Edit tour

Windows Analysis Report
ZpYFG94D4C.exe

Overview

General Information

Sample name:	ZpYFG94D4C.exe renamed because original name is a hash value
Original sample name:	da2fcae0d75bf3aba109c8d4010ae5db5add095496db883c257deaf78e9bfd0e.exe
Analysis ID:	1589044
MD5:	68ea88ab97c52f5c4ce75ce445f9aead
SHA1:	02735913dab48e3702ac3b3fd0072ae2e7cb5c63
SHA256:	da2fcae0d75bf3aba109c8d4010ae5db5add095496db883c257deaf78e9bfd0e
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

ZpYFG94D4C.exe (PID: 1776 cmdline: "C:\Users\user\Desktop\ZpYFG94D4C.exe" MD5: 68EA88AB97C52F5C4CE75CE445F9AEAD)

powershell.exe (PID: 1476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4288 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 1220 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143a0:$a1: get_encryptedPassword 0x14684:$a2: get_encryptedUsername 0x141ac:$a3: get_timePasswordChanged 0x142a7:$a4: get_passwordField 0x143b6:$a5: set_encryptedPassword 0x15a0d:$a7: get_logins 0x15970:$a10: KeyLoggerEventArgs 0x155db:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1939c:$x1: $%SMTPDV$ 0x17d80:$x2: $#TheHashHere%& 0x19344:$x3: %FTPDV$ 0x17d20:$x4: $%TelegramDv$ 0x155db:$x5: KeyLoggerEventArgs 0x15970:$x5: KeyLoggerEventArgs 0x19368:$m2: Clipboard Logs ID 0x195a6:$m2: Screenshot Logs ID 0x196b6:$m2: keystroke Logs ID 0x19990:$m3: SnakePW 0x1957e:$m4: \SnakeKeylogger\
00000005.00000002.4533694105.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d100:$a1: get_encryptedPassword 0xba158:$a1: get_encryptedPassword 0xda378:$a1: get_encryptedPassword 0x2d3e4:$a2: get_encryptedUsername 0xba43c:$a2: get_encryptedUsername 0xda65c:$a2: get_encryptedUsername 0x2cf0c:$a3: get_timePasswordChanged 0xb9f64:$a3: get_timePasswordChanged 0xda184:$a3: get_timePasswordChanged 0x2d007:$a4: get_passwordField 0xba05f:$a4: get_passwordField 0xda27f:$a4: get_passwordField 0x2d116:$a5: set_encryptedPassword 0xba16e:$a5: set_encryptedPassword 0xda38e:$a5: set_encryptedPassword 0x2e76d:$a7: get_logins 0xbb7c5:$a7: get_logins 0xdb9e5:$a7: get_logins 0x2e6d0:$a10: KeyLoggerEventArgs 0xbb728:$a10: KeyLoggerEventArgs 0xdb948:$a10: KeyLoggerEventArgs
00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x320fc:$x1: $%SMTPDV$ 0xbf154:$x1: $%SMTPDV$ 0xdf374:$x1: $%SMTPDV$ 0x30ae0:$x2: $#TheHashHere%& 0xbdb38:$x2: $#TheHashHere%& 0xddd58:$x2: $#TheHashHere%& 0x320a4:$x3: %FTPDV$ 0xbf0fc:$x3: %FTPDV$ 0xdf31c:$x3: %FTPDV$ 0x30a80:$x4: $%TelegramDv$ 0xbdad8:$x4: $%TelegramDv$ 0xddcf8:$x4: $%TelegramDv$ 0x2e33b:$x5: KeyLoggerEventArgs 0x2e6d0:$x5: KeyLoggerEventArgs 0xbb393:$x5: KeyLoggerEventArgs 0xbb728:$x5: KeyLoggerEventArgs 0xdb5b3:$x5: KeyLoggerEventArgs 0xdb948:$x5: KeyLoggerEventArgs 0x320c8:$m2: Clipboard Logs ID 0x32306:$m2: Screenshot Logs ID 0x32416:$m2: keystroke Logs ID
Process Memory Space: ZpYFG94D4C.exe PID: 1776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZpYFG94D4C.exe PID: 1776	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: ZpYFG94D4C.exe PID: 1776	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6711e:$a1: get_encryptedPassword 0x673f8:$a2: get_encryptedUsername 0x66f34:$a3: get_timePasswordChanged 0x6702f:$a4: get_passwordField 0x67134:$a5: set_encryptedPassword 0x695e2:$a7: get_logins 0x69545:$a10: KeyLoggerEventArgs 0x691b0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ZpYFG94D4C.exe PID: 1776	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x691b0:$x5: KeyLoggerEventArgs 0x69545:$x5: KeyLoggerEventArgs 0x69e4c:$x5: KeyLoggerEventArgs 0x6a1ad:$x5: KeyLoggerEventArgs 0x6b770:$m2: Clipboard Logs ID 0x6b876:$m2: Screenshot Logs ID 0x6b8cc:$m2: keystroke Logs ID 0x6ba01:$m3: SnakePW 0x6b862:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1220	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1220	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37e2c:$a1: get_encryptedPassword 0x38106:$a2: get_encryptedUsername 0x37c42:$a3: get_timePasswordChanged 0x37d3d:$a4: get_passwordField 0x37e42:$a5: set_encryptedPassword 0x3a2f0:$a7: get_logins 0x3a253:$a10: KeyLoggerEventArgs 0x39ebe:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 1220	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39ebe:$x5: KeyLoggerEventArgs 0x3a253:$x5: KeyLoggerEventArgs 0x3ab5a:$x5: KeyLoggerEventArgs 0x3aebb:$x5: KeyLoggerEventArgs 0x3c47e:$m2: Clipboard Logs ID 0x3c584:$m2: Screenshot Logs ID 0x3c5da:$m2: keystroke Logs ID 0x3c70f:$m3: SnakePW 0x3c570:$m4: \SnakeKeylogger\
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZpYFG94D4C.exe.34debb8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ZpYFG94D4C.exe.34debb8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127a0:$a1: get_encryptedPassword 0x12a84:$a2: get_encryptedUsername 0x125ac:$a3: get_timePasswordChanged 0x126a7:$a4: get_passwordField 0x127b6:$a5: set_encryptedPassword 0x13e0d:$a7: get_logins 0x13d70:$a10: KeyLoggerEventArgs 0x139db:$a11: KeyLoggerEventArgsEventHandler
0.2.ZpYFG94D4C.exe.34debb8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a162:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19394:$a3: \Google\Chrome\User Data\Default\Login Data 0x197c7:$a4: \Orbitum\User Data\Default\Login Data 0x1a806:$a5: \Kometa\User Data\Default\Login Data
0.2.ZpYFG94D4C.exe.34debb8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1336d:$s1: UnHook 0x13374:$s2: SetHook 0x1337c:$s3: CallNextHook 0x13389:$s4: _hook
0.2.ZpYFG94D4C.exe.34debb8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1779c:$x1: $%SMTPDV$ 0x16180:$x2: $#TheHashHere%& 0x17744:$x3: %FTPDV$ 0x16120:$x4: $%TelegramDv$ 0x139db:$x5: KeyLoggerEventArgs 0x13d70:$x5: KeyLoggerEventArgs 0x17768:$m2: Clipboard Logs ID 0x179a6:$m2: Screenshot Logs ID 0x17ab6:$m2: keystroke Logs ID 0x17d90:$m3: SnakePW 0x1797e:$m4: \SnakeKeylogger\
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
5.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data
5.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
5.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
0.2.ZpYFG94D4C.exe.34fedd8.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ZpYFG94D4C.exe.34fedd8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127a0:$a1: get_encryptedPassword 0x12a84:$a2: get_encryptedUsername 0x125ac:$a3: get_timePasswordChanged 0x126a7:$a4: get_passwordField 0x127b6:$a5: set_encryptedPassword 0x13e0d:$a7: get_logins 0x13d70:$a10: KeyLoggerEventArgs 0x139db:$a11: KeyLoggerEventArgsEventHandler
0.2.ZpYFG94D4C.exe.34fedd8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a162:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19394:$a3: \Google\Chrome\User Data\Default\Login Data 0x197c7:$a4: \Orbitum\User Data\Default\Login Data 0x1a806:$a5: \Kometa\User Data\Default\Login Data
0.2.ZpYFG94D4C.exe.34fedd8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1336d:$s1: UnHook 0x13374:$s2: SetHook 0x1337c:$s3: CallNextHook 0x13389:$s4: _hook
0.2.ZpYFG94D4C.exe.34fedd8.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1779c:$x1: $%SMTPDV$ 0x16180:$x2: $#TheHashHere%& 0x17744:$x3: %FTPDV$ 0x16120:$x4: $%TelegramDv$ 0x139db:$x5: KeyLoggerEventArgs 0x13d70:$x5: KeyLoggerEventArgs 0x17768:$m2: Clipboard Logs ID 0x179a6:$m2: Screenshot Logs ID 0x17ab6:$m2: keystroke Logs ID 0x17d90:$m3: SnakePW 0x1797e:$m4: \SnakeKeylogger\
0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x347c0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x34aa4:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x345cc:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x346c7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x347d6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x35e2d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x35d90:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler 0x359fb:$a11: KeyLoggerEventArgsEventHandler
0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x3538d:$s1: UnHook 0x15174:$s2: SetHook 0x35394:$s2: SetHook 0x1517c:$s3: CallNextHook 0x3539c:$s3: CallNextHook 0x15189:$s4: _hook 0x353a9:$s4: _hook
0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x397bc:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x381a0:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x39764:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x38140:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x359fb:$x5: KeyLoggerEventArgs 0x35d90:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x39788:$m2: Clipboard Logs ID 0x399c6:$m2: Screenshot Logs ID 0x39ad6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x39db0:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZpYFG94D4C.exe", ParentImage: C:\Users\user\Desktop\ZpYFG94D4C.exe, ParentProcessId: 1776, ParentProcessName: ZpYFG94D4C.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", ProcessId: 1476, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZpYFG94D4C.exe", ParentImage: C:\Users\user\Desktop\ZpYFG94D4C.exe, ParentProcessId: 1776, ParentProcessName: ZpYFG94D4C.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe", ProcessId: 1476, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:49:23.227704+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	104.21.48.1	443	TCP
2025-01-11T08:49:24.484340+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	104.21.48.1	443	TCP
2025-01-11T08:49:28.308503+0100	2803305	3	Unknown Traffic	192.168.2.5	49720	104.21.48.1	443	TCP
2025-01-11T08:49:30.945954+0100	2803305	3	Unknown Traffic	192.168.2.5	49731	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:49:21.568884+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.6.168	80	TCP
2025-01-11T08:49:22.662615+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.6.168	80	TCP
2025-01-11T08:49:23.928248+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	193.122.6.168	80	TCP
2025-01-11T08:49:25.193880+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49714	193.122.6.168	80	TCP
2025-01-11T08:49:26.475233+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZpYFG94D4C.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: ZpYFG94D4C.exe	Virustotal: Detection: 70%			Perma Link
Source: ZpYFG94D4C.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ZpYFG94D4C.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ZpYFG94D4C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: ZpYFG94D4C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kKRg.pdbSHA256 source: ZpYFG94D4C.exe
Source:	Binary string: kKRg.pdb source: ZpYFG94D4C.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010DF1F6h	5_2_010DF00F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010DFB80h	5_2_010DF00F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_010DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_010DEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_010DED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05241A38h	5_2_05241620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05241471h	5_2_052411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052402F1h	5_2_05240040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05241011h	5_2_05240D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524F009h	5_2_0524ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524C041h	5_2_0524BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524DEA9h	5_2_0524DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05240751h	5_2_052404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524E759h	5_2_0524E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524B791h	5_2_0524B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524DA51h	5_2_0524D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05241A38h	5_2_05241617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524F8B9h	5_2_0524F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524C8F1h	5_2_0524C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524D1A1h	5_2_0524CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05240BB1h	5_2_05240900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524EBB1h	5_2_0524E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05241A38h	5_2_05241966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524BBE9h	5_2_0524B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524F461h	5_2_0524F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524C499h	5_2_0524C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524E301h	5_2_0524E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524D5F9h	5_2_0524D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524FD11h	5_2_0524FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0524CD49h	5_2_0524CAA0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002CF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: ZpYFG94D4C.exe, 00000000.00000002.2123242490.0000000002431000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_0228D3A4	0_2_0228D3A4
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AE6698	0_2_04AE6698
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AE6688	0_2_04AE6688
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AE0040	0_2_04AE0040
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AEEF28	0_2_04AEEF28
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AEEF38	0_2_04AEEF38
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_04AE1090	0_2_04AE1090
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076BF160	0_2_076BF160
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076B5900	0_2_076B5900
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076BA618	0_2_076BA618
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076B9368	0_2_076B9368
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076B8F40	0_2_076B8F40
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076BAFC8	0_2_076BAFC8
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076B8B08	0_2_076B8B08
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076B58F0	0_2_076B58F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D6108	5_2_010D6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DC190	5_2_010DC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DF00F	5_2_010DF00F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DC479	5_2_010DC479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DB4F7	5_2_010DB4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DC759	5_2_010DC759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D6880	5_2_010D6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DBBD3	5_2_010DBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DCA31	5_2_010DCA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D4ADD	5_2_010D4ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DBEB3	5_2_010DBEB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DE51F	5_2_010DE51F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010DE528	5_2_010DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05247D90	5_2_05247D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05248460	5_2_05248460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052411C0	5_2_052411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05243870	5_2_05243870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240040	5_2_05240040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240D60	5_2_05240D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524ED60	5_2_0524ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524ED50	5_2_0524ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240D59	5_2_05240D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524BD88	5_2_0524BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05247D8B	5_2_05247D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524BD98	5_2_0524BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524DC00	5_2_0524DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052404A0	5_2_052404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E4A0	5_2_0524E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E4B0	5_2_0524E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240491	5_2_05240491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524B4E8	5_2_0524B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524B4D7	5_2_0524B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524D7A8	5_2_0524D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524D798	5_2_0524D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524C638	5_2_0524C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524F600	5_2_0524F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524F610	5_2_0524F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524C648	5_2_0524C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524CEEA	5_2_0524CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524CEF8	5_2_0524CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524B930	5_2_0524B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240900	5_2_05240900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E908	5_2_0524E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524B940	5_2_0524B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524F1A9	5_2_0524F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524F1B8	5_2_0524F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052411B8	5_2_052411B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524C1E0	5_2_0524C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524C1F0	5_2_0524C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05240033	5_2_05240033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05243867	5_2_05243867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E049	5_2_0524E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E058	5_2_0524E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052408F0	5_2_052408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524E8F8	5_2_0524E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524D340	5_2_0524D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524D350	5_2_0524D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052473E3	5_2_052473E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_052473E8	5_2_052473E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524DBF1	5_2_0524DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524FA68	5_2_0524FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524FA59	5_2_0524FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524CAA0	5_2_0524CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0524CA90	5_2_0524CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0582C3A8	5_2_0582C3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_058292DC	5_2_058292DC

