5461cdf5c782769a2dbb2252aaeb3a6f0bfdaff128
Instruction Fuzzy Hash: CD414670E25208CBCB14DFE8D4846EDBBB2FF49305FA29029D815BB259CB75A842CF50

Function 022DD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23ada11607075ab0f44dbe6bdc33a99698316b6667f74dfdeab66ad26f2a2d7
Instruction ID: 2733eec5b0813bbd904424b35037767299aeaf45da7050844554208ae23ef39f
Opcode Fuzzy Hash: b23ada11607075ab0f44dbe6bdc33a99698316b6667f74dfdeab66ad26f2a2d7
Instruction Fuzzy Hash: 96418976E65A08CFDB10CFE8D4846ECBBB2FF49305FA09169E409A7248D7759842CF54

Function 022DE0D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ff1c6bb73b185066c011fb8aa377f63ae400785aa3800abe4dc3419966013d
Instruction ID: 7de30bca13571834eb3079a188772aaa22150f10877c4177746464a7dfad6150
Opcode Fuzzy Hash: a6ff1c6bb73b185066c011fb8aa377f63ae400785aa3800abe4dc3419966013d
Instruction Fuzzy Hash: 52413670E25208CFCB04DFE8D4846EDBBB2BF49305FA29529E814BB259C7759881CF50

Function 022DD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39c93e6e678d4c9f75456c23306b74ce00577149ae9787e36d97b022dc1a104
Instruction ID: e270906ff96eb88485c0f78aa413257a9b146b291c38954ec2b2735e7595fe84
Opcode Fuzzy Hash: d39c93e6e678d4c9f75456c23306b74ce00577149ae9787e36d97b022dc1a104
Instruction Fuzzy Hash: 5D415375E61A08CFDB10CFE8E4846EDBBB2FB49305F60A169E409A7288C7759842CF54

Function 022DD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a5fb99c96b015a05c8725332262a131da37a26da159da8fc9750a9b4442605
Instruction ID: ce46844518e2b2fafdb1ea7021d8a6cbac5813a75a553761e067518c60296996
Opcode Fuzzy Hash: d5a5fb99c96b015a05c8725332262a131da37a26da159da8fc9750a9b4442605
Instruction Fuzzy Hash: A6412171E116088BDB04DFE9D444AEEBBB2AB89305F54D129D804BB298DB75A841CF94

Function 022DDF88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710ef5642dca164f7b0b5ec3e15ab70e6e6f1b5f94e273913406d819d7ec26cd
Instruction ID: 48241b489f7b034d812802e2ee1fe33826b59120199b51de2264eeb9b42d7544
Opcode Fuzzy Hash: 710ef5642dca164f7b0b5ec3e15ab70e6e6f1b5f94e273913406d819d7ec26cd
Instruction Fuzzy Hash: 1D314771E112088BCB08EFE9C4446EEBBF2BF89305FA5D129D814BB258DB719841CF54

Function 022D4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef1324a8db4be43d77f03eafac85169b3ec3573a285dfca4cff54a4e1d4a2a9
Instruction ID: 0f55f694b06dd31cf0e25336e7ed387bb8a52ca596d63ded6ca74ed00b77844c
Opcode Fuzzy Hash: 3ef1324a8db4be43d77f03eafac85169b3ec3573a285dfca4cff54a4e1d4a2a9
Instruction Fuzzy Hash: 0231823170425AEFDB15AFA4D554AAF3FA3EB88304F004464F9159B258CB39EC61DFA1

Function 022D76D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3832fc162c7ab969c35f67d7c691f1474220da5331cbeaab26816fa5fdf0db
Instruction ID: 3463bf348f06db560a5c9f40a58f3cd7553b750971c56db68bb1048c97f683d7
Opcode Fuzzy Hash: cc3832fc162c7ab969c35f67d7c691f1474220da5331cbeaab26816fa5fdf0db
Instruction Fuzzy Hash: 6F21C1343282128FFB251A698D94ABDB797AFC8608B144879D506CB799EF2DCC43D781

Function 022DA809 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89efbef0c9aea248c273125e29fb2522689c7f42b02728be797ef42f47457426
Instruction ID: 8c4f7d807bbae62afe7aae80bbf807356f8e7a5bdd5dcd4d07ff723dc32fdc88
Opcode Fuzzy Hash: 89efbef0c9aea248c273125e29fb2522689c7f42b02728be797ef42f47457426
Instruction Fuzzy Hash: D931A170A5050A8FCB14CFA9C8889EEBBB2FF88754B158159E415DB3A9CB34DD06CB90

Function 0610CA93 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf7ed9aba1e64ae586f64812fdb01d0171bbc4106b31150902974ee57d5adfa
Instruction ID: d53fad7b3b7726f907e978398f0d3a7a2d26ce76cf6d9dbf55a0a1a446e23497
Opcode Fuzzy Hash: aaf7ed9aba1e64ae586f64812fdb01d0171bbc4106b31150902974ee57d5adfa
Instruction Fuzzy Hash: C9318E31D41219DFEB10AFA0D46C7EE7BF1EB4931AF408859D1066A2D0CBB90A95CF91

Function 022D76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79e09135a46978365402350a39f96bdf38a7b2354b953c30d9135be13fb6ecf
Instruction ID: a84c1c46773e08849fbccd0d8d018ab17516524dd25664c5558d8a582f94f705
Opcode Fuzzy Hash: b79e09135a46978365402350a39f96bdf38a7b2354b953c30d9135be13fb6ecf
Instruction Fuzzy Hash: 8421D0343242028BFB241A69C994BBEB68BAFC4718F144879D506CB79CEF6DCC42D381

Function 022DE2D8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cc540b3749d401e05d02507b4297491c5d91409f010be03801a3428e50690e
Instruction ID: 49e14d6357781e6510147f94a83a245e359bb1fecc71f9aac6f040f25d589400
Opcode Fuzzy Hash: 45cc540b3749d401e05d02507b4297491c5d91409f010be03801a3428e50690e
Instruction Fuzzy Hash: 3431F270D12319DFEB14DFA1D4486EEBBB2AF49304F508429D815BB284DB78668ACF51

Function 022D2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51adddf12a4684d2a58a369144dd8d62079c9cbe6da474ce78f9b64967a86f82
Instruction ID: 4e5842d73eeb7c7aed488d3da6dd8c5146f574fc37f2157fc383e6ced2b8bce8
Opcode Fuzzy Hash: 51adddf12a4684d2a58a369144dd8d62079c9cbe6da474ce78f9b64967a86f82
Instruction Fuzzy Hash: AC21F131A10106DFCF14DFB4C850AAE37A5EB98264B60C519DC0A9B388DB35EA46CBD2

Function 021ED006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484248100.00000000021ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 021ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21ed000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e820b128a4389cc5cca9afca06ee81e37a450a232a3b3a98c6887a32998b66
Instruction ID: 13e401be8bcdaa7752845ac73eed94c5668368c6732da2c99ec71e34baa7ab7d
Opcode Fuzzy Hash: e2e820b128a4389cc5cca9afca06ee81e37a450a232a3b3a98c6887a32998b66
Instruction Fuzzy Hash: 8B312F7554E7C08FDB038B20D9A4755BF71AB47214F1985DBD8898F2A3C32A984ACB62

Function 022D5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581bc49687f1c767617c49aa505bb356c386ba207e325d742a9e9f0f77d6fabc
Instruction ID: 523df66d243c383f7b95fa78caa8958a9141942bb9ed0b4f12f78d7a0bee3cef
Opcode Fuzzy Hash: 581bc49687f1c767617c49aa505bb356c386ba207e325d742a9e9f0f77d6fabc
Instruction Fuzzy Hash: E421F0317146228FD3259AA5C49892FB7A2EBC8764B448178E806DB358CF78EC02CBD0

Function 021ED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484248100.00000000021ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 021ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21ed000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8eafeb6ec3d3b450a5c060d49b91f7d6ef123e82e7d0af805d0683ecbc20fc
Instruction ID: e3ac61e3a63bdb72e730fe16fd681064e6cfb15f1adb3c74a254430fd5851185
Opcode Fuzzy Hash: 3b8eafeb6ec3d3b450a5c060d49b91f7d6ef123e82e7d0af805d0683ecbc20fc
Instruction Fuzzy Hash: D92125715446049FDF14CF24EDC0B26BBA9FB88314F28C5A9E84A0B252C73AD446CA62

Function 022DA650 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2eaa12b73f4f805d13350d215b435e413b755454e5374334c3e5b523dbc761
Instruction ID: 6bac6b8734b1448ae264064f8c53781a053258452769f2b9863d0d23a0c24ce7
Opcode Fuzzy Hash: bb2eaa12b73f4f805d13350d215b435e413b755454e5374334c3e5b523dbc761
Instruction Fuzzy Hash: 3C2172757102099FDB148F65DD98AEEBBB6FB8C611F108039E911A7390CB75EC16CB90

Function 022D215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fbba403757139f27c62153b26bbb22eea7471255c762603ff987bad15498e3
Instruction ID: 52e82802ff91f29ef9b85002ce0a78086e62d12d6817c77bc5f678fc6121eef1
Opcode Fuzzy Hash: a6fbba403757139f27c62153b26bbb22eea7471255c762603ff987bad15498e3
Instruction Fuzzy Hash: ED112632E1825D9BCF02DBF8AC105DEFB71FF89210F248756DA25B7191EA31690AC791

Function 022D4DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4676b56ea9f61acc74f53388eb5b0d7e4b741930834740f222e8edb2ec773cd8
Instruction ID: 2ca1849bf0b050df3a096ab94061cb89757783c826739dbb4bd68037770bdfc2
Opcode Fuzzy Hash: 4676b56ea9f61acc74f53388eb5b0d7e4b741930834740f222e8edb2ec773cd8
Instruction Fuzzy Hash: 9921F631744255DFDB11AFA4D54476B3BA2EB84314F104079F8059B299CB38EC56CBE1

Function 061089FA Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ecf815912797474b739f5dfb3f2c1e11d5d116aa316276c41d22f0cc6f9691
Instruction ID: 9bfd0e5539a3e97ad4d6a50167f9b4db6d20eb9f6bd3286a2365c5a7b55ce6d3
Opcode Fuzzy Hash: 92ecf815912797474b739f5dfb3f2c1e11d5d116aa316276c41d22f0cc6f9691
Instruction Fuzzy Hash: 4011E6317082945FDB466F7858241AE3FA3EFC5214B0144ADD515D73D2DE388D06C7A2

Function 022DD60F Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5516f4ea35e0dc646d334d29779fafcb6043db6ba6366e3d4e4b702cfb17f3d
Instruction ID: ece6f179751f8503b539244f3bd38c59dee4e477972edfc06a6270f2e8e1bbfa
Opcode Fuzzy Hash: a5516f4ea35e0dc646d334d29779fafcb6043db6ba6366e3d4e4b702cfb17f3d
Instruction Fuzzy Hash: 2F117CB1E505098FDB09CFAAD8446EEBBB2EBC8300F04C035D404BB299DB34894BCE94

Function 022D5A60 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12127ba90529dc40f70c313133f5a29542dc6eb6f489d4708d23073ee3883b6d
Instruction ID: 632eef456676a15af8a87cb752dff58a8cedfd5c5b4c2e00d01366f0c6ffc7d9
Opcode Fuzzy Hash: 12127ba90529dc40f70c313133f5a29542dc6eb6f489d4708d23073ee3883b6d
Instruction Fuzzy Hash: D4112731315A228FD3269A65C89452EBBA6EFC526470541B9E806DB355CF78DC07C7C0

Function 022DE1F8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a350d17355f6f6748662ac981d5dbef0869cf8977657649d539e1b08adecd4a6
Instruction ID: 0d0a0de8e6812ec2d7dbb6cf926648ffca7fe1b92668d6fda5b7de3803a01a09
Opcode Fuzzy Hash: a350d17355f6f6748662ac981d5dbef0869cf8977657649d539e1b08adecd4a6
Instruction Fuzzy Hash: 41214170E4010ACFDB45EFB9DA44A9EBFF1EB45304F0085A9C014AB265D7709A49CB81