Source: ZpYFG94D4C.exe, 00000000.00000002.2120733638.000000000055E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000000.2056010769.0000000000144000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekKRg.exe6 vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2135830080.0000000006A60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2133369782.0000000005680000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2133518187.0000000005722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2123242490.0000000002441000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe, 00000000.00000002.2123242490.0000000002431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs ZpYFG94D4C.exe
Source: ZpYFG94D4C.exe	Binary or memory string: OriginalFilenamekKRg.exe6 vs ZpYFG94D4C.exe

Source: ZpYFG94D4C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: ZpYFG94D4C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZpYFG94D4C.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02byoap2.4nc.ps1

Jump to behavior

Source: ZpYFG94D4C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ZpYFG94D4C.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.4533694105.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4535341505.0000000003CCB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZpYFG94D4C.exe	Virustotal: Detection: 70%
Source: ZpYFG94D4C.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\ZpYFG94D4C.exe "C:\Users\user\Desktop\ZpYFG94D4C.exe"
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ZpYFG94D4C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ZpYFG94D4C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ZpYFG94D4C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kKRg.pdbSHA256 source: ZpYFG94D4C.exe
Source:	Binary string: kKRg.pdb source: ZpYFG94D4C.exe

Source: ZpYFG94D4C.exe

Static PE information: 0xE3E8BFA0 [Fri Mar 2 13:44:00 2091 UTC]

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_056A8548 push eax; iretd	0_2_056A8549
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_056A7E58 pushad ; retf	0_2_056A7E59
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Code function: 0_2_076BD3C8 push E8FFFFFEh; iretd	0_2_076BD3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D87F3 push eax; retn 0002h	5_2_010D8BBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D9904 pushad ; retn 0002h	5_2_010D9B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D9170 push edi; retn 0002h	5_2_010D9172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D9050 push ebp; retn 0002h	5_2_010D9052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D9070 push esi; retn 0002h	5_2_010D9072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D8BC8 push ecx; retn 0002h	5_2_010D8D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010D9A63 pushad ; retn 0002h	5_2_010D9B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05242E6B push esp; iretd	5_2_05242E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05242AC8 push esp; retf	5_2_05242AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0582B801 push CC066047h; retf	5_2_0582B80D

Source: ZpYFG94D4C.exe

Static PE information: section name: .text entropy: 7.6859437604573095

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 2430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 4430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 76C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 6C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 86C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory allocated: 96C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599324	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595029	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6162	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3548	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2310	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1084	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599324	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595029	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: ZpYFG94D4C.exe, 00000000.00000002.2120733638.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$<
Source: RegSvcs.exe, 00000005.00000002.4532179532.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05247D90 LdrInitializeThunk,

5_2_05247D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BD1008	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"			Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Users\user\Desktop\ZpYFG94D4C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZpYFG94D4C.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZpYFG94D4C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4533694105.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34debb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34fedd8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34fedd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZpYFG94D4C.exe.34debb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4533694105.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZpYFG94D4C.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1220, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZpYFG94D4C.exe	71%	Virustotal		Browse
ZpYFG94D4C.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
ZpYFG94D4C.exe	100%	Avira	HEUR/AGEN.1309499
ZpYFG94D4C.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002CF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ZpYFG94D4C.exe, 00000000.00000002.2123242490.0000000002431000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000005.00000002.4533694105.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000005.00000002.4533694105.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	ZpYFG94D4C.exe, 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4533694105.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589044
Start date and time:	2025-01-11 08:48:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZpYFG94D4C.exe renamed because original name is a hash value
Original Sample Name:	da2fcae0d75bf3aba109c8d4010ae5db5add095496db883c257deaf78e9bfd0e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 209 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:49:17	API Interceptor	1x Sleep call for process: ZpYFG94D4C.exe modified
02:49:20	API Interceptor	13x Sleep call for process: powershell.exe modified
02:49:21	API Interceptor	10437835x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.6.168	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	104.16.185.241
	dhPWt112uC.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	104.21.42.77
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\ZpYFG94D4C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:BWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZUUyus:BLHxvCsIfA2KRHmOugms
MD5:	F963BF860AC549B35B83A9A4160F2928
SHA1:	4FB6DB1E141DFA0BE1D5895BFD644CAF177E7B07
SHA-256:	EBDC85F6CA03C3CB48B3425BB59E875BE7B981980A84C38467D695B8FA5076AC
SHA-512:	B20468971BCCE8A62C8CCDE8A3F561837969015DA660DCCAD09940D2B79C7D6B50B21876635725D105FA628F55246EB2036BFCA2EE1D5076450D9DA26F48E9E8
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02byoap2.4nc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sxpngya.am3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d3p5osn.xjt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn0qsffc.210.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6766693419918415
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ZpYFG94D4C.exe
File size:	594'432 bytes
MD5:	68ea88ab97c52f5c4ce75ce445f9aead
SHA1:	02735913dab48e3702ac3b3fd0072ae2e7cb5c63
SHA256:	da2fcae0d75bf3aba109c8d4010ae5db5add095496db883c257deaf78e9bfd0e
SHA512:	f809c2b1a6cc926c8f45d1f43a60a016f3818aefd5446ae538c025b0cfb2f3125da9cb34aec3a1be2c15c906f8a1d12e7ee0023c3ce69b9a6047a87be07dee5d
SSDEEP:	12288:+Dtt6a4K/a/G4rgdwKVOT2dB2mPTVJSyPzu5usx+XtYYI:+BAaBaG4HKr76yPzux
TLSH:	A5C401A86756EA02C68693B91F31F27417BC1EDEBA01D3065FD9ADEBB832F054C44253
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............F&... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x492646
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3E8BFA0 [Fri Mar 2 13:44:00 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x925f2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9098c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9064c	0x90800	1a453be5615a1b742b8121e4261b2a8a	False	0.898199272815744	data	7.6859437604573095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x5a4	0x600	c235d534be92c8b90e764bae20546246	False	0.419921875	data	4.070296370693007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	4343f37f646438b2d9e50b2977a73d62	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x94090	0x314	data			0.4352791878172589
RT_MANIFEST	0x943b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:49:21.568884+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.6.168	80	TCP
2025-01-11T08:49:22.662615+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.6.168	80	TCP
2025-01-11T08:49:23.227704+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49710	104.21.48.1	443	TCP
2025-01-11T08:49:23.928248+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	193.122.6.168	80	TCP
2025-01-11T08:49:24.484340+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	104.21.48.1	443	TCP
2025-01-11T08:49:25.193880+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49714	193.122.6.168	80	TCP
2025-01-11T08:49:26.475233+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2025-01-11T08:49:28.308503+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49720	104.21.48.1	443	TCP
2025-01-11T08:49:30.945954+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49731	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:49:20.629398108 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:20.634385109 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:20.634464979 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:20.634785891 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:20.639653921 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:21.314513922 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:21.323427916 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:21.328324080 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:21.513994932 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:21.568883896 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:21.651002884 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:21.651056051 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:21.651114941 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:21.661489010 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:21.661510944 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.147712946 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.147806883 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.152260065 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.152277946 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.152733088 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.193883896 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.248409986 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.295331955 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.359493971 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.359555006 CET	443	49708	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.359606028 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.392215967 CET	49708	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.399987936 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:22.404968023 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:22.607388973 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:22.611233950 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.611265898 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.611342907 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.611675978 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:22.611694098 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:22.662615061 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.074688911 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.076914072 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.076958895 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.227788925 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.227953911 CET	443	49710	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.228055000 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.229037046 CET	49710	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.234431982 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.236040115 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.239440918 CET	80	49707	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:23.239501953 CET	49707	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.240828037 CET	80	49711	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:23.241003036 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.241260052 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:23.246023893 CET	80	49711	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:23.886759043 CET	80	49711	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:23.888044119 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.888081074 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.888242006 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.888526917 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:23.888540030 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:23.928247929 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.346013069 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:24.348221064 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:24.348244905 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:24.484380960 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:24.484469891 CET	443	49712	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:24.484527111 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:24.485110044 CET	49712	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:24.493560076 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.495446920 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.498622894 CET	80	49711	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:24.498842955 CET	49711	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.500354052 CET	80	49714	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:24.500422001 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.500507116 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:24.505341053 CET	80	49714	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:25.148161888 CET	80	49714	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:25.149585962 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.149636030 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.149696112 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.149945021 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.149961948 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.193880081 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.628279924 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.630059958 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.630101919 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.781809092 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.781908035 CET	443	49715	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:25.781954050 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.782390118 CET	49715	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:25.785592079 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.786675930 CET	49717	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.790895939 CET	80	49714	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:25.790982962 CET	49714	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.791589022 CET	80	49717	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:25.791671991 CET	49717	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.791798115 CET	49717	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:25.796813011 CET	80	49717	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:26.431736946 CET	80	49717	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:26.433442116 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:26.433489084 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:26.433640957 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:26.433883905 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:26.433901072 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:26.475233078 CET	49717	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:26.909276009 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:26.911178112 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:26.911199093 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:27.064568996 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:27.064651012 CET	443	49718	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:27.064748049 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:27.067558050 CET	49718	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:27.072460890 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:27.077354908 CET	80	49719	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:27.077426910 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:27.077512026 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:27.082318068 CET	80	49719	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:27.712371111 CET	80	49719	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:27.715693951 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:27.715724945 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:27.715904951 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:27.716316938 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:27.716330051 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:27.756417036 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.182997942 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:28.185533047 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.185575962 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:28.308579922 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:28.308728933 CET	443	49720	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:28.308803082 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.309298038 CET	49720	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.313571930 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.315115929 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.318619967 CET	80	49719	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:28.318691015 CET	49719	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.320023060 CET	80	49721	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:28.320255041 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.320411921 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:28.325294018 CET	80	49721	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:28.956618071 CET	80	49721	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:28.958451033 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.958498001 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:28.958587885 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.958996058 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:28.959009886 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:29.006407976 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.431433916 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:29.433082104 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:29.433109999 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:29.576677084 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:29.576761961 CET	443	49723	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:29.576847076 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:29.577394962 CET	49723	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:29.580955029 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.582046986 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.586951017 CET	80	49721	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:29.587449074 CET	49721	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.587541103 CET	80	49724	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:29.592693090 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.592822075 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:29.597666025 CET	80	49724	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:30.233913898 CET	80	49724	193.122.6.168	192.168.2.5
Jan 11, 2025 08:49:30.235639095 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:30.235697985 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.235905886 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:30.236191988 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:30.236205101 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.287642956 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:49:30.821158886 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.823798895 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:30.823822021 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.945982933 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.946070910 CET	443	49731	104.21.48.1	192.168.2.5
Jan 11, 2025 08:49:30.946115971 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:49:30.946515083 CET	49731	443	192.168.2.5	104.21.48.1
Jan 11, 2025 08:50:31.431560993 CET	80	49717	193.122.6.168	192.168.2.5
Jan 11, 2025 08:50:31.431710005 CET	49717	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:50:35.228612900 CET	80	49724	193.122.6.168	192.168.2.5
Jan 11, 2025 08:50:35.228713036 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:51:10.240952969 CET	49724	80	192.168.2.5	193.122.6.168
Jan 11, 2025 08:51:10.246238947 CET	80	49724	193.122.6.168	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:49:20.533179045 CET	63073	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:49:20.540158987 CET	53	63073	1.1.1.1	192.168.2.5
Jan 11, 2025 08:49:21.642287016 CET	55813	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:49:21.649770021 CET	53	55813	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:49:20.533179045 CET	192.168.2.5	1.1.1.1	0x771e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.642287016 CET	192.168.2.5	1.1.1.1	0x2421	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:20.540158987 CET	1.1.1.1	192.168.2.5	0x771e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:49:21.649770021 CET	1.1.1.1	192.168.2.5	0x2421	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:20.634785891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:49:21.314513922 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 08:49:21.323427916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:49:21.513994932 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 08:49:22.399987936 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:49:22.607388973 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:23.241260052 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:49:23.886759043 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:24.500507116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:49:25.148161888 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:25.791798115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:49:26.431736946 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:27.077512026 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:49:27.712371111 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:28.320411921 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:49:28.956618071 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49724	193.122.6.168	80	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:49:29.592822075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:49:30.233913898 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:49:22 UTC	867	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896551 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mTcNv%2B1W9%2BxfMoM4FLSpoqactmYsL4%2FG%2Bs%2BdNTOxd5X4qGrrbD6bNMaURx%2BGKWiQ0hpYwnzagr4GbCuGt%2FJvrLKB%2FlucxO4GGuPurCdZlov8cM2ogbEsCoQADTfrBH7ZG6VRGVJ%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f4e6b8043be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1524&rtt_var=590&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1825000&cwnd=226&unsent_bytes=0&cid=16b1e040b6feda0e&ts=227&x=0"
2025-01-11 07:49:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:49:23 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896552 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dFwz%2FKyB0%2FT5AGx1NhnZV7dklbIMLl1%2FB6gV5gvL0VYGd%2FZYqioV5%2FUdvTvz20%2BuhHUme8NxtuIf0YQKFD7yVqpOg7OrO1itYzSvEaVv7D7TWgg1hZehN9kUbx0Ybta%2FE9XArZ96"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f53cae742e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1646&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1708601&cwnd=240&unsent_bytes=0&cid=19da7d754f86b0e1&ts=157&x=0"
2025-01-11 07:49:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:49:24 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896553 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7LNHK%2BfABkOSKCc3dM0FR5cRS%2BwPTBBHURaDEVxPZ7WT7xBymF11QgkvZ86JwBc%2FK82hJqxCBEff2QwKFIA7ezZ3zBHioAKxuhCvcxGkQjvfb6xCpOT34tFq8y7HQHMzzBjU%2BHQW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f5bade043be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1532&rtt_var=584&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1858688&cwnd=226&unsent_bytes=0&cid=a61ee693cbc40913&ts=146&x=0"
2025-01-11 07:49:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:49:25 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896554 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2EjSekksELR6vJkG5NES5rSicEGmwemHQwUUIhwIx%2BNNmpmGtGjYYUHbuhM2x8nuXd8XTxPaWfzXRfTBoAtNTPUa5tEUFEnvB2g5qWKo%2FOKCt3qNpJaPER0zuvxe8M4S6Bsyl%2BhK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f63cb0c8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1840&min_rtt=1812&rtt_var=699&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1611479&cwnd=238&unsent_bytes=0&cid=5df6aa36090002af&ts=162&x=0"
2025-01-11 07:49:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:49:27 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896556 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bveUIXN7piFTEVJeY51q1CraBdhuoAJP0XVjyLOuYOixqOVHKfaQLYP%2FuR4ph%2Fevov0a4pN3fPTyyQjjIbbrp8wGEk%2BVqJok2GhN6z6YGkXsdyClmRRwotnNd0sQouN1nLrYdXs1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f6bcac48cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1966&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1472516&cwnd=243&unsent_bytes=0&cid=c3895de89cf0dd4f&ts=160&x=0"
2025-01-11 07:49:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:49:28 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896557 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u%2Fj9LzX4zNUDJddodxT44vL83aJB6aVA5s1SmAENK%2BkF6COWfW9tJJLhkVN20ykIpVHpK6vrSL2NK1sW4mkIQa39dLLjnweHYX5Rn6IHeCE2yXHUBDluZY5%2BnYq%2BFc8nF3uzRWhM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f739fae42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1653&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1751649&cwnd=240&unsent_bytes=0&cid=029cf1a7a5b87512&ts=133&x=0"
2025-01-11 07:49:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:49:29 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896558 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YddVcwAyNPlAgqhgANymRuRWITvyxFNTI5PyvDQNfJHJCfUsC1vh0cU%2Bu6ejiWnzSon5yBGR7Eyinl8eFnqXQkmseQEziNOSni%2FN7jPzZPyo9TyeHJGqnNOqY27lSUMM2ob8OTby"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f7b7c3cc323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1483&rtt_var=574&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1877813&cwnd=214&unsent_bytes=0&cid=5fadc6e1a1f267d4&ts=151&x=0"
2025-01-11 07:49:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49731	104.21.48.1	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:49:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:49:30 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:49:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1896560 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rUJZNZge6NsFqzTzg%2FCZDUAyTsMjfz0HrCpaau1yUi3q%2BYXO%2FsayOvyjFwjvuIj7twh1CtmNtrfqF%2F5jkwAoaszaU0i81zE8TXFcLKdXaNAKiJiVgmeK6hRvxLWWQS0zxpcAzZvD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90034f8418868c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1753&rtt_var=666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1631284&cwnd=238&unsent_bytes=0&cid=bd4363915e6e6c35&ts=246&x=0"
2025-01-11 07:49:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	02:49:12
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\ZpYFG94D4C.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZpYFG94D4C.exe"
Imagebase:	0xb0000
File size:	594'432 bytes
MD5 hash:	68EA88AB97C52F5C4CE75CE445F9AEAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2124982227.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:49:18
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZpYFG94D4C.exe"
Imagebase:	0x4a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:49:18
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:49:18
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x860000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.4532016234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4533694105.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4533694105.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:49:21
Start date:	11/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	202
Total number of Limit Nodes:	14

Executed Functions

Function 04AE6698 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18375d3bf5ea5c97066e7d990d9adaeabeaaf31a2db740d65472ee1c6d671e00
Instruction ID: 1082e419b08be7850d1959760909a0cc3710606c143a667fc3df0e779f098fe0
Opcode Fuzzy Hash: 18375d3bf5ea5c97066e7d990d9adaeabeaaf31a2db740d65472ee1c6d671e00
Instruction Fuzzy Hash: D832E834E10219CFDB14DFA9C884AADB7B2FF99304F5085A9D419AB365DB30AD85CF50

Function 04AE6688 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c828dcda6db65715814f94beb43f2dd1a29addd6099012e0f6c6233024f0a2c
Instruction ID: fd8f08dbd502dbb11c91cf77e5eabfbffaf79bcf46de0b62eac349930e0effd1
Opcode Fuzzy Hash: 5c828dcda6db65715814f94beb43f2dd1a29addd6099012e0f6c6233024f0a2c
Instruction Fuzzy Hash: C022E834E10219CFDB14DFA5C884AADB7B2FF9A304F5085AAD419AB365DB30AD85CF50

Function 076BF160 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c69569e72074862671fbfdc3de78ced5ce9e4fda25a005c025d82bf03a013d
Instruction ID: 2cc792da8ce02283a5e368010bcad3bd5aa44908d7ef5ab6261485cd85604c0b
Opcode Fuzzy Hash: c3c69569e72074862671fbfdc3de78ced5ce9e4fda25a005c025d82bf03a013d
Instruction Fuzzy Hash: 4D02D0B1A013058FDB29EB75C850BEEBBF6AF8A300F14446AD046DB3A1CB35D985CB51

Function 076B58F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c7eb964ebba28298232ba085bfcaf829ad3cf8c86aab18d396a3de3ebf4529
Instruction ID: 2526999dd91a77a92b46014bc768a852df44197ca616c1990c5f0270dcb0cfff
Opcode Fuzzy Hash: 15c7eb964ebba28298232ba085bfcaf829ad3cf8c86aab18d396a3de3ebf4529
Instruction Fuzzy Hash: 572107B0D016188BEB18CFABC8453DEBBF7AFC9310F14C06AD40AA6254DB7509868F91

Function 076B5900 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169581302b25ce366e912d5ae60c97f9fd452f683db761bf9653fa837f39cc28
Instruction ID: 74e1e1f8faafea9d380b9f79d82013fbb64cedc4cf9cb9164f47631772b5190d
Opcode Fuzzy Hash: 169581302b25ce366e912d5ae60c97f9fd452f683db761bf9653fa837f39cc28
Instruction Fuzzy Hash: 7621B7B0D016188BEB28CFABC9453DEFAF7AFC9300F14C56AD51A66254DB7409868F90

Function 056A0940 Relevance: 7.8, Strings: 6, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 056A0D01
,aq, xrefs: 056A0A64
(o]q, xrefs: 056A0A86
,aq, xrefs: 056A0A58
(o]q, xrefs: 056A0A92
d8bq, xrefs: 056A0DF0

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq$d8bq
API String ID: 0-380147655
Opcode ID: a23871d092ed47986e8f6a7dff2c8be17b15c79b1fbc9039c5f9f304d22d82a6
Instruction ID: 00d5736f8a535cf63e9a72267d06ee4a987f7d316c7cd034103ea0533c77c7c5
Opcode Fuzzy Hash: a23871d092ed47986e8f6a7dff2c8be17b15c79b1fbc9039c5f9f304d22d82a6
Instruction Fuzzy Hash: 57C16B35B001199FDB14AFA8D858AAE7BF6FF88320F148469E906973A5DB34DC41CF91

Function 056AEC60 Relevance: 7.6, Strings: 6, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 056AEF20
8aq, xrefs: 056AECC8
8aq, xrefs: 056AED5D
$]q, xrefs: 056AF44E
$]q, xrefs: 056AEF10
$]q, xrefs: 056AF45A

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: 8aq$8aq$$]q$$]q$$]q$$]q
API String ID: 0-424724130
Opcode ID: 7840567aab685f03bf60b81f099d2b26783f85d1d7a8b02ddf88cd525b8a14d3
Instruction ID: 1a5851b857e80a13d2ae0ece239734c9c6a50908cf3d301ee8c149f37bfb9fa0
Opcode Fuzzy Hash: 7840567aab685f03bf60b81f099d2b26783f85d1d7a8b02ddf88cd525b8a14d3
Instruction Fuzzy Hash: 5341C531B04245CFDB14EB68C805A7E7BB6FB89304F14446AE116EB381D7769D42CF91

Function 056A4248 Relevance: 6.6, Strings: 5, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 056A4669
Haq, xrefs: 056A469C
Haq, xrefs: 056A43A2
Haq, xrefs: 056A4318
Haq, xrefs: 056A435D

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$Haq$Haq
API String ID: 0-1792267638
Opcode ID: 253e18ec67c558bd7d27dc6576363d414396762b0629ad0c9e47eda90b044960
Instruction ID: 10e42a376c222b401088c0d1a96beed682f11ad605e404c19380f703d0d2b5e3
Opcode Fuzzy Hash: 253e18ec67c558bd7d27dc6576363d414396762b0629ad0c9e47eda90b044960
Instruction Fuzzy Hash: F7C15835B002048FDB14EBB9C9549AEBBF6BF89301B1448A8D402AB794DF75ED41CF61

Function 056AE108 Relevance: 6.4, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 056AE1F0
$]q, xrefs: 056AE1E4
$]q, xrefs: 056AE2AB
LR]q, xrefs: 056AE231
LR]q, xrefs: 056AE161

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q$$]q
API String ID: 0-527398971
Opcode ID: 0e70f3fd51fddae1e2d591dcb3086423dcc7e9374de1c4e73de98dc5f87cac85
Instruction ID: 241d44ee0e7ad6435d7fa85380b8e87906c0229a3d2d39d62724908f4187a145
Opcode Fuzzy Hash: 0e70f3fd51fddae1e2d591dcb3086423dcc7e9374de1c4e73de98dc5f87cac85
Instruction Fuzzy Hash: D941D331B14219DBEB248EA9CC41B7EB6FABB45700F10446AE506EB281E6B59C42CF51

Function 056AE0F8 Relevance: 3.9, Strings: 3, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 056AE1E4
$]q, xrefs: 056AE2AB
LR]q, xrefs: 056AE161

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: LR]q$$]q$$]q
API String ID: 0-4258901230
Opcode ID: 91642b348966b6a62c87554d6c4a968ef6a0bb3df84c59519eb7c9f75fa0d876
Instruction ID: cf5e1512a99ba96024bd13f557326bb0985cda944c10818c64a8a84b1e887d64
Opcode Fuzzy Hash: 91642b348966b6a62c87554d6c4a968ef6a0bb3df84c59519eb7c9f75fa0d876
Instruction Fuzzy Hash: 2241E431B04215DBEB208EA9DC41BBEB7BAFB45700F00447AE516EB2C1E6B69D42CF41

Function 056A0F90 Relevance: 2.8, Strings: 2, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4|bq, xrefs: 056A1260
4|bq, xrefs: 056A127B

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: 4|bq$4|bq
API String ID: 0-3562454414
Opcode ID: e59378a8b21b5cd339dd40e212aed2aaafa52ad139a1f8b1aaa7b5e592300294
Instruction ID: f6b59b9acbdb02e3b737819566a4daf31fb60eef31e112fb1b3037cd201a5bda
Opcode Fuzzy Hash: e59378a8b21b5cd339dd40e212aed2aaafa52ad139a1f8b1aaa7b5e592300294
Instruction Fuzzy Hash: B1B14C76A041159FCB14DF68C894AAEBBB2FF49710F158469E806DB361DB35EC42CF90

Function 056A5EAC Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 056A5FEE
Haq, xrefs: 056A5F88

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: cc0825c2c927e72d225ed3508f60ee080c7f31614aeb71a0fddbcd9aaf0deaa7
Instruction ID: 7cb3d4581e880cccd2fd9d3f457f0696db3080bc20e7f8e315444ea7e87d7e26
Opcode Fuzzy Hash: cc0825c2c927e72d225ed3508f60ee080c7f31614aeb71a0fddbcd9aaf0deaa7
Instruction Fuzzy Hash: 5E814A71E003199FDB14DFA9C8946AEBBB2BF89300F14856AE409AB355DB349D06CB91

Function 056A0910 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 056A0A86
,aq, xrefs: 056A0A58

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: (o]q$,aq
API String ID: 0-2797082531
Opcode ID: af0cc4ac3e0c65ae525927e19a375d929008ce9865763709fc2f6e4fbed2e6f5
Instruction ID: 970e01c114494a9060f1abf9d3ff3722dc9b4380cbb5f7dd01e16cb2d5f37f2e
Opcode Fuzzy Hash: af0cc4ac3e0c65ae525927e19a375d929008ce9865763709fc2f6e4fbed2e6f5
Instruction Fuzzy Hash: 7B514D35A01219DFDB24DF68D888AAEBBF1FF48324F148069E806A7761D7349D45CF50

Function 076BBB44 Relevance: 1.8, APIs: 1, Instructions: 272
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076BBD86

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c4ebd877e6c4a7d1dcb3d38b0be15f79c7419d630cb180263003949129d8cc4d
Instruction ID: 4848cf4c37dda00be9259457fd6c0284f40e57e6d46e68cbee3f780af99772bb
Opcode Fuzzy Hash: c4ebd877e6c4a7d1dcb3d38b0be15f79c7419d630cb180263003949129d8cc4d
Instruction Fuzzy Hash: 85A16BB1D0021ACFDB24DFA9C8417EEBBF2BF49314F148569D80AA7250DB749985CF92

Function 076BBB50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076BBD86

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e451d16f92d0cec54d3588560df7660181a790579b8eeeb543c3ba1c221c4ec7
Instruction ID: e494076a27070be0e505d8eaa935cd105c8df75dee9c5c6afcb2189dccbca06f
Opcode Fuzzy Hash: e451d16f92d0cec54d3588560df7660181a790579b8eeeb543c3ba1c221c4ec7
Instruction Fuzzy Hash: 44914CB1D0021ACFDB24DFA9C8817EDBBB2BF49314F148569D80AA7250DB749985CF92