Function 022D9B48 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abca61f5209500a477d0c51527a14025c922ce2f885171393b1eeb60cafa9141
Instruction ID: 9b7da36b65b7f65e76551e3cc3f66ce3f373d638c6d09ddaaaa6564fdfdec9ed
Opcode Fuzzy Hash: abca61f5209500a477d0c51527a14025c922ce2f885171393b1eeb60cafa9141
Instruction Fuzzy Hash: 1511D332600205DFDB10CFA9C844B9ABBE3EF89318F058A55E4189B299D371E890CBA5

Function 0610CE98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef5dc397cabe1573e93654205c15d7f952a8cc2a66536b7131e2b40cc1d3114
Instruction ID: 85adfe712f660da335fe31bbda66cac0bf6235ddbff49f00a8fbfd0eb4609c2e
Opcode Fuzzy Hash: 7ef5dc397cabe1573e93654205c15d7f952a8cc2a66536b7131e2b40cc1d3114
Instruction Fuzzy Hash: 110126313082449FD7151A7A58585ABBFAEEFCA220B044A77E506C72D6CE798C0683B2

Function 06108658 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132b8708249cea616f66ac7c32af8e96a474d3ff8157c379f0a16f13fc8400f7
Instruction ID: 745dc51d61664224fed0bc03836bb8eb843d6e55fc27565a27a23fff9f82b654
Opcode Fuzzy Hash: 132b8708249cea616f66ac7c32af8e96a474d3ff8157c379f0a16f13fc8400f7
Instruction Fuzzy Hash: FC1144B28042499FDF10DF99C944BEEBBF5EB48320F108419E918A7250C379A950CFA0

Function 0610CEA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eda0baddb665f09be1113bf08663af7cec1011fbcfdfced07b9dc4475f06172
Instruction ID: 65b51b26a62186a12ca6c3dfb9ab296629f24326105829ea877ef3fe6bce2068
Opcode Fuzzy Hash: 6eda0baddb665f09be1113bf08663af7cec1011fbcfdfced07b9dc4475f06172
Instruction Fuzzy Hash: FF01D8307082549FE7185A7A58185BBBEDFEFCA250B148976E906C33D6CE798C0586B1

Function 022D1F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc17c15192a7fccefb93828f96f51b3b8a3d1cf63dc39d02623b337655fc313
Instruction ID: 14cb744ac9b1f6de647d50ba95fbaf5629575baba6b7e1958cfc97e84b6beade
Opcode Fuzzy Hash: 6cc17c15192a7fccefb93828f96f51b3b8a3d1cf63dc39d02623b337655fc313
Instruction Fuzzy Hash: 1F212474C1460A8FCB10EFA8D5444EEBFF1FF49314F10426AD845BB264EB355A45CB91

Function 022D1F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41f7283522f0e932485a8045521dad21d8ab0bc4475ad9d843e4a288cc37d16
Instruction ID: 8e874f81e6b19a00d8fca20cf298d172b8536bb7509adbfd7ed3b2881111bfd5
Opcode Fuzzy Hash: a41f7283522f0e932485a8045521dad21d8ab0bc4475ad9d843e4a288cc37d16
Instruction Fuzzy Hash: D821E3B4C1420A8FCB00EFA8D9954EDBFF0FB09300F10426AD805B7255EB355A59CBA1

Function 06108CA0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3725df7b641cadae7446ddc9c608c10c1b2c8474033aa93b136238535b368d79
Instruction ID: 6dd02b3d499c1c12a330c8f60641981f1d228685eeb90c51acf0fdbead37c33e
Opcode Fuzzy Hash: 3725df7b641cadae7446ddc9c608c10c1b2c8474033aa93b136238535b368d79
Instruction Fuzzy Hash: F81156B68002499FDF10DF99D944BDEBFF5EF48320F108519E528A7290C3799550DFA1

Function 061081C9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada1eaabdb3621fca13bd75c0b75411da073afb0a31410016d0070647663850a
Instruction ID: 952422c6b65f357b0b72d05524c921fc0442c9ee0ab20696e5c9f246c39ac343
Opcode Fuzzy Hash: ada1eaabdb3621fca13bd75c0b75411da073afb0a31410016d0070647663850a
Instruction Fuzzy Hash: 24111834E041488FEF40DFF8D850BEEBBB1AF48321F419461E808A7385E77099428B51

Function 022DE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cef56c6f77bf65ca92da29856adf299b57300b69b51046473bc18f50d637fa5
Instruction ID: 3321fb3018038561cb360e36c27f1d72b4abbb1f5ca81b9c8f87dc67d30e5228
Opcode Fuzzy Hash: 0cef56c6f77bf65ca92da29856adf299b57300b69b51046473bc18f50d637fa5
Instruction Fuzzy Hash: 53113D70E0010ADFDB45EFB9DA45B9EBFF6FB44304F4089A5C014AB269EB749A45CB81

Function 022D5618 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5879babfbc16a1266a41d1a7caebd703932f8fa3e68962210cc7983dbf91d3a7
Instruction ID: 32bc4e836b5aeaa2c7abdf486b567cfdea805f9b326ec91503464eef7adc1284
Opcode Fuzzy Hash: 5879babfbc16a1266a41d1a7caebd703932f8fa3e68962210cc7983dbf91d3a7
Instruction Fuzzy Hash: CF012672B001156F9B019E949800AAF3BDBDBC8750B548039F505D7248CEB1DC218BE0

Function 06102680 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cab8efcc7b77d46876011e4cf2d34c5f76e13189807cfe52250f45811fe093
Instruction ID: 87ba66e74c24bbde1ff0afb1dc1f74c113b9aaa093578c7baa5fae668fbc8845
Opcode Fuzzy Hash: 83cab8efcc7b77d46876011e4cf2d34c5f76e13189807cfe52250f45811fe093
Instruction Fuzzy Hash: 2901BC75B00210CFCBA0EF78D50895A3BF4EF48210B0100B9E80ADB310EB36DD00CB91