Function 0228ADE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0228B03E

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0d12cc47255ac1239865a02a66aa007da34fc517e0a1c9e65df85a3eaa9b08e6
Instruction ID: 9d91e4f8adae718f0ade9527e0b0065b20763b5800d18702c24f20d9f9e4b80d
Opcode Fuzzy Hash: 0d12cc47255ac1239865a02a66aa007da34fc517e0a1c9e65df85a3eaa9b08e6
Instruction Fuzzy Hash: 45714670A11B068FD724EFA9D04475ABBF1FF88304F00892EE48AD7A94DB75E955CB90

Function 022844B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 022859C9

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4923b4bd6bdaf3cb0c615378612f2ff574643d756a57e56cbb01e988665d71fb
Instruction ID: 18d3a5579ef5b65f4045a4f4100a5cf4d691a3de32798a75b01f141b97acfbad
Opcode Fuzzy Hash: 4923b4bd6bdaf3cb0c615378612f2ff574643d756a57e56cbb01e988665d71fb
Instruction Fuzzy Hash: CB41E2B0C1061DCBDB24DFA9C884ADEBBF5BF48304F60805AD408AB255DBB5A949CF91

Function 0228590C Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 022859C9

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d2bd1c8b58f58d7b048fc2d7c21c5be3fe7a82afe89ba3bf87ec2ce86f08b2b7
Instruction ID: 89d17b67eeb56b6a92cc394b1c0b9d597061d021f977a7b9a88419aee241cadf
Opcode Fuzzy Hash: d2bd1c8b58f58d7b048fc2d7c21c5be3fe7a82afe89ba3bf87ec2ce86f08b2b7
Instruction Fuzzy Hash: 7C4101B1C10719CFDB24DFA9C884ACEBBF5BF49304F60805AD408AB255DB75694ACF91

Function 04AE4050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04AE4111

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 76ca5988c5589bfc4bb1b6920b2a4d7be6d87e9fa5faa1bcfb35d1c2534935f8
Instruction ID: 9afaf8c4247445d77316613429e981ed8190b6b109ed85d21945342491d7bcca
Opcode Fuzzy Hash: 76ca5988c5589bfc4bb1b6920b2a4d7be6d87e9fa5faa1bcfb35d1c2534935f8
Instruction Fuzzy Hash: A3411AB4900305DFDB14DF9AC848AAABBF9FB8C314F25C459D529A7321D375A841CFA1

Function 02285A84 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f79c9a63acdcea2335d53c1447c98996743ac31542f121e7e10f792d69f6c4
Instruction ID: f4e8a91179dff97857240d0a22c3372385eb00e9c03ed24efd40c2d5c41595e3
Opcode Fuzzy Hash: b7f79c9a63acdcea2335d53c1447c98996743ac31542f121e7e10f792d69f6c4
Instruction Fuzzy Hash: 9F31E3B1805649CFDB11DFE8C8847EDBBF1EF06304F954149C405AB299C779A94ACB41

Function 076BB8C1 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076BB958

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 297094b33e5cc4fd14d57a10122248e5ef8e474d6605604c7b8b41a8b3855841
Instruction ID: 53778e8ec70705b7ea9592727b0c99f7b2dc70f8b597c9ac90d8f7d614d7037e
Opcode Fuzzy Hash: 297094b33e5cc4fd14d57a10122248e5ef8e474d6605604c7b8b41a8b3855841
Instruction Fuzzy Hash: 5D2148B5D003099FCB10DFA9C885BDEBBF5FF49314F108429E919A7240C7789945CBA1

Function 076BAD88 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9416fe6d87e5f161aa486b08bf6807134d62da9549ce02d16c8a1f8eb6843986
Instruction ID: ba51ce2955ace02abaad3d5750a0e3f5b922a00ab605d8544c362455ffce9101
Opcode Fuzzy Hash: 9416fe6d87e5f161aa486b08bf6807134d62da9549ce02d16c8a1f8eb6843986
Instruction Fuzzy Hash: CA21AFB1C003498FCB20DFA9C8496DFBFF9EF4A314F14841AD456A7251C7359885CBA2

Function 076BB8C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076BB958

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4e09fed4b6460603ddc9c292524867d92a2ff06b003b5b32a17abe5912971181
Instruction ID: 3b3cc9baaaa3e607c78e8b769374f3cb75153e11fdb32863fd80ec3404d68145
Opcode Fuzzy Hash: 4e09fed4b6460603ddc9c292524867d92a2ff06b003b5b32a17abe5912971181
Instruction Fuzzy Hash: F22139B5D003099FCB10DFA9C885BEEBBF5FF49310F10842AE919A7240C7789945CBA5

Function 076BAEE9 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076BAF6E

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fb277287dfc8ce607585ef7c67bf78244ce6df4b75fef42aaf2e1793fd03de08
Instruction ID: ac3fc0103fc91134f84459bb6c52701701ab2e9733910a4808072b963c9fe4e9
Opcode Fuzzy Hash: fb277287dfc8ce607585ef7c67bf78244ce6df4b75fef42aaf2e1793fd03de08
Instruction Fuzzy Hash: BB213CB1D003099FDB10DFAAC4457EEBBF4EF49314F14842AD419A7241C778A545CFA1

Function 0228B7D0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0228D686,?,?,?,?,?), ref: 0228D747

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d2be5546437cf51042f8e9423fb63b71f129040880c20393fd2f9a4c29b39dc6
Instruction ID: 0d9838b7482e6b975ca43e31a983964eb24c2ec0297ff08c2a73ce1d3410c4b8
Opcode Fuzzy Hash: d2be5546437cf51042f8e9423fb63b71f129040880c20393fd2f9a4c29b39dc6
Instruction Fuzzy Hash: 482103B5D112099FDB10DFAAD584AEEBBF8EB48310F14841AE918A3350C374A944CFA5

Function 076BB9B2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076BBA38

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b4067d42febf064da54a2e7aa91d1117db8027d08d133edd75ef0e6018abb5b8
Instruction ID: d9bcc6fe544112da44e70b07d697b6a162d58d4b6a094f9057322d4298e26e45
Opcode Fuzzy Hash: b4067d42febf064da54a2e7aa91d1117db8027d08d133edd75ef0e6018abb5b8
Instruction Fuzzy Hash: 112116B1D002599FCB10DFA9C845AEEBFF5FF88314F14882EE519A7240C7399545DBA1

Function 0228D6B9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0228D686,?,?,?,?,?), ref: 0228D747

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 631bbb4f09dddaa133f3ab4f81a8da7d5231c74ca9ba07a3dbdf9db905d765dd
Instruction ID: f50b6c8d3faf34cc60c077b49ed386f7fbe55a94154329ba6688f186b48c50f1
Opcode Fuzzy Hash: 631bbb4f09dddaa133f3ab4f81a8da7d5231c74ca9ba07a3dbdf9db905d765dd
Instruction Fuzzy Hash: A221E4B5D013499FDB10CFAAD584ADEBBF8EB48324F14842AE918B3350C374A954CF61

Function 076BAEF0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076BAF6E

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9422667fb01c2aa59dca749a5d96b96ca898f5b3e0477ebf89cd8eb2890288b7
Instruction ID: 3a0922aa313751749f12bfe7ec994cb33ed9c8a7e0d8866e45cee8513427f86d
Opcode Fuzzy Hash: 9422667fb01c2aa59dca749a5d96b96ca898f5b3e0477ebf89cd8eb2890288b7
Instruction Fuzzy Hash: 492118B1D003099FDB10DFAAC4857EEBBF4EF89314F14842AD419A7240CB78A945CFA1

Function 076BB9B8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076BBA38

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f15af5e5892b079a76eb70bd41790aa36c9a0de3df6d3e5f2cd1b913850b537a
Instruction ID: d00e3e22e6f83a36b614108b5a998c44b4fafecc976adee49c8c58bf53c4dfd1
Opcode Fuzzy Hash: f15af5e5892b079a76eb70bd41790aa36c9a0de3df6d3e5f2cd1b913850b537a
Instruction Fuzzy Hash: EC213AB1C003599FCB10DFAAC845AEEFBF5FF48310F508429E519A7240C7749541DBA1

Function 076BB800 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076BB876

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd9832ab2137d9f911bfe7f6659d2aed809957f59a041ecf3f83488077e8a084
Instruction ID: 319d10998b33c061ccd1c2537b4b16c45b5b293f88aa19b7f0aabe9dc0e93cde
Opcode Fuzzy Hash: cd9832ab2137d9f911bfe7f6659d2aed809957f59a041ecf3f83488077e8a084
Instruction Fuzzy Hash: AF1167B2C002099FCB20DFAAD845ADFBFF5EF89314F208819E419A7250C775A581CBA1

Function 076BB808 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076BB876

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f71318a85b7060f67b724a0479aa5393595379e94943ae4021f7ca61f3c17264
Instruction ID: d57744672a8fad2e57d2521fe9cffc3d09412033a03cafb29d73a3eb0b64f8f9
Opcode Fuzzy Hash: f71318a85b7060f67b724a0479aa5393595379e94943ae4021f7ca61f3c17264
Instruction Fuzzy Hash: 5D1167B1D002099FCB20DFAAC844ADFBFF5EF88324F208819E519A7250C775A541CFA1

Function 076BE300 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 076BE365

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b1eb1049c53594449a43468f20137f82f91ace000b34e7d34ecf31566c2bef94
Instruction ID: 45960da8d2769ffdec5926dd3d0a6b694f37ce1befcf3bf534d6c2ca47794d01
Opcode Fuzzy Hash: b1eb1049c53594449a43468f20137f82f91ace000b34e7d34ecf31566c2bef94
Instruction Fuzzy Hash: 4B11E3B5800349AFDB10DF9AD849BDEBBF8EB49714F108819E515A7210C375A584CFA1

Function 076BAE40 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 076BAEA2

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f7375f3a84a44bba1abd8c5030386b161af6d647eda82bb5a7045f5f64274a47
Instruction ID: 3fef776aefd848ae48d88486ff31552d6c649a7369060d6ef1fa13ba5bfbad1c
Opcode Fuzzy Hash: f7375f3a84a44bba1abd8c5030386b161af6d647eda82bb5a7045f5f64274a47
Instruction Fuzzy Hash: 9F1116B1D003498BCB20DFAAC4456DEFBF5EB89324F248819D419A7240C7756945CBA1

Function 0228AFD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0228B03E

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 97884ae77b74cf6541eeb4ee838293bd5e799853edb6ccab162a8bf5f8bbcea0
Instruction ID: ada086bda91f546a908217d357ecda6597408d72fda03620f481f52fc1456973
Opcode Fuzzy Hash: 97884ae77b74cf6541eeb4ee838293bd5e799853edb6ccab162a8bf5f8bbcea0
Instruction Fuzzy Hash: 17110FB5C0034A8FCB10DF9AD444ADEFBF8EB88318F10841AD429A7250D379A545CFA1

Function 076BB4A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 076BE365

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 543cdba21d6aac2552d670b4ab30f5e7af2d3fbfa880bfe16d8719b56891f4bc
Instruction ID: 92f42964077df85454984346cae6b28ebd70f8dd6d7c4f6ddf0c4fffb17da0f3
Opcode Fuzzy Hash: 543cdba21d6aac2552d670b4ab30f5e7af2d3fbfa880bfe16d8719b56891f4bc
Instruction Fuzzy Hash: EF1103B5804349DFDB20DF9AC588BDEFBF8EB49714F108819E919A7210C375A984CFA1

Function 056A2AB0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

Haq, xrefs: 056A2BE0

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: db470182b036557eceba0de53681fd4c787bf7024ff98f653c850737b5028aff
Instruction ID: b3096cf806823a269a8e6b0ec9113cd161116b3b6d697ca515b5f85ced554ee3
Opcode Fuzzy Hash: db470182b036557eceba0de53681fd4c787bf7024ff98f653c850737b5028aff
Instruction Fuzzy Hash: A861D335A002058FDB11DF64C8A49AEBBF2FF89304F1484A9D816AB761DB35ED41CF91

Function 056ADAC8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 056ADB11

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 8138c23b7687829288ceb45eb8d79cceea228299bdcdf8a4a384818e56f5adda
Instruction ID: dcc3520962369fa432c7c31d86c4debf075c28c2c130c036bd3e93a4f4d8866a
Opcode Fuzzy Hash: 8138c23b7687829288ceb45eb8d79cceea228299bdcdf8a4a384818e56f5adda
Instruction Fuzzy Hash: A851F1317102059BE7007F78A456B9E3F72EF89700F5485B8EE8A8F29ACE751D4AC791

Function 056ADAD8 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 056ADB11

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 89a4f32e12a042c369d00fd79bcb01d5b5cf474cbcd6943e2b566c4476c023fc
Instruction ID: 4292229a2b67372763bb821a95396b77072a59610fd498ad923a000cc7e5394c
Opcode Fuzzy Hash: 89a4f32e12a042c369d00fd79bcb01d5b5cf474cbcd6943e2b566c4476c023fc
Instruction Fuzzy Hash: D641F1307102059BE7007F78948AB9E3E76AF88700F508578EE8A9F28ADE755D49C7D1

Function 056A5168 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

Haq, xrefs: 056A5179

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 396a19da75bad7835393b09cde433e9757c362f4da6e1d7ffed2b1c0464318d5
Instruction ID: ed80110a7dcced85a578169cfb4ce08225a9dce98e77f9f1ee5fe1ce2c657e71
Opcode Fuzzy Hash: 396a19da75bad7835393b09cde433e9757c362f4da6e1d7ffed2b1c0464318d5
Instruction Fuzzy Hash: 8931C235A0020AAFDB05DFA4D854ADEBBB2FFD8300F548569E102AB255DF349D46CB91

Function 056AEC50 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8aq, xrefs: 056AECC8

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 596374b0b2b9974a11af03c51a4d702f1d69eb2047aa2f24ce1dd637056ad8ae
Instruction ID: 0bd399b7ff46d0db387c92aefcb26d8e431e8e176b755fc289ea642e6023dd5b
Opcode Fuzzy Hash: 596374b0b2b9974a11af03c51a4d702f1d69eb2047aa2f24ce1dd637056ad8ae
Instruction Fuzzy Hash: BC310331F04244CBD714EFA4C841ABE7BBAFB89301F14846AE516AB381D7769D42CF92

Function 056ADF68 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

$]q, xrefs: 056AE0EA

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 6588de6c47e7da64f8b12588443a5c313bcb15f87009df3b73ad301f49e3b81c
Instruction ID: a06cdb6570e809f7459e59d76cef8c1e0e84dcb23d58961f864f8927ff614f9a
Opcode Fuzzy Hash: 6588de6c47e7da64f8b12588443a5c313bcb15f87009df3b73ad301f49e3b81c
Instruction Fuzzy Hash: C231C033A04615CBC7108B29CC4167BB7B6FB81301F048163E9A68B795D735EC92CE66

Function 056A0448 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Haq, xrefs: 056A04DC

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: b5195650c9dda4e83ba7ad26ec71c88363a1bf01cea04aec4bfe16a4754942b1
Instruction ID: f1704ff760acda598994edf3659d0fc233fe069e4b9e0cf5fe6f436ee7d2e7d2
Opcode Fuzzy Hash: b5195650c9dda4e83ba7ad26ec71c88363a1bf01cea04aec4bfe16a4754942b1
Instruction Fuzzy Hash: 2F219231B04208EFE744ABB88C45BAE7BB6EB85310F10C465E545DB281EE389E46CB90

Function 056A0441 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Haq, xrefs: 056A04DC

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: dcb5c899a04d91205d9744caffefd804677f6a88d9975875ade0ae6af37fe20a
Instruction ID: 6c4a110a1798d78e648931eadeb1ab13738a6b9bdbd32fe7f1bf0bd4da35a83a
Opcode Fuzzy Hash: dcb5c899a04d91205d9744caffefd804677f6a88d9975875ade0ae6af37fe20a
Instruction Fuzzy Hash: 74219231704208EFE744AEB48C45BAE7BB6EB85310F10C465E545EB181EE389E46CB90

Function 056AAAA0 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7727d96203ae28af5c2436d1c5f7c066d5544f58e54c4ab0a9ab15eeb7332b
Instruction ID: 5bf8cd4975ee53709ff5e5ba42b8d356c7be31994874905e2a0e1a05bb648ebf
Opcode Fuzzy Hash: 0d7727d96203ae28af5c2436d1c5f7c066d5544f58e54c4ab0a9ab15eeb7332b
Instruction Fuzzy Hash: C742F231D0065DCFDB15EFA8C8486ECBBB1BF49300F51829AD5497B265EB309A99CF81

Function 056AAAB0 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34047b4a241045acaea8a00660eb7106d49eaea53df0cfee18d96d844f7a1d1
Instruction ID: 02fe48fe2d8ae4aa99eac0ab06c6adc1ba90eb5e9eec525d83e5e4b9ac49cbe6
Opcode Fuzzy Hash: f34047b4a241045acaea8a00660eb7106d49eaea53df0cfee18d96d844f7a1d1
Instruction Fuzzy Hash: 9942F231D0061DCFDB15EFA8C8446ECBBB1BF49300F51869AD5497B265EB30AA99CF81

Function 056A4930 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d612ebdb7ac7387614b310f29d7ded5484e4771b51906d9757d5cecd4b68c6c5
Instruction ID: 2023fa104a1bfd96d36e096b159450310b3dc367307288a66945a4d7634c129e
Opcode Fuzzy Hash: d612ebdb7ac7387614b310f29d7ded5484e4771b51906d9757d5cecd4b68c6c5
Instruction Fuzzy Hash: BC81D4357106008FCB04EB28D998A697BF6BF89A05B1541A9E902CB375DF71EC41CF80

Function 056A39E0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38af17be2eb82917cb244058e8e516befb51d6c7b5b3dfabaab50d630b179bc8
Instruction ID: 2b996af8d886472d253f50cf467e0af9ef176607c3f5470e7c93a6ebbf231181
Opcode Fuzzy Hash: 38af17be2eb82917cb244058e8e516befb51d6c7b5b3dfabaab50d630b179bc8
Instruction Fuzzy Hash: 7691C375A0060A9FDB15CFA8C984AAEB7F2FF48310F148969E929E7354D730E951CF50

Function 056AA508 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baacf2ef72c97827596061413e1f01f173a74d0bc8eaec5480c7d2e012b2f64
Instruction ID: 2a61d97aae852d5f90400522126f00d5e80832e145b3ced2606922c089f2fd8b
Opcode Fuzzy Hash: 7baacf2ef72c97827596061413e1f01f173a74d0bc8eaec5480c7d2e012b2f64
Instruction Fuzzy Hash: FC81A331A14609DFCB15EFA8D9486ADBBB2FF45310F11446AE042A72A4EB30DD95CF40

Function 056A7498 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9110b3a0c567632adfb40106e273fc263dd6a816f791e1e4e320769b565f16d1
Instruction ID: 1f7b58f4f2e00dcb7419c4e874c795e0aad410f7d549e437e7a934e7d4cd7559
Opcode Fuzzy Hash: 9110b3a0c567632adfb40106e273fc263dd6a816f791e1e4e320769b565f16d1
Instruction Fuzzy Hash: B6513371A05208DFDF259FA5C9985ADFFB2FF88300F218169D4427B296CB7189A1CF85

Function 056A8C74 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c084fc0152c5daaeea14cc3be049b4bfde398d1f59a01fdb3b6e7b4c63f57aee
Instruction ID: 5dd0d58697e2ce918e9b17b3bac06ff1016c72893bfdde1c7f389543e5e83232
Opcode Fuzzy Hash: c084fc0152c5daaeea14cc3be049b4bfde398d1f59a01fdb3b6e7b4c63f57aee
Instruction Fuzzy Hash: CF515872A012198FDB24EBA9C4506AEB7F6FF88300F64467AC50A97681DB35DD11CF61

Function 056A61B8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543b3e57d52a9ea2ccfa1fe3d1c5f13300be4efc6e2ff944bc73c45b5650c171
Instruction ID: 1e20739b969e3680cd34cd251a7893b00f87cdd809d596ec7dd2c676f0e4c355
Opcode Fuzzy Hash: 543b3e57d52a9ea2ccfa1fe3d1c5f13300be4efc6e2ff944bc73c45b5650c171
Instruction Fuzzy Hash: 5C513B71E002499FCB14DFA9C818AAFBBFAEF98310F14846AD415E7351EB749901CFA1

Function 056AF714 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524906853b6fdc9dcbc97dd392b0c3ab97e15d73563ffa9f964a086c52d5c7d3
Instruction ID: d0084b9b6bda6c9a517ab8428b363041540a729d2b5ed05756f8c7a9efb210a9
Opcode Fuzzy Hash: 524906853b6fdc9dcbc97dd392b0c3ab97e15d73563ffa9f964a086c52d5c7d3
Instruction Fuzzy Hash: 38516F3AB04119DBEB41CB68D851ABEF7B2FF44300F108126E546AB295DB74DC85CFA6

Function 056AA780 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da03990900ebc470ea33ebfc38fdb20234785e984c3d7d9e6379a1430fb7eb3b
Instruction ID: 65311f2e29e231f3499cd88abf525c2fe07682dc3512cc41e422ae5c6d3d3f35
Opcode Fuzzy Hash: da03990900ebc470ea33ebfc38fdb20234785e984c3d7d9e6379a1430fb7eb3b
Instruction Fuzzy Hash: E441C272E082169FCB92EFE4C9986FA7BB3AB45340F514467D402A72A5E634CD13CF91

Function 056A6AA8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0f7a692d32266edcc68bb1dc59a262ac26d2c86636dd6f5b98021c6d966af8
Instruction ID: b16b8b9e3352a0832ee6937757935ceddfeec3f4e702bd84a4c6a5307962d3db
Opcode Fuzzy Hash: 1b0f7a692d32266edcc68bb1dc59a262ac26d2c86636dd6f5b98021c6d966af8
Instruction Fuzzy Hash: 41316A31E02218EFCB14EFA0E5945ADBBB2FF85301F25846AE49267761CB35AC65CF50

Function 056A7F30 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056d70641a228d6cfeefd5ac52a85d2a916d98ff5abbc440d0743e0e258804cf
Instruction ID: bca2495f6e4225b1f710578503122bcac5c2482cb0a9cd022281475a97af1f8d
Opcode Fuzzy Hash: 056d70641a228d6cfeefd5ac52a85d2a916d98ff5abbc440d0743e0e258804cf
Instruction Fuzzy Hash: C1412535B142588FDB14EBA9C894EADBBF6FF89604F1440A9E501EB7A1DA35DC01CF50

Function 056A4D08 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b017a6b2d4514c2f4217349729991336475fbaae8098c28e9ec8b2b937ec3e77
Instruction ID: 9ee9b036b4d0d449f02b1cf024875c6e538824c5c3b53e653fc86f0583a0b051
Opcode Fuzzy Hash: b017a6b2d4514c2f4217349729991336475fbaae8098c28e9ec8b2b937ec3e77
Instruction Fuzzy Hash: F8414E76A002588FDF14EB78C494BEDBAB2FF88215F645829D402AB344DFB54D81CF96

Function 056A9954 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc60dfd3ee524a93a65cd5e72c323eb11159fb2a1d813605e8d1836f1da6a5a7
Instruction ID: 2be444682cb0ca6cfd92dc4b535eb5d080e6ec538ab276dd18b3b6b2a0f7e4be
Opcode Fuzzy Hash: dc60dfd3ee524a93a65cd5e72c323eb11159fb2a1d813605e8d1836f1da6a5a7
Instruction Fuzzy Hash: 53416D72E182169BDB92EFE4C949ABA7BB3BB45340F114427D406A7298F635CD13CE90

Function 056AF702 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606671dee5f5645d94cdc6570820cf305a157b45de5514c3164de70a5fd94f00
Instruction ID: b79f5de98babf57e17c24a68ad0fba42ef1fd8acedb02c9de0d92496e5669b62
Opcode Fuzzy Hash: 606671dee5f5645d94cdc6570820cf305a157b45de5514c3164de70a5fd94f00
Instruction Fuzzy Hash: 84416C3AA44205DFEB42CB98E841ABDF7B2FF44301F108126E546AB261D774DC86DF66

Function 056A7264 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95044f1fd0c87f5be88f24cb3148868cd779c4c34da2ee5c239717ec1b5513a5
Instruction ID: 3c476b2f5bd75761912eb5295ed2c2d551ce52978edb5d6b3fb59313aae55151
Opcode Fuzzy Hash: 95044f1fd0c87f5be88f24cb3148868cd779c4c34da2ee5c239717ec1b5513a5
Instruction Fuzzy Hash: 18412B31A112089FDB14DFA8D854AADBBB6FF89310F148569E401BB3A0DB71ED81CF54

Function 056A8592 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b5282e69f1a2ddca96e77c2ce2167e01df7ad2cb8af7b44f7a7d463f3ba6f8
Instruction ID: 5a4788813ac23dd6bf648bf029cdeb6b49f480eb43c4e5795590de3a1637dcdd
Opcode Fuzzy Hash: 51b5282e69f1a2ddca96e77c2ce2167e01df7ad2cb8af7b44f7a7d463f3ba6f8
Instruction Fuzzy Hash: FD413C31A012489FDB14EFA8D454AADBBB2FF89310F158569E441BB3A0DB71ED85CF50

Function 056A9178 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c441992a789160600fcc2de98e220597d8fb32248e3dbba1ca6348216966c04
Instruction ID: 86c121e7f142d4dc474e08379cb9666a1bc5876bd8796893c20515a0bba4008d
Opcode Fuzzy Hash: 2c441992a789160600fcc2de98e220597d8fb32248e3dbba1ca6348216966c04
Instruction Fuzzy Hash: A4411372E05218DFEB219BA5C9885EDFFB2FF84300F218159D4427B256DB3188A5CF84

Function 056A10A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8e2e4847586a7d4dbc8218e9aa8bc983beb293937c9c0fb54ff918b520947f
Instruction ID: f406460c774ec6b3d1d2ddf08e2337f922a292eb5c047fb8b4d8c3836d551582
Opcode Fuzzy Hash: df8e2e4847586a7d4dbc8218e9aa8bc983beb293937c9c0fb54ff918b520947f
Instruction Fuzzy Hash: 3D41F776B042099FCB14CF69D884AAABBB2FF89710F158069E8159B3A1CB34EC41CF50

Function 056ADD16 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fd4dc87ccfb0a7f250567c2dd658bf64ef5ca099b792d50f64c50dec406428
Instruction ID: 28a8e90e53add8abf229eef3e7e44708296294c47fa40311ea05b6cd06191d04
Opcode Fuzzy Hash: a4fd4dc87ccfb0a7f250567c2dd658bf64ef5ca099b792d50f64c50dec406428
Instruction Fuzzy Hash: EE31AE76B04214CFC714ABA8D45856C3BF2FF59615B1985AAE40ACBB86CB39EC43CF41

Function 056A4CF9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf97eeaf89f212ff7adf5c12e6938adc178518a1a3fa2d2e0402c1467eb87a5
Instruction ID: 64305c433ba861e46bbdc7611e4dcc5bd01d469615a54abf7c07bb7190e0eeaa
Opcode Fuzzy Hash: acf97eeaf89f212ff7adf5c12e6938adc178518a1a3fa2d2e0402c1467eb87a5
Instruction Fuzzy Hash: 80319076A002558FDF24EB74C454BADBAB2FF88205F204839D402AB381DFB58D85CF96