Function 022D5607 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761173d1baf990f97561083af679ba8c26cc39997282b47b52ec1abb890fec67
Instruction ID: 569defd155628bf9409eaf495cc36e4ec3dbe0ab180879b5b40866dc246b28b8
Opcode Fuzzy Hash: 761173d1baf990f97561083af679ba8c26cc39997282b47b52ec1abb890fec67
Instruction Fuzzy Hash: AA01D672A04115AFDB11CE959800BEF7FA6DBC8351F14807AF914C7154C676C8118B90

Function 061025E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05233aa620de75eb4c49f56359e07c8821186b04f4369a884ce4355d0f8fd7d3
Instruction ID: e9858dbb04cb33ff39bf2f69f90401e2e1209e75b2ab4c136282903ef7ae828e
Opcode Fuzzy Hash: 05233aa620de75eb4c49f56359e07c8821186b04f4369a884ce4355d0f8fd7d3
Instruction Fuzzy Hash: 2301E870E002199FDF58EFB9C9046EEBBF5BF48200F10856AD819E7250E7785902CF90

Function 061025E3 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3f3094d45e10105ff3abf7219668108ad1f078e26981a21c50a50fb3140282
Instruction ID: 9c5b6d0ab709f0210adaea17ee504ccc3fbd27db5d11460006613157bc20b0f0
Opcode Fuzzy Hash: cb3f3094d45e10105ff3abf7219668108ad1f078e26981a21c50a50fb3140282
Instruction Fuzzy Hash: 7F01EC71E00215CFDF54EFB9890459EB7B1AF48200F10856AD419F7250E7745901CF90

Function 022DD449 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314713f000869f22eb15aa48206d1b3c08b690074e433f1d71f92e41f9808307
Instruction ID: 10b633d70dbb69d5cf857e60f0f55128bcd750b0e7a450a8abf83e8d35702157
Opcode Fuzzy Hash: 314713f000869f22eb15aa48206d1b3c08b690074e433f1d71f92e41f9808307
Instruction Fuzzy Hash: CBF0E531E9401B9FDB07EAA8AC195FE7771DB85300F406439C400EB186CBA1E62BDA80

Function 022DDF08 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f7247e4f816a3941e07eb5f07f0e66532045dfc2890258e150bbeaace295bd
Instruction ID: c51d4a0197828dfb558dd88a1f0d1e727d092bcb528663c46d122e90c3b4dc44
Opcode Fuzzy Hash: 89f7247e4f816a3941e07eb5f07f0e66532045dfc2890258e150bbeaace295bd
Instruction Fuzzy Hash: 69F0E531EA401A9FDB02AEACAC196FEB771E785300F405838D400EB0D2CB61D62FD984

Function 06108A68 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7eae82340c83d6a6bbd689dd720c9f84c2ae0000c3f98c1e214bb74cce6fc8b
Instruction ID: 5f636f995c2c7783539b68c30e1a015001e9376613bb83f7c5fffe759b76e733
Opcode Fuzzy Hash: d7eae82340c83d6a6bbd689dd720c9f84c2ae0000c3f98c1e214bb74cce6fc8b
Instruction Fuzzy Hash: 66F082367002587F9F05AE98AC149AF7BABEFC8264B00442DFA19D7350DF329C1197A5

Function 022DDEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89381948066e56221af0d8f14604c0bb70a9ff775b6c96ce92f9132336e2ce3c
Instruction ID: 167b0596ffdc83c6fc4a1320757d09e0141bbb7bbed89db71b0b6fed5ca0204e
Opcode Fuzzy Hash: 89381948066e56221af0d8f14604c0bb70a9ff775b6c96ce92f9132336e2ce3c
Instruction Fuzzy Hash: 17F03A75A21525CFCB94EFBCC44465E7BF4AF08210B2144A9D409DB360EB70D901CBD0

Function 022DD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5333cf3e7e521163cbe564014b3e0b304f2d8c829e92437d1da163b6ebbe2cbc
Instruction ID: 87a5afe6e5b9e6e4eeba6cc02571bf1e108f349691e6ced6df3509f4092d1d13
Opcode Fuzzy Hash: 5333cf3e7e521163cbe564014b3e0b304f2d8c829e92437d1da163b6ebbe2cbc
Instruction Fuzzy Hash: 63E06FB3C29540DBE3248BE668120BABF70CCE330A78460C3C0888B029D218F212DB00

Function 022D2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a1604718a3f9e5785ff0dc656e79d23772a59aefc9ba3266ed030e34328874
Instruction ID: 74fa290152b423df7f8313e14526a821ebda2cd7540e5ce27c72bc2fbdb230bc
Opcode Fuzzy Hash: e2a1604718a3f9e5785ff0dc656e79d23772a59aefc9ba3266ed030e34328874
Instruction Fuzzy Hash: ECE0D836D642A79ACB12DB649C444DEB730ED9222470181BAE4246B042EB74254FC7A2

Function 0610267B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e75b6c7ed037da6c8cab8c7e105eef6861f64a754fa080a442d418e421857f
Instruction ID: 594b33bd7ed8378e9bea409656e3bcaba62b2355939d7c711cf1f8ab9fa112b9
Opcode Fuzzy Hash: 69e75b6c7ed037da6c8cab8c7e105eef6861f64a754fa080a442d418e421857f
Instruction Fuzzy Hash: FEE04F70E00215CF9B90EFB995042DE7BF4EE44211B00443AD51DE6240E7318601CBD1

Function 022D2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594830fb208fe851713f74867a13357f435ff5ee1c159c8b152142d2c646f12f
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 594830fb208fe851713f74867a13357f435ff5ee1c159c8b152142d2c646f12f
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 022D8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 5fb4e910134fb619ab784e1cfc055fea6889eb80797f84b8a25ccb87948bac50
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0AC0123321C1282AA624108E7C45BA3AB8CC2C12B4A250177F91CA7200A8829C8241AA

Function 022DA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9251ee861fd21e981fca79d1ba41f2a4ffd57ecd074c81f55cc1a444f571651a
Instruction ID: a56aa8a8ad2eada0b9d2648273c7a7e0e08e820fa8e83571a9446b77cd88260d
Opcode Fuzzy Hash: 9251ee861fd21e981fca79d1ba41f2a4ffd57ecd074c81f55cc1a444f571651a
Instruction Fuzzy Hash: 39D0677BB410589FCB149F98E8408DDBBB6FB9C221B048126E915A3261C6359921DB50

Function 022D5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e1cd03fa3438832ea30b1750626adf2308b22e6bdf818f5c0ff9a2265d9b3c
Instruction ID: e39acb0116f036e5767e314ef2cb504df252295430ea50192cb972d1e6d39ae6
Opcode Fuzzy Hash: d5e1cd03fa3438832ea30b1750626adf2308b22e6bdf818f5c0ff9a2265d9b3c
Instruction Fuzzy Hash: A0D02B3024C3830FC31AF734FB504083F2AAAC0208F50C1B5E4050E55AEB7D4C0A8792

Function 022D5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e211b84d7cb034f56f172351f495040361d1198be710e01c9e5ca15ff09fdc42
Instruction ID: 777ce672a161daf9662802099528a033feb1926def08e45480ef0f74c6ad8fa5
Opcode Fuzzy Hash: e211b84d7cb034f56f172351f495040361d1198be710e01c9e5ca15ff09fdc42
Instruction Fuzzy Hash: C8C0123024430A4FC549FB75FB459153B5EEAC0308F508574A00A0A16DEF7C6C488A92

Non-executed Functions

Function 022DE528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 022DE643

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 0c6ae3ff74e8d87bfd78620d83f6b01773d13d5288a82718a35eddf38441d1c4
Instruction ID: 653d882dfd6d69e3a9301103956ff18240ff82335bc30760449a198d88a695b0
Opcode Fuzzy Hash: 0c6ae3ff74e8d87bfd78620d83f6b01773d13d5288a82718a35eddf38441d1c4
Instruction Fuzzy Hash: BE52AA74E01229CFDB64DFA9C980B9DBBB2BF89300F1085E9D409AB254DB359E85CF50

Function 022DE517 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

.5uq, xrefs: 022DE643

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 3da147b9b6eb80e445b5a36c2dce72c553e7042aad79ddbd4cf46218cc72c901
Instruction ID: 8c2c5501640043555ba04ebb3df398c2eb3f9cf59752b350bafc64ed2facf07d
Opcode Fuzzy Hash: 3da147b9b6eb80e445b5a36c2dce72c553e7042aad79ddbd4cf46218cc72c901
Instruction Fuzzy Hash: 5A61D574E4021ACFDB68DF66D940BADBBB6BF88300F10C4A9D8086B769DB305985DF50

Function 06103600 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a779923711bcd21a5fc1a8d8129cbb7d54486e08b89dd298ba5846b74e16ee4
Instruction ID: ce8c47b1f7c8964aeff801128277b443eabbc62757e49b88380f098c8912339f
Opcode Fuzzy Hash: 9a779923711bcd21a5fc1a8d8129cbb7d54486e08b89dd298ba5846b74e16ee4
Instruction Fuzzy Hash: C9827A74E012298FEB64DF69CD94BD9BBB2AF88300F1481E9D40DA7264DB359E85CF41

Function 06102900 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241555e79cca2d7bfc42e8541639bda207bf09aaa4fafa1ab090cd8f41a99f4d
Instruction ID: 523eb720f47483b63b087314e93ed0b6ea72925744dfebeeed6bbf411b1ce844
Opcode Fuzzy Hash: 241555e79cca2d7bfc42e8541639bda207bf09aaa4fafa1ab090cd8f41a99f4d
Instruction Fuzzy Hash: E9727C74E012298FEB65DF69CD84BD9BBB2BF89300F1481E9944CA7264DB359E81CF41

Function 061067B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff93ba92910a6ebf9f92cb5dc9d2e60fa22587ce2c661d24e874adc67d41331
Instruction ID: 164643088d4e23c53aa70d370ae695a81a34eb1c99c468ea981500d67ca6feac
Opcode Fuzzy Hash: 6ff93ba92910a6ebf9f92cb5dc9d2e60fa22587ce2c661d24e874adc67d41331
Instruction Fuzzy Hash: 80C1C174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D409AB3A5DB359E85CF50

Function 061047E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813bd96f02de7301bd561467ad86653cc518ce04a0a7220c6b845df8351effd7
Instruction ID: 9ab13c5fc7a08c9d67ea1f1d77910d64165cec371bb28babc3acdad3718b5f72
Opcode Fuzzy Hash: 813bd96f02de7301bd561467ad86653cc518ce04a0a7220c6b845df8351effd7
Instruction Fuzzy Hash: 60C1B074E00218CFEB54DFA5D984B9DBBF2AF88304F2084A9D409AB3A5DB359D85CF51

Function 06106C08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afb4688ecb16bd4623b0b1a991fb2520bb1df3037b23625b63f478002d77bee
Instruction ID: 0b23228aa3904fadd4565196a71ff6324306ddc62b978d900d84d7b8c3d2cb4a
Opcode Fuzzy Hash: 4afb4688ecb16bd4623b0b1a991fb2520bb1df3037b23625b63f478002d77bee
Instruction Fuzzy Hash: 15C1B174E01218CFEB54DFA5D954B9DBBB2BF88304F2080A9D409AB395DB359D85CF50

Function 06104C40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b56fc870110a4ba981624aaeca0ab55909cf96c9e056fae0b8477c74b72e12c
Instruction ID: 5cb16ab068c1b24bdc2b3381f24f7faae31e2fef4b16309ae3e784ee4bf782c1
Opcode Fuzzy Hash: 3b56fc870110a4ba981624aaeca0ab55909cf96c9e056fae0b8477c74b72e12c
Instruction Fuzzy Hash: D5C1A074E01218CFEB54DFA5D994B9DBBB2BF88304F2080A9D409AB399DB359D85CF50

Function 06100498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8a3503681784d3891e44d0636e42fb7b34d37ba92ba9cee2fc27ede0613ebc
Instruction ID: 1df7b5c0f77fc10679afc592d5ca505e1f7cd89fd7cf3548a0cd3965f6695878
Opcode Fuzzy Hash: 1a8a3503681784d3891e44d0636e42fb7b34d37ba92ba9cee2fc27ede0613ebc
Instruction Fuzzy Hash: 04C1B174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D409AB395DB359E85CF51