Function 056A6038 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d51de6c0fab440518d45a7dc43c381d61a3e9ae33c23ea1bdf6178aeb1497a
Instruction ID: 3f67dd93d5bca001f5ec4be42b76273d03f17e4d4dd367a087c6736ffe92b5ef
Opcode Fuzzy Hash: 47d51de6c0fab440518d45a7dc43c381d61a3e9ae33c23ea1bdf6178aeb1497a
Instruction Fuzzy Hash: 7941AFB1D10359DFDB14CF9AC888A9EFBB5FF88314F24812AE418AB250D7756846CF91

Function 056ACC20 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76c52bf49f477dcc1763ff5e36ebd69106ae47320a2fbe19fa21b40501b4253
Instruction ID: 20eeced92137f872b6e60e0f076b96cbeb3e11d08110ee74d919ce04f4c90566
Opcode Fuzzy Hash: e76c52bf49f477dcc1763ff5e36ebd69106ae47320a2fbe19fa21b40501b4253
Instruction Fuzzy Hash: DF31B775E012199FDB09DFA9D4556EEBBF2BF88300F10802AE415A7364DB359942CF91

Function 056AFF38 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f54634cf343bd5934de2a47b60cd0cf07357e36ef69935658659d21432906a4
Instruction ID: ae659887af85976e16e58da3debe17959d6cce7c054932ab1525f9a47dd4e006
Opcode Fuzzy Hash: 7f54634cf343bd5934de2a47b60cd0cf07357e36ef69935658659d21432906a4
Instruction Fuzzy Hash: C5F03A36704209AFCF08DBA8D85999EBFFAEB49250B1084AAE405D7365EA31AD118B54

Function 056ADF57 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b2fc6cbb22a4301988ff13583cc5a6a83cfd625d698f89a961372e8fad9192
Instruction ID: a9543e8c613aabd6b6be7c8df06515d9d458ed08204cc182bba90c372bc1c208
Opcode Fuzzy Hash: 60b2fc6cbb22a4301988ff13583cc5a6a83cfd625d698f89a961372e8fad9192
Instruction Fuzzy Hash: AB31E433A08611CBC7118B29DC416BFB7B6FF81211F048167E9968B795C336ED52CE56

Function 056A61A8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdf7888c9be0871456ffeffc72f9169ebeb8d6a2bd27810b917b1f7573f2b7f
Instruction ID: 9940bcbb5cf4dd9cbae4305a1d78a44cc44d2b7a7c143193a34c02f14f86511d
Opcode Fuzzy Hash: 6bdf7888c9be0871456ffeffc72f9169ebeb8d6a2bd27810b917b1f7573f2b7f
Instruction Fuzzy Hash: C4217172F001455BCB15DAA9C814ABFBBFAAFD8200F14855AE915E7251EA709E01CB91

Function 056ACC30 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf4e7ac13210370e7162e300623fcaec547a9915762f16773b83ca5cb9f4a9f
Instruction ID: 028955e97524eccf8a5448eb62d65e9428aca7392b22e6ef966bbffb0c05be02
Opcode Fuzzy Hash: 7bf4e7ac13210370e7162e300623fcaec547a9915762f16773b83ca5cb9f4a9f
Instruction Fuzzy Hash: A8319675E012199FDB49DFA9D854AEEBBF2BF88300F10802AE415B7354DB349942CF91

Function 056A3098 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd1f40273c00c453ca292bc1d6114a4d5f2c449e19fc77ede0854e419c51925
Instruction ID: 06494c10ae50569c0f23a1638febe80a48d08722be2bb6932d8c379d01c0fea5
Opcode Fuzzy Hash: bdd1f40273c00c453ca292bc1d6114a4d5f2c449e19fc77ede0854e419c51925
Instruction Fuzzy Hash: 8B210337B106108FEB248B64C8919BE7BF7EF88314B18846AD147D7B95C638EC81CB61

Function 056A7294 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8e481a3f7649159c804795af058704b1f64e8f3c0de083c66897995b45de04
Instruction ID: 623f8aeba7b8a0cf1bbc1c2d4eea7e2cc28730c629413b53bee4172bf63eaacc
Opcode Fuzzy Hash: 8d8e481a3f7649159c804795af058704b1f64e8f3c0de083c66897995b45de04
Instruction Fuzzy Hash: C921E032E05205CBDB15BBA8C4841AABBB2FF41300F50496AC547B7354EB31DD61CFA1

Function 056A67F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3253f94ac5330f19aba0a42059afea2ca8c1684724b05496b902fff65d8775d4
Instruction ID: 15abc3c3bb8f7e482f4e8e181f8854d942a616fa7345cc93bf006b0c275cd7d5
Opcode Fuzzy Hash: 3253f94ac5330f19aba0a42059afea2ca8c1684724b05496b902fff65d8775d4
Instruction Fuzzy Hash: B2317832A15218EFCB05CFA8D844E9DBFF5BF48310F0980AAE505AB261DB30D944CFA0

Function 056A30A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d642e526f225bef2d5561f746f13afc7a43e4e7f4be0303d69694025077df0f
Instruction ID: 04c65713bee99a269635cd1b087dd08b9784c28ab1ea5fab5450ff79493aeb64
Opcode Fuzzy Hash: 9d642e526f225bef2d5561f746f13afc7a43e4e7f4be0303d69694025077df0f
Instruction Fuzzy Hash: 3D21D137B106108FEB249A65C88197EB7E7FBC8325B288429D107D3B94CA34ED81CB61

Function 056A9AB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ecae6b618724dabeaca754800a46f845cbd38b5852f07663e5819efc4497b3
Instruction ID: 39edc43cb48d3f942e123896c4ffce6f4a9a430cd1dbfdb63066f7b4e25f58b3
Opcode Fuzzy Hash: a3ecae6b618724dabeaca754800a46f845cbd38b5852f07663e5819efc4497b3
Instruction Fuzzy Hash: 4721C532B001159FDB14EB64C8549AEBBF6EF89360F1584ADD406EB351CA319D05CF95

Function 056A4923 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cd8a79845f321da3ab59c92f2ac9ab170945b59e3ce1a801e9e58988ff9c28
Instruction ID: 2c3d1dd5af4252ddc17b1f7e1ca26bb6d5a1f1641866dceb0492f62f29980df0
Opcode Fuzzy Hash: 89cd8a79845f321da3ab59c92f2ac9ab170945b59e3ce1a801e9e58988ff9c28
Instruction Fuzzy Hash: 272107357106148FCB05EB28D4988AD7BF6AF89A1171541AAE502DB3B2DB71DC05CF90

Function 0091D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122287065.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3a52cc10c245c7f9673f4572228e33245bde4361d01dde9df070d039f92afb
Instruction ID: 2c700a243584ab0c2d3783da4da656088ae739f4eb165217b423c4a83418ae5a
Opcode Fuzzy Hash: df3a52cc10c245c7f9673f4572228e33245bde4361d01dde9df070d039f92afb
Instruction Fuzzy Hash: 31212BB1604208DFDB05DF14D9C0B56BF69FB94314F24C569D9090B2E6C33AE896C7A1

Function 056A423B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb660f53405716a6492c6dd56f4d3a68734145039b2b6d9fe5a61224c726fe8
Instruction ID: 24ee7c8abb2581045e924ec0d70a88f50d150631f9972c56a9c4c86ef1c47cc5
Opcode Fuzzy Hash: ceb660f53405716a6492c6dd56f4d3a68734145039b2b6d9fe5a61224c726fe8
Instruction Fuzzy Hash: 69216F717043018BEB34AB79995493AB7A7BFC520A7184C6CD9428B7A5EF71EC01CB61

Function 0092D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122412727.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1007017ec728a61fe65978080574a335e68250ec9046f37d805c4d3545a4543
Instruction ID: c705d47bf3f433758e402f65b28dc2690ab16781fd4187ff5486dd01a4924b6b
Opcode Fuzzy Hash: f1007017ec728a61fe65978080574a335e68250ec9046f37d805c4d3545a4543
Instruction Fuzzy Hash: 6A213BB1505200EFDB05DF14E5C0B25BBA9FB84314F34C96DD8094B35AC33AD806CB61

Function 0092D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122412727.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5b03123adf1b808b2af315717939688eac07acb135e0fd09ed0ebcaff8d688
Instruction ID: 5a05ffd2bbd12c62b64f3c9f2cfee7158a241a47ece6770062f15ddb79f14510
Opcode Fuzzy Hash: fc5b03123adf1b808b2af315717939688eac07acb135e0fd09ed0ebcaff8d688
Instruction Fuzzy Hash: BB210771544240DFDB14DF14E5C4B26BB65FB84314F34C96DD94A4B2AAC33AD807CA61

Function 056AA20B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0183f71a90dad25e90fb350e04824c18a704a05c22870083de78c1e402c07bd2
Instruction ID: bf1918a9fa42ab04970dd84596a509bb0c2c1947d16f98cbd515f5fe9d35e453
Opcode Fuzzy Hash: 0183f71a90dad25e90fb350e04824c18a704a05c22870083de78c1e402c07bd2
Instruction Fuzzy Hash: E221F0B1D013099FDB10CF9AD984AAEFBF4FB48310F24842EE419A7300D375A944CBA5

Function 056AA919 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3320191238b413ef31f35c0a24b09cd16e79de2ed68dccfd94ce8c2d03e2ba
Instruction ID: b44e95b377ff54ac3259187ae3d5a178f94250532e9926831f3e88c4ea6f37c2
Opcode Fuzzy Hash: ed3320191238b413ef31f35c0a24b09cd16e79de2ed68dccfd94ce8c2d03e2ba
Instruction Fuzzy Hash: 2721D572D0524A8FDB02DF64C8516AEBFB1EF49200F0945AAD511EB392D7744D46CF91

Function 056A7284 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a277510c57a38366dd60e249060a4d43b1558e6c6099e441af13d45c02f6ee
Instruction ID: e663ac5e7e3930e2a84dffaa97cb1483a8e4070e36bd48e84bf13f6def04caa3
Opcode Fuzzy Hash: 62a277510c57a38366dd60e249060a4d43b1558e6c6099e441af13d45c02f6ee
Instruction Fuzzy Hash: CE11BF72F0410AEBCB91AA95D5441EEBFB0EB40340F6048A5D08AB3284FA308D35CF94

Function 056AA210 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679f9f3f7054c2f4e7a776e3bf6f07bc06f588cacd5c316b0e952ca7f8f98a5b
Instruction ID: dc76d611ca2397ebb013e0bf4b785256c4bfd5bc4364b989feec58a54920fcd3
Opcode Fuzzy Hash: 679f9f3f7054c2f4e7a776e3bf6f07bc06f588cacd5c316b0e952ca7f8f98a5b
Instruction Fuzzy Hash: 3521CEB5D053099FDB10CF9AD984AAEBBF8FB48310F14842AE419A7700D375A944CBA5

Function 0092D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122412727.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599417e0f70b6d4e6e1e5ed62567b10edac599aa4c2493af03c52d5911247cae
Instruction ID: 9566e43ab066707cd363dc2f48ef4dd60f3948ee2aafede9d813fd86a7a55dca
Opcode Fuzzy Hash: 599417e0f70b6d4e6e1e5ed62567b10edac599aa4c2493af03c52d5911247cae
Instruction Fuzzy Hash: 55219F755493C08FCB12CF24D994715BF71EB46314F28C5EAD8898F6A7C33A980ACB62

Function 056A31E9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff3f84937c0e31ae6a911aaacd9b58f6a724694a172dc188fcf0138589c70c4
Instruction ID: e0e89947edc8605ae304dfc1f06c98d8bd8bb1a604865466cbaad2931cc95163
Opcode Fuzzy Hash: aff3f84937c0e31ae6a911aaacd9b58f6a724694a172dc188fcf0138589c70c4
Instruction Fuzzy Hash: 8621C7B5E0061A9FCB45CFADC8808AEBBF1FF89310B10816AE919E7325D7319915CF91

Function 0091D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122287065.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: f0bd7f364a6303345bc076d565bcdc78f4abd492d78fc7736d3a020b4d083394
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: BA112672504244CFDB16CF00D5C4B56BF72FB94324F24C6A9D8090B6A6C33AE85ACBA1

Function 0092D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122412727.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 86af05e6fe976f8661ad737dd929bd7686c6df49369b43e90314159fcf97e7ae
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 8E119D75904280DFDB16CF14E5C4B15FBB1FB84314F24C6ADD8494B69AC33AD85ACBA1

Function 056A31F8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98642c627945c5e9e81d2c34ced4df395d6cf67c10b5cd3834efd12da5629a38
Instruction ID: 91d15badd78ae6f3dab83cbd683a4f8fdb54797a840f4f84aa4d8fc37eedfe1f
Opcode Fuzzy Hash: 98642c627945c5e9e81d2c34ced4df395d6cf67c10b5cd3834efd12da5629a38
Instruction Fuzzy Hash: BA11B9B5E0021A9F8B44DFADC8409AEBBF5FF88310B10816AE918E7315E7309911CBA1

Function 056A64C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6861df86ea97c4215a5fa92e63c55a128904f4cbb617f42ce13ad133bec5978d
Instruction ID: f2d7106a1d9073b9f5f9fdb6397f76a5c401a0e920826024b4444d94a0048aa3
Opcode Fuzzy Hash: 6861df86ea97c4215a5fa92e63c55a128904f4cbb617f42ce13ad133bec5978d
Instruction Fuzzy Hash: EC11F3B5C042499FCB10DF9AD448A9EFBF8EB48320F14841AD419A3710D378A945CFA1

Function 056A55B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8600b740eaae672187e0693103aca6d42cb8020f15e46fe3756293e4fb5e492b
Instruction ID: af4aa7554a2fb94062787996b272aeabc778b9e35f35583b2c01fbcebb1071eb
Opcode Fuzzy Hash: 8600b740eaae672187e0693103aca6d42cb8020f15e46fe3756293e4fb5e492b
Instruction Fuzzy Hash: 5C1104B1C042498FDB10DF9AD448B9EFBF8EB48310F14C41AE419A7310D374A945CFA1