Function 061074B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0baf6182a3873b55e4f1d4ef7f7b672e236f51f0620e527bc5e8263c201ac72
Instruction ID: c2eb7e8f19d15406a3bf34cb2219ae976108778d6cfdbc43f7a65bf5597a7832
Opcode Fuzzy Hash: d0baf6182a3873b55e4f1d4ef7f7b672e236f51f0620e527bc5e8263c201ac72
Instruction Fuzzy Hash: 75C1C174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D409AB395DB35AE85CF50

Function 061054F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfff543d6bc791e323712b144631d5007893ec0eab361972184e886764ebbe8
Instruction ID: 1a7714a75ec3876539f38e085b9f4f1cdd04ff19d7c64e0fe38df5c23bfc30d4
Opcode Fuzzy Hash: 0cfff543d6bc791e323712b144631d5007893ec0eab361972184e886764ebbe8
Instruction Fuzzy Hash: 93C1B174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D809AB395DB359E85CF51

Function 06100D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde49dcb3143bcaf3e87e3d59f58618882f974104baeb0440da7b73bffd8a795
Instruction ID: 10ea59c3d9a17341a19048e176b26bd306436d04d55e674023579dac7389e36a
Opcode Fuzzy Hash: dde49dcb3143bcaf3e87e3d59f58618882f974104baeb0440da7b73bffd8a795
Instruction Fuzzy Hash: B8C1B074E00218CFEB54DFA5D944B9DBBB2BF88304F1084A9D409AB395DB359E85CF51

Function 06105DA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9588ef4c0b90feffb624637b1d09c30c739475600c02891d96797f0214a293ba
Instruction ID: a04e76789b1e68c89a1ec28c10d9c4f68486e09c4f908fd811043f427c339977
Opcode Fuzzy Hash: 9588ef4c0b90feffb624637b1d09c30c739475600c02891d96797f0214a293ba
Instruction Fuzzy Hash: 3FC1B174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D809AB395DB359E85CF51

Function 06106220 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ac37a2a6751dcc279d72efcec0e5b734a2554fdbe05fe954ca9867944692bb
Instruction ID: 401d5ab3f3188547a21d5d7a7d94ab408c4b1fd1992d871172c86c65e1ead82a
Opcode Fuzzy Hash: 78ac37a2a6751dcc279d72efcec0e5b734a2554fdbe05fe954ca9867944692bb
Instruction Fuzzy Hash: CEC1B074E00218CFEB54DFA5D954B9DBBB2BF88304F2080A9D809AB395DB359E85CF50

Function 06104368 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e097b2c7cac82c988df6e5c3accd82b508c639952424a39d9308f15dd68d81
Instruction ID: b9fe82f3ed0d74bae7dd61f36d4ada5f7b4ff3ff499c6fed08362481e098c529
Opcode Fuzzy Hash: 38e097b2c7cac82c988df6e5c3accd82b508c639952424a39d9308f15dd68d81
Instruction Fuzzy Hash: 10C1B074E00218CFEB54DFA5D984B9DBBF2AF89304F2080A9D409AB395DB359E85CF51

Function 06100040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771ee448ca23aa72fe530145520bdba2b3de17074484ddeea647ffa4bb8e81ec
Instruction ID: 6306bf157ade11fc5cedf828d4441d2ab21bac23b0474545f6001162661e8d46
Opcode Fuzzy Hash: 771ee448ca23aa72fe530145520bdba2b3de17074484ddeea647ffa4bb8e81ec
Instruction Fuzzy Hash: B9C1A174E01218CFEB54DFA5D944B9DBBB2BF88304F2080A9D409AB399DB359E85CF51

Function 06107060 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f550f872e754bc8919365dd55cec0c2a60263c57cad6d4a773c6876188faa984
Instruction ID: 37807866aa9162b2809c934cf6b3706ea74105f06e7c6ec7fca82a4b49c33be5
Opcode Fuzzy Hash: f550f872e754bc8919365dd55cec0c2a60263c57cad6d4a773c6876188faa984
Instruction Fuzzy Hash: B4C1C274E00218CFEB54DFA5D944B9DBBB2BF88304F2080A9D809AB395DB35AD85CF50

Function 06105098 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa2a39e006cfdb0893784c1d82032e9c6134836b0ecac766a03c5a678809860
Instruction ID: bd5bd618d26630483ef7860250a050e0adf46dc46e767efccea666bc343d9f5f
Opcode Fuzzy Hash: dfa2a39e006cfdb0893784c1d82032e9c6134836b0ecac766a03c5a678809860
Instruction Fuzzy Hash: 7EC1B074E01218CFEB54DFA5D984B9DBBB2BF88304F2080A9D409AB395DB359E85CF51

Function 061008F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621377465f862fbc9faa9cadb7604bf5fb8b6cf8e1e510e3bd6da2275fadce9e
Instruction ID: edcd68613b8e79f130c47f4c172b854b98c761d81c0561320af6fd1fd2901576
Opcode Fuzzy Hash: 621377465f862fbc9faa9cadb7604bf5fb8b6cf8e1e510e3bd6da2275fadce9e
Instruction Fuzzy Hash: B0C1B174E00218CFEB54DFA5D944B9DBBB2BF88304F2081A9D809AB395DB359E85CF51

Function 06105948 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e28bc95aee1f908412c8957d1fabe3e7f0944796ca5ae82cc78734b772553ae
Instruction ID: 86b4f2bb9a9336b8eda8499aa1dc10d36b32687bded4ef447fec8bb08ce886d4
Opcode Fuzzy Hash: 6e28bc95aee1f908412c8957d1fabe3e7f0944796ca5ae82cc78734b772553ae
Instruction Fuzzy Hash: DCC1B174E00218CFEB54DFA5D984B9DBBB2BF88304F2084A9D409AB395DB359E85CF51

Function 0610435C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210a76f463b308f0e1492f955d17ed3efce95e904cb4e948f8613a513e956885
Instruction ID: 535acaeeb219e572036de81bb482182fc3b099b2abb46ce1c4e7bbd78c2ab28c
Opcode Fuzzy Hash: 210a76f463b308f0e1492f955d17ed3efce95e904cb4e948f8613a513e956885
Instruction Fuzzy Hash: E8410575E01209CBEF58DFAAD9846DEBBF2AF89300F20D12AC418BB254DB745946CF41

Function 06105938 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4038de24ce1e27612b6cb957778ade1e295826a054354f4956e8b810cad6dbf6
Instruction ID: af04ff0093cb75e6992f9f6d1336736a1ead66320b7e9c4e5bc8c9b4241a8d76
Opcode Fuzzy Hash: 4038de24ce1e27612b6cb957778ade1e295826a054354f4956e8b810cad6dbf6
Instruction Fuzzy Hash: 4D41E471E01208CBEF18DFA6D94469EBBF3AF88304F24C02AC419BB254DB745946CF51

Function 06104C37 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e4d166b88f89e2e386d4e8660e736031890b320f7e6d45a8139ca0071ddc1f
Instruction ID: da6ec288b0ef3441db040b076bbd2d69752e588fa48477c53c7965962e51aa0a
Opcode Fuzzy Hash: 34e4d166b88f89e2e386d4e8660e736031890b320f7e6d45a8139ca0071ddc1f
Instruction Fuzzy Hash: 9641F571E01208DBEF18DFE6D9446DEBBF2AF89304F24D52AC418AB254DB745946CF41

Function 0610508F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c9d0af9ed7f40f3335c4f401309f0e2d20cb625925cfc2e1763e90b024b6b0
Instruction ID: 871fef6f52b4db3afafe2ab94c47823aac78c3a9ea44c3c07f57b2261e9197b8
Opcode Fuzzy Hash: 08c9d0af9ed7f40f3335c4f401309f0e2d20cb625925cfc2e1763e90b024b6b0
Instruction Fuzzy Hash: 2141F571E01208CBEF58DFA6D9446DEBBF2AF89304F24D42AC419AB258EB745946CF41

Function 061067A0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed483828f318269f74a2fdf5c426b38dc225c259dbd90a6fae376ca1c9bf8cb
Instruction ID: 972a133c2227dfceec21c9735badb514dfab29c48442cc7a9be242160b67cf57
Opcode Fuzzy Hash: 9ed483828f318269f74a2fdf5c426b38dc225c259dbd90a6fae376ca1c9bf8cb
Instruction Fuzzy Hash: 7E41D671E01208CBEF58DFAAD9446DEBBF2AF88300F24D12AC415BB254DB755946CF81

Function 06105D91 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8914a28f93431d6328e1262771e71ed6ee18b68d71e045b674bd61376dc4a5
Instruction ID: 2b1440bb22179ec8a1a7ff478fd846863635c3b2144f06a8106981982348d270
Opcode Fuzzy Hash: 3d8914a28f93431d6328e1262771e71ed6ee18b68d71e045b674bd61376dc4a5
Instruction Fuzzy Hash: AB41D270E01249CBEF58DFAAD9446DEBBF3AF88304F24C12AC418AB259DB745946CF50

Function 06106210 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3ef5658ebd8b1ac26e8cc7b95a5353b70f229fe5ab1e02ace70fbb60370b09
Instruction ID: f3709e7dd0f26edaae39b8f5d4ad6e2a4045284d54a68620a9713b3b48e00d39
Opcode Fuzzy Hash: dd3ef5658ebd8b1ac26e8cc7b95a5353b70f229fe5ab1e02ace70fbb60370b09
Instruction Fuzzy Hash: D441E470E01248CBEF58DFAAD9446DEBBF2AF88300F24D02AC414BB254DB345945CF81

Function 061054E1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0f2a096f71c3c29b37dd8c4019a5c5a048cafdd506b398cf485c2f14fd234d
Instruction ID: 4e8d303fe2380ffb24f3d157b1eff1a5c159e450d406915677b437597f2befa4
Opcode Fuzzy Hash: fe0f2a096f71c3c29b37dd8c4019a5c5a048cafdd506b398cf485c2f14fd234d
Instruction Fuzzy Hash: 2241D5B0D01248CBEF58DFAAD94469EBBF3AF88304F24D12AC414AB294DB755946CF45

Function 06100493 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681c02c44ca0538999295127689ee05da65cf37de0cd07268fa28348c1f9c5d5
Instruction ID: 3e704433abf9670809eecdffe88dc5a37a65f3c4a09c487390053284ea376c91
Opcode Fuzzy Hash: 681c02c44ca0538999295127689ee05da65cf37de0cd07268fa28348c1f9c5d5
Instruction Fuzzy Hash: EB41C270E01208CBEF58DFAAD9446DEBBF2AF88304F24C12AC418BB254DB745946CF41

Function 06100D40 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2d3b2ce9379776f5da8917245dda525649bde6ab0b405b312bb35ac3e1c3de
Instruction ID: 0c23de91d962bde7c887f29c7d2a9992801d9d3da345e050b9e286d38e2505ec
Opcode Fuzzy Hash: 1a2d3b2ce9379776f5da8917245dda525649bde6ab0b405b312bb35ac3e1c3de
Instruction Fuzzy Hash: 3041C370E01248DBEF58DFEAD94469EBBF2AF88304F24C129C418BB294DB755946CF51

Function 061008EB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb37fbf21ec40c0847425e0d78564d2775618ac4067e7330017faed7e172c74
Instruction ID: 53db51686ea1781635093e4c0369d83bca400622c99c19bc92dd1fc8541dd7ee
Opcode Fuzzy Hash: 5bb37fbf21ec40c0847425e0d78564d2775618ac4067e7330017faed7e172c74
Instruction Fuzzy Hash: 9941C070E01248DBEF18DFAAD9447DEBBF2AF88304F24C12AC418AB294DB745946CF51

Function 0610003D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357bd4d553f8f1d6c6b6fee922d8e39ebdffe12702d691b13b5a5645e947e6af
Instruction ID: 5ea4807679453e937e3d44f760befb457a820d9141da72eb48ead1760da23172
Opcode Fuzzy Hash: 357bd4d553f8f1d6c6b6fee922d8e39ebdffe12702d691b13b5a5645e947e6af
Instruction Fuzzy Hash: FC41E270E01208DBEF18DFAAD9446DEBBF2AF88304F24C12AC418BB258DB745946CF41