Function 056A5704 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cb54a626d7262ebee5dbfff392b599b7c4b8c2848af1fccf83951db1f0b48f
Instruction ID: fad8ad0b1c30742bcdb107fbd546a91765b00682f8e1d2d9d8d88c73c5bc7bcf
Opcode Fuzzy Hash: 63cb54a626d7262ebee5dbfff392b599b7c4b8c2848af1fccf83951db1f0b48f
Instruction Fuzzy Hash: 7411F3B1C042498FDB10DF9AD448A9EFBF8EB48310F14841AE419A7310D375A945CFA5

Function 056A87E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a48cf64d2bb5e721938f7a5de4d5b442402bf08f0232b1f034511b66aa2030
Instruction ID: e1a30744e2a4d50a5e8df39cb1a810c8da2ec80ea4627f14e7fdbabf4934d9d1
Opcode Fuzzy Hash: d1a48cf64d2bb5e721938f7a5de4d5b442402bf08f0232b1f034511b66aa2030
Instruction Fuzzy Hash: 2A01F7B3F091159FC792A664D8444E97FB1EB85340F1448AAD08AE7295FA308D16CF80

Function 056A52C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cbe7bc7e8f128c31ff6494614aab2188ae1235b8b4701586e9cf3b631088eb
Instruction ID: a3535251c6edcd99c465d4c38bdff6d1feeb9ee6952fa51fd54454136f3ca028
Opcode Fuzzy Hash: 29cbe7bc7e8f128c31ff6494614aab2188ae1235b8b4701586e9cf3b631088eb
Instruction Fuzzy Hash: EC01287B7081456FEB036B7498618D97F72EE7A21034544E3D141CB263E5168A0BDB52

Function 056A4D92 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38823bdef8525cd1729a3796ae1ed363ba3dddc41dd7513caf14b275385404df
Instruction ID: cf654c3b10fee0bcdcd9163eeed90b03b44c7a2b3bb0ddc459ebefe5bd369758
Opcode Fuzzy Hash: 38823bdef8525cd1729a3796ae1ed363ba3dddc41dd7513caf14b275385404df
Instruction Fuzzy Hash: D0113072A00249CFDF14EF74C455BADBAB2BF88352F144429D002A7285DFB54D85DF95

Function 056A6A08 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebabdf41f21c7de71f3711c7515b82101af0eb879cec5a838721842c590ce782
Instruction ID: 9882e65400a32889eb7f528bfca1f0193a205fb78dc57ef3dffe9daf6167c4ea
Opcode Fuzzy Hash: ebabdf41f21c7de71f3711c7515b82101af0eb879cec5a838721842c590ce782
Instruction Fuzzy Hash: 3701D6B2B012549FCF16E7A898548BE7BB6EFD5210F01006DD506AB361CE300E51CBEA

Function 056AAA20 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65887905a86466e03e49e7acfefa406abf5f8ea7c9b0a4ee0efd4864da30b20
Instruction ID: e842dcb77953df8361a5f4d553c9e65cd8f38c65d2c0358c760851945906bdee
Opcode Fuzzy Hash: e65887905a86466e03e49e7acfefa406abf5f8ea7c9b0a4ee0efd4864da30b20
Instruction Fuzzy Hash: E801283291475ADFCF119FB4D8444D9FF72FF89304F01866AE0416B151DB719449CB50

Function 056AFF02 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e4ead6cc0325ea5f2c8a7ea40f705533143c0b25f48e877dfac3490858fb02
Instruction ID: 332c62ad66816f029e436260000196d517f2402f734fc2af3eae44e4471a6545
Opcode Fuzzy Hash: e0e4ead6cc0325ea5f2c8a7ea40f705533143c0b25f48e877dfac3490858fb02
Instruction Fuzzy Hash: 64F0C8776041446FCF05CB54D8518D9BFB5DF0615071440A7E408C7321E6319D13CB95

Function 056AA928 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563d42e779ce11aece1227d2708e0db5b1186f81e1c4fe1354edc2ad7463750a
Instruction ID: 46472a07c98424eee61eed6c209b6dce90a5c7129405e3457dc198d3957ab297
Opcode Fuzzy Hash: 563d42e779ce11aece1227d2708e0db5b1186f81e1c4fe1354edc2ad7463750a
Instruction Fuzzy Hash: 76018C31E002099FDB04EFA8D8126AEBBB1EF48314F04452AD616F7390EB749A41CFD0

Function 056A3180 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5a5d0f8f91ef49c95b55db3e860c86f90b2624301ab5982929af7839b8bd01
Instruction ID: 8b8a6147f2071169d4d96c162e1b52497248e97690c8fe95c455ba32796cd074
Opcode Fuzzy Hash: 5e5a5d0f8f91ef49c95b55db3e860c86f90b2624301ab5982929af7839b8bd01
Instruction Fuzzy Hash: FF01A431A10664DFCB21EF6DD884CEEBBB4EF8A300701459EE545DB221DB31994ACFA1

Function 056AA1D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98399a5213442454e62a5698d7974af24e8160eb114f716882cf79f2fb1cda
Instruction ID: f27d5c00efd44e12854ea560d185cce5d05e8a3578c88fc0ed52cd786a0c1386
Opcode Fuzzy Hash: fb98399a5213442454e62a5698d7974af24e8160eb114f716882cf79f2fb1cda
Instruction Fuzzy Hash: 1FF0F0739042047FCB119B98A800DEAFBA9EF45330B95C097E004E7202D231AE0ACFA0

Function 056ACD3C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed7ac7eff320889b07a82977f84d6e0027944a640b95b28a9fa113c1b987f84
Instruction ID: 70a8d409b9421bb537e82fb095accb8632d89b11f5717f2af9c470d5330da0fa
Opcode Fuzzy Hash: 3ed7ac7eff320889b07a82977f84d6e0027944a640b95b28a9fa113c1b987f84
Instruction Fuzzy Hash: 39012879E0425ADFEF05DBA8E8515FEBB72FF89300F008059E515A7260DB346D52CB50

Function 056A6C30 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9840095baa68b77ad41c97898b751d6d41772f5c1a6c661be91941719fa00e
Instruction ID: c78627cf62f9bc8a21c8e5a25e8d20fa0213f486cf422c7ae7ed6f2e9c52dfc2
Opcode Fuzzy Hash: 1b9840095baa68b77ad41c97898b751d6d41772f5c1a6c661be91941719fa00e
Instruction Fuzzy Hash: AEF09072B04354AFDB05EBB8886446E7FFADB85100B0588BAD546D7261EE309D01C7A4

Function 056A56E4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd530be0c1578d2ea355b30c9d57ca8f920e88cd951d17256308ebab269bf1b
Instruction ID: 399a7918c4435abd44a97b1d5c687edf10f1ed78ee82f6014c302d6e6cf9cbfc
Opcode Fuzzy Hash: 1fd530be0c1578d2ea355b30c9d57ca8f920e88cd951d17256308ebab269bf1b
Instruction Fuzzy Hash: 77F0A736B043186FDB04DA7984988AE7FFBDB94250F14C8A5A409D3340E9349D028690

Function 056A7F2A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2a3721e7bd1ba3469d3488fe5af4ac7350d70da477959c8ecc26982cd52cdc
Instruction ID: 6c74212c03f2391b8c6a2fe5c4779ccc7ae4bafafea2ced23621493f4959ea70
Opcode Fuzzy Hash: 4a2a3721e7bd1ba3469d3488fe5af4ac7350d70da477959c8ecc26982cd52cdc
Instruction Fuzzy Hash: 69017830A182599FCB14DFA9D894EEEBBF2FF49300F10406AE401E7361C6309901CF50

Function 056AFF28 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb29d7855715ae5e076ad60c4e96a2a3098f5b6a7d6e0f5cfdd8c9ad88d672e
Instruction ID: 9becae20775cb6b80a6c39a4676092122a20292e944ba888c94a96f805a6959c
Opcode Fuzzy Hash: 7bb29d7855715ae5e076ad60c4e96a2a3098f5b6a7d6e0f5cfdd8c9ad88d672e
Instruction Fuzzy Hash: B9F0B4726041056FDF08DFA4D855C9ABFF9EF04220B0580ABE408DB225E7709D11CB54

Function 056AD794 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3604d164e20b1e288889ae4e89d6094915c6cab8204bf924ac46e0d85ae3cc5
Instruction ID: 436903fd959ce910919136aeba481ef177ffc3cb8c1ec27a693c6742009f6802
Opcode Fuzzy Hash: a3604d164e20b1e288889ae4e89d6094915c6cab8204bf924ac46e0d85ae3cc5
Instruction Fuzzy Hash: C1E0928B50D3915BE303666C5CB02E17F30EF63744F58489BE6818A567E0488D1AD7B7

Function 056A4DED Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add427197186879fc4f65f5985cf18ccbe32480c78280f1a9e0ff353b9e0e737
Instruction ID: 661d78b69c4255f9a6e2e960a4073d54deb69407f13948a90c336ffde3d364bc
Opcode Fuzzy Hash: add427197186879fc4f65f5985cf18ccbe32480c78280f1a9e0ff353b9e0e737
Instruction Fuzzy Hash: D2F03072B0024ACBDF14EF75C455BADBAB2BF84745F108838D0019B291DFB48981DF96

Function 056A8ED8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feaaaa6b1e519c595f2f47061c42dc50f3f2627f20bc072edec2acf46c3fcecf
Instruction ID: 5f5dda5c3296bd3f07d7cdd05384e48fc28650ca3eb7752a90e26e8df474c033
Opcode Fuzzy Hash: feaaaa6b1e519c595f2f47061c42dc50f3f2627f20bc072edec2acf46c3fcecf
Instruction Fuzzy Hash: 94F0E53120A341CFC319AB3C94948263BF6AF4630036488FFE0558B762CA35EC84CB49

Function 056A6F48 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df12667f86ec9b1cabfd090d37664f63298cfec87327c5e9151210acf4e580cf
Instruction ID: f6e388f8239c94d25969331d60a05ba3e8e3c2fcbe168c008bb770190b149c19
Opcode Fuzzy Hash: df12667f86ec9b1cabfd090d37664f63298cfec87327c5e9151210acf4e580cf
Instruction Fuzzy Hash: 55E09B36B04314AFD715CE56C844C9BBFFAEF85110B05C0EAD808DB212E6319D45CB55

Function 056A854B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0e8dd5899de7aead89cb916a6e2378274178824e1dccc6e1269af7c4389457
Instruction ID: 4be5b6cdd0a7c34d42051fcce1f93aac48d1727e9939152403f1521cc711bf35
Opcode Fuzzy Hash: 9b0e8dd5899de7aead89cb916a6e2378274178824e1dccc6e1269af7c4389457
Instruction Fuzzy Hash: 7FE0DF6690E3D14FEB628A30A8A158CBF61FF52200F1D88CBD0C0CB1A2C4154A4ACB91

Function 056A95F0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaed5da995e81321e297366d033d84cf53eb1906f485bd9ea944be6409b3eb1
Instruction ID: fd7c206532749d7342356dda333b1a45bd38b743e7621018a96333004e7c290c
Opcode Fuzzy Hash: acaed5da995e81321e297366d033d84cf53eb1906f485bd9ea944be6409b3eb1
Instruction Fuzzy Hash: A3E09231605350CFC3259F25D06486177B5AF4331572594FED0559B762C635EC84CF54

Function 056A6BDE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a228c2a6dc1720ead66907510027c0734b44e1d8c27fc49471e114e5819f17
Instruction ID: a66b407e998ff4b5a510659a99e787b6d8803ea70d22a5e83a569d73026fa106
Opcode Fuzzy Hash: d3a228c2a6dc1720ead66907510027c0734b44e1d8c27fc49471e114e5819f17
Instruction Fuzzy Hash: E9E09237E5010CDACF00AB81EA187FEBB71FB8431AF280422E122B1A80C73009A0CE90

Function 056A95A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1a17b5fad0e25f6045a0de19271a6da79270c99d03088dcc44dfa8a9e2c97c
Instruction ID: 8d3147a576dd870d2b373566d29accc02a9df4297cfc58264b7b8fb4e8574c38
Opcode Fuzzy Hash: 7f1a17b5fad0e25f6045a0de19271a6da79270c99d03088dcc44dfa8a9e2c97c
Instruction Fuzzy Hash: 6EE0DF36A01755CFC722EB78E494AA93BE2EF82310B214869D0059F257CE348C05CF91

Function 056A7254 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f2a02f401f338dfdce7506230f05f82d22f97785fe55040764a7eea848ae07
Instruction ID: a246583196be6644d0b1cd942e346175d934741940d80d0fc9ecd609791130d9
Opcode Fuzzy Hash: 25f2a02f401f338dfdce7506230f05f82d22f97785fe55040764a7eea848ae07
Instruction Fuzzy Hash: AAD02E3729812002D5A4D518EC917EA3342FBC4300F2C8C5AF881D7288C42ACE86CA80

Function 056A67EE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c0d7e977bf7e98263c273dfe4f2ffbb9b859ac23d888b02fd07e647a96505c
Instruction ID: f768ffdd80ea135573368c8742e85e8c4161b6b952fc43e51dd4ddba12b5a8d5
Opcode Fuzzy Hash: 90c0d7e977bf7e98263c273dfe4f2ffbb9b859ac23d888b02fd07e647a96505c
Instruction Fuzzy Hash: E6E01A36100109EFCB02DF50D844C857BB6FF05314715C0A5E9064B232C732E855DF50

Function 056A2A80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5e7821906b1d59180f29f5a1144dfd080639e790902b0ed5f1859f34a28349
Instruction ID: fa76eaa9e017d33f6d93247aede7f1a72d3ddbd53d12b42563358fbef902af84
Opcode Fuzzy Hash: 5d5e7821906b1d59180f29f5a1144dfd080639e790902b0ed5f1859f34a28349
Instruction Fuzzy Hash: 97E04C36046504EFC7126F90E859C85BFB5EB46250B0684A5E9498B073D762852AEB51

Function 056A0E07 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b664919f85b544b5d29d0c2c032504d2e4a419adda930d7efa1ebcd4d726bf81
Instruction ID: acaabe87a7580b00847e6d809fb40b75ee771874f92b33778a48c03004f923e9
Opcode Fuzzy Hash: b664919f85b544b5d29d0c2c032504d2e4a419adda930d7efa1ebcd4d726bf81
Instruction Fuzzy Hash: B3E0867720D3818FD7915B31E91C655BFA1BF50310F0588AEE445C2962E3348850DF13