Function 06107054 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73b82edf97d86b91df0e165705f58ba47ad025c2b9a5f8d27fc0d69bb2adcaf
Instruction ID: 8bc3e8cf30415adb8bc951ee79c7f9d30ba7dff590d255ab8332dd4aca7986d6
Opcode Fuzzy Hash: d73b82edf97d86b91df0e165705f58ba47ad025c2b9a5f8d27fc0d69bb2adcaf
Instruction Fuzzy Hash: 9B41F570E01248DBEF58DFAAD84469EFBF2AF88300F24C129C418BB299DB745945CF40

Function 061047E3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa855cbdfa649f97518ef29bb2b0bad8488872c6ec99990b84ad8b3c27e1493a
Instruction ID: b6ff20292749c8d5bed100d621c85982181faf896ea85491fab539f86f232e46
Opcode Fuzzy Hash: fa855cbdfa649f97518ef29bb2b0bad8488872c6ec99990b84ad8b3c27e1493a
Instruction Fuzzy Hash: C141C270E01248CBEF58DFAAD9946DEBBF2AF88304F24C52AC419BB254DB745946CF41

Function 06106C03 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7196e32ea40e1c6921c2e601ddc505a9b5c02e278e278befc6632946c049e857
Instruction ID: 4b529b1b6591d1eb7c85fa96d0024db9a40c7ed445de789f1316208450d9c75e
Opcode Fuzzy Hash: 7196e32ea40e1c6921c2e601ddc505a9b5c02e278e278befc6632946c049e857
Instruction Fuzzy Hash: 0541E570E01249CBEF58DFAAD9546DEBBF2AF88300F24C12AC418BB294DB755946CF40

Function 061074B3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c62016d28d87dd4c51bece7c0213fdce83df715b5b1b77350d5321fea55bda
Instruction ID: 9886588cce1bbacb4b5c3e73cc63d2500d5a0efb24ffc6990bd106d1b6492bfc
Opcode Fuzzy Hash: a7c62016d28d87dd4c51bece7c0213fdce83df715b5b1b77350d5321fea55bda
Instruction Fuzzy Hash: 0941C270E01248CBEF58DFAAD9446DEBBF2AF88304F24C12AC419BB294DB745946CF51

Function 06107F58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd9162ab77bd3e37bbadb8e33d909bb2e5daef71fca96fe29bd6baf9a79b89b
Instruction ID: 2712f4bcd84b87eee38e4f7e8c5d9ba6a60befe50b90386e1825ccd2e119716e
Opcode Fuzzy Hash: 2dd9162ab77bd3e37bbadb8e33d909bb2e5daef71fca96fe29bd6baf9a79b89b
Instruction Fuzzy Hash: A431A5B1E016188BEB58DFAAD9447DDBBF2BF88300F14C12AC418AB294DB745946CF51

Function 0610CF60 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0610D04B
Xaq, xrefs: 0610D093
Xaq, xrefs: 0610CF91
Xaq, xrefs: 0610CFC5

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 71843285ef782fa6c6bfe6f2b3cf1063545a4fde3e1d48e9d6da9125cc05e6f4
Instruction ID: 1555e40c3bd0f23cb4fe1a3676b3f8350efa06f923b0b97d7b277546f52f743f
Opcode Fuzzy Hash: 71843285ef782fa6c6bfe6f2b3cf1063545a4fde3e1d48e9d6da9125cc05e6f4
Instruction Fuzzy Hash: 44514B30E4425A4BFF755AA8D8407BEBBA6AF81300F1505B6C45AA32C9E7708D81DFD1

Function 0610CF50 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0610D04B
Xaq, xrefs: 0610D093
Xaq, xrefs: 0610CF91
Xaq, xrefs: 0610CFC5

Memory Dump Source

Source File: 00000000.00000002.4489902176.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6100000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 5f25decc1f758c14e946fb483d1327114acaf3774d87a0a06e4e4f921a0d518e
Instruction ID: 68ed6cbe54e037649310532cf1f66abac4263be337fe59298e8ab5f2c3fb6fd3
Opcode Fuzzy Hash: 5f25decc1f758c14e946fb483d1327114acaf3774d87a0a06e4e4f921a0d518e
Instruction Fuzzy Hash: 3831A731E4421B87FFB99AA8995077FB6A5AF84300F1141B9C819E76C8EBB0CD419FD1

Function 022D21E2 Relevance: 5.1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

Xaq, xrefs: 022D22C7
Xaq, xrefs: 022D220E
Xaq, xrefs: 022D2248
Xaq, xrefs: 022D2314

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 915ac7ea340c63beb49ed14b51168d5849aaa37c02b81b8702703c8721f034d6
Instruction ID: 1853963f05db072b78bcc521f23227f11bcaab6355cb609c219575d12d3b1080
Opcode Fuzzy Hash: 915ac7ea340c63beb49ed14b51168d5849aaa37c02b81b8702703c8721f034d6
Instruction Fuzzy Hash: 4D316330D1021ACBDF658EE88A4476FB6B6BF48300F144269D815A725ADB70CA85CB92

Function 022D6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 022D609E
\;]q, xrefs: 022D60BA
\;]q, xrefs: 022D6094
\;]q, xrefs: 022D60C6

Memory Dump Source

Source File: 00000000.00000002.4484992042.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22d0000_wZ6VEnOkie.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 2edf548c5f1879221e53672cbaf11da02f3f909d9025697d25c8c2df76abcd94
Instruction ID: 1b9721fc8e34e3e5f6df83d8c6a765a6191d7647ad566af58b5641ed787df6fa
Opcode Fuzzy Hash: 2edf548c5f1879221e53672cbaf11da02f3f909d9025697d25c8c2df76abcd94
Instruction Fuzzy Hash: 8801D4317300158FCB248EACE480A3577EEBF88662355417AE501CB3B8DBB2DC41C740

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wZ6VEnOkie.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
wZ6VEnOkie.exe