Function 056A4CC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c780bab1cc7755436764584f7c24879fa1cd30e5185753e94ebfd4e0529bfc44
Instruction ID: 0a935407d4be36ae05d78f590144c2a9328e5f2f95353c2d1c0fd632283327e6
Opcode Fuzzy Hash: c780bab1cc7755436764584f7c24879fa1cd30e5185753e94ebfd4e0529bfc44
Instruction Fuzzy Hash: 07D05E3111A242CFEF039F14D89A9943FB1FF42341B0248A1D841CF257DA38584BCF61

Function 056AEB6D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288e5fc567276b7df4352e2d466b56948b8fa559ee21ad5cde22508426d3ab80
Instruction ID: c26a32e54d4426e0e09c2faa81307a4981064b365ab49d2491cc1362f1f268fd
Opcode Fuzzy Hash: 288e5fc567276b7df4352e2d466b56948b8fa559ee21ad5cde22508426d3ab80
Instruction Fuzzy Hash: 03D02213A0610A86BB25A0294808039324BE240000B88009ABE338FA09E612FE02CFB3

Function 056AF691 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c52d2c02f426f507079ea64b15c1cbc80099556a75286fa1c2fd225b876efd
Instruction ID: c176eb836443e044a29b134945f278754b963a7dba5fcf0ec558548c36fab90c
Opcode Fuzzy Hash: 00c52d2c02f426f507079ea64b15c1cbc80099556a75286fa1c2fd225b876efd
Instruction Fuzzy Hash: 70D0A7507096400BD3042BF4D0583597FA1D785721F1050B5D84D8F7C7DE3A9C03CB01

Function 056A3071 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6e16d2318e36d104ffb50f14f7bdff7e5ea559266628f7c03f6fc060be51fd
Instruction ID: 19c69cfeec74199314280c22311af5c635981dcf8f93e4957abf475a2ddc806b
Opcode Fuzzy Hash: 2d6e16d2318e36d104ffb50f14f7bdff7e5ea559266628f7c03f6fc060be51fd
Instruction Fuzzy Hash: 63E0EC301446559FC7528B24D8858E87F71AB55210B05849AE889CB263C3329817CB50

Function 056A3048 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf62d83380822eac4676ca644baa55c3ca338f75a068d90d1c4499c6eddde1e
Instruction ID: 301cf233eb93adeebefbb130a551ccecbf6f7075b119a2fb52f4380618766856
Opcode Fuzzy Hash: 5bf62d83380822eac4676ca644baa55c3ca338f75a068d90d1c4499c6eddde1e
Instruction Fuzzy Hash: DBD0A722059F504FD3127A3058074EDBF30BA47201B81454EC0C64B052E624115BC7E6

Function 056A4E60 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad99083d4c811cd63888b836b4b98376116ff06b59e464ea93b97f89a4b43401
Instruction ID: e5a40b60814b888fba28011e29c129b54e98f3498128973504afe23cc8ed4323
Opcode Fuzzy Hash: ad99083d4c811cd63888b836b4b98376116ff06b59e464ea93b97f89a4b43401
Instruction Fuzzy Hash: 7CE04275A40109CFDB00DF64D5A9EADBBB1FB08315F208459E416A7261CB745844DF90

Function 056A0E18 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b29ea9ffe61ccefe00c11f542329a96a211a618357dae61dd356348fa1bca6
Instruction ID: 0eeaf9a5e8ee72b27f356587eea77efe1c84b84bd6a51ca3325b60dc1dcf61fa
Opcode Fuzzy Hash: 91b29ea9ffe61ccefe00c11f542329a96a211a618357dae61dd356348fa1bca6
Instruction Fuzzy Hash: 58D012362053489FDF505BB1D91CB25BEEAFF54261F008435E805C2661EB35CC50ED62

Function 056ADF31 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be950325300ff04a70f2411bcbec625f7b20b0ffde8ecbb574cb2c6a02631c4a
Instruction ID: caf7ab6c232022d5440cfdd8ec2c2554a48a56270ee2057f8061654cba6d5caf
Opcode Fuzzy Hash: be950325300ff04a70f2411bcbec625f7b20b0ffde8ecbb574cb2c6a02631c4a
Instruction Fuzzy Hash: CCD0C9705296414FDB179F28C499AA4BFB0FF53715B5481D2C8818B187C668A456CB51

Function 056AF6A0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d0147a1e7c2b466caf3cabd9ad22e11cd8cbf77c2231be1ac7be3a1502214d
Instruction ID: 8373e81fea1adb80d2e5f43aaf9f3ee31c2d9d50bb70e1cb162fb317f8765e61
Opcode Fuzzy Hash: 34d0147a1e7c2b466caf3cabd9ad22e11cd8cbf77c2231be1ac7be3a1502214d
Instruction Fuzzy Hash: 40C08C243002084BC7042AF5A01836A7BCAEB88B21F105424A80E8B385EE3BBC028611

Function 056A70A0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45b28cf6ea067431e40db8bd24e0e3f88137ac00cf30cd2a37c0ffc209e89bd
Instruction ID: 9ec19dbab7c45cee9a5029014ca08763451a93e3651b5216cd64d3f5dd34592d
Opcode Fuzzy Hash: c45b28cf6ea067431e40db8bd24e0e3f88137ac00cf30cd2a37c0ffc209e89bd
Instruction Fuzzy Hash: BEB09B3231413517DA09719D64106BD72CE4785564F40006B951D977419CC5DC8203DF

Function 056AEC21 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412df9ddaa76db588bca07a811dd80c9ef368654d3b5e6f9ca5bfef65ac34d96
Instruction ID: 7ac2e39c10950ae5f477fca0d82ebe18a643d779a2375c6a2342b044e24a1179
Opcode Fuzzy Hash: 412df9ddaa76db588bca07a811dd80c9ef368654d3b5e6f9ca5bfef65ac34d96
Instruction Fuzzy Hash: 42C09227916E0686BA2510218D0E96AB3AAF5005217CC4056ED378AA04E226EE02EE76

Function 056A2A90 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f0eb56845d3ed88eae2aba70b82e47bd71d03790a01e1c0fbd75b05a070780
Instruction ID: 50ba7e1d0db39129c8521189e7e2e30911fae08accdd08f5518fee85a90670e3
Opcode Fuzzy Hash: 07f0eb56845d3ed88eae2aba70b82e47bd71d03790a01e1c0fbd75b05a070780
Instruction Fuzzy Hash: B7C0023B040108EFCB426FC0E908C85BFAAEB48320709C4A1FA098A032D772D574EB51

Function 056AF640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f23b91a7de96d1caa8976649afc07abb46c33fe1a5d08cb98d334186b2971ae
Instruction ID: 6a8f74afc55359eedcfef23467c5022bef1aaa823e56072f5de5807c2487c93d
Opcode Fuzzy Hash: 4f23b91a7de96d1caa8976649afc07abb46c33fe1a5d08cb98d334186b2971ae
Instruction Fuzzy Hash: 4CB0124676000947E51CADED18951B031C163C496573039F87D1EC5BE9DE13ED538606

Function 056A3080 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 056AD76C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6ab9684edbf29f9745f089a2c19404afde628b97399e0ce548a04b508881ec
Instruction ID: babcca688db74e81e3833c628e5db3d1c150cbf601cac86a24817a50d4570495
Opcode Fuzzy Hash: 1c6ab9684edbf29f9745f089a2c19404afde628b97399e0ce548a04b508881ec
Instruction Fuzzy Hash: 17B012BF298241A27100B3644DA49ABF421FBA3B04F508C09B345100018465AC39E93F

Function 056A4CD8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133422624.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6055b488815583e3273874246860d5f1135398d7feb6a4411cbf7a64daf319c0
Instruction ID: 4790ba7c9ed7f9a1888fd31218c670a90442af8f83e205a6d4ebe83ba2d33c87
Opcode Fuzzy Hash: 6055b488815583e3273874246860d5f1135398d7feb6a4411cbf7a64daf319c0
Instruction Fuzzy Hash: E1C00139412206CAEE00AE14E849B543BA2FB40306F225624A4016B6089BB82884CE81

Non-executed Functions

Function 076B9368 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2182a8641b80dfdb871c83f9c61ba12617f4c4052a9c0c48bac201464a43d41d
Instruction ID: b72d6260a0e2130f4f683304879163a5b746fff70999cc8d9cebc2a5aa555079
Opcode Fuzzy Hash: 2182a8641b80dfdb871c83f9c61ba12617f4c4052a9c0c48bac201464a43d41d
Instruction Fuzzy Hash: 36E10BB4E102198FCB14DFA8C5809AEBBF2FF89304F248169D555AB356D730A981CFA1

Function 04AE0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4251b2fec2543332ab3d94ae071306cbfed5faf539219edbe7c94a928d40ad02
Instruction ID: a1798eecf489907641a678f6b8da4d1ad79c53358369270a86a4fe6068080586
Opcode Fuzzy Hash: 4251b2fec2543332ab3d94ae071306cbfed5faf539219edbe7c94a928d40ad02
Instruction Fuzzy Hash: E112A8B2C82B458BE790CFA5F84C1893BB1B745338BD14A29E3621B2E5D7B4117ACF44

Function 076BA618 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62585558850b6088bcb8aa8be517de363d84d8fd2f95ed9bf9a7754c38b231e0
Instruction ID: 1aecef4570159f37473d75d657332b10a93a6918fde30798dc689033c71f8f3f
Opcode Fuzzy Hash: 62585558850b6088bcb8aa8be517de363d84d8fd2f95ed9bf9a7754c38b231e0
Instruction Fuzzy Hash: ABE1E8B4E101198FCB24DFA9C5809AEBBF2FF89304F24C169D455AB355D730A982CFA1

Function 076B8F40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbede9aa3a0b46dd90869980d062163fbc8cffdf44cdf956f75eba9df8f556e5
Instruction ID: c1978755cf82fe9da2c5332c900878b4eb7f35049f848de9e1a95333cca316dc
Opcode Fuzzy Hash: fbede9aa3a0b46dd90869980d062163fbc8cffdf44cdf956f75eba9df8f556e5
Instruction Fuzzy Hash: 19E108B4E10219CFCB24DFA9C5809AEBBF2FF89304F248169D555AB355D730A981CFA1

Function 076BAFC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9baf14cb5c3ba5f3b2d8f74c201c87b866fb52fa69d2f9165daa91201784200a
Instruction ID: d3dd9eb6aae095997637486c304288dd959d621ee6b69e562582a6a518cc826b
Opcode Fuzzy Hash: 9baf14cb5c3ba5f3b2d8f74c201c87b866fb52fa69d2f9165daa91201784200a
Instruction Fuzzy Hash: D4E1FBB4E101198FDB24DFA9C5809AEFBF2FF89304F248169D459AB355D730A981CFA1

Function 076B8B08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136709736.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76b0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ef9c9ddc3018400635508c4439feec6a3e4e3a02447287dbeb7f2233bbc003
Instruction ID: 09153f594d62e515a8299c7d8e74048b745a8c313547415856ab9e8775ea782d
Opcode Fuzzy Hash: e6ef9c9ddc3018400635508c4439feec6a3e4e3a02447287dbeb7f2233bbc003
Instruction Fuzzy Hash: 0FE1DCB4E1011A8FCB24DFA9C5809AEFBF6FF89304F248159E455AB355D730A981CFA1

Function 04AEEF28 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3869a74f4b1156cc32b69622098cad993d7574bc7ba831848ee6a857c11793c0
Instruction ID: f459837cfa786523253fd720d481c7f557ff84bc075cbe6df37cf027fbde7923
Opcode Fuzzy Hash: 3869a74f4b1156cc32b69622098cad993d7574bc7ba831848ee6a857c11793c0
Instruction Fuzzy Hash: 5BE11935D2065A8ACB11EBA4D95069DB7B1FFD6300F20C79AE4097B251EB706EC9CF41

Function 0228D3A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122866054.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631ec08310f0dba81c73d00106eae89da9bcced7154695ed3b02302205b5eab
Instruction ID: 10495392a81d6af6bc47b1ce8b8f3ee3530c8e4483c95c6b46fac198af4df0b7
Opcode Fuzzy Hash: f631ec08310f0dba81c73d00106eae89da9bcced7154695ed3b02302205b5eab
Instruction Fuzzy Hash: 5CA17E32E212158FCF05EFB4C94459EB7B2FF84304B65856AE901AB6A9DB31E916CF40

Function 04AEEF38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfcbb748e012eed46588dc89058fbd1584835fffc446c90f6d5567e6e396c1b
Instruction ID: 00ca6d6cfa1d8f8e0c74aef0abd29f9f77c55e04c564d5cc749be5010e3a33e3
Opcode Fuzzy Hash: 7dfcbb748e012eed46588dc89058fbd1584835fffc446c90f6d5567e6e396c1b
Instruction Fuzzy Hash: CED10835D2065A8ACB01EBB4D99069DB7B1FFD5300F20C79AE5097B254EB706EC9CB81

Function 04AE1090 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132764573.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_ZpYFG94D4C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07971a2bceb7390a5518ebf7ad45be49a13aad2e8a845a71ef8873edf758bd62
Instruction ID: 8aa74d700f4c60e21e749d2cd96de4dedb3c1813fca59fe722cf0d5f3e040ddb
Opcode Fuzzy Hash: 07971a2bceb7390a5518ebf7ad45be49a13aad2e8a845a71ef8873edf758bd62
Instruction Fuzzy Hash: C6915B70B007069FCB44EF79D89056ABBF2FF883107108939D81ACB755EB74E9528B94

Analysis Process: RegSvcs.exePID: 1220, Parent PID: 1776COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.2%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 010D6880 Relevance: 5.3, Strings: 4, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 010D697A
,aq, xrefs: 010D69F2
,aq, xrefs: 010D6A00
(o]q, xrefs: 010D6988

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: 2211a79ecd2464e71e442cab9235b3f54d699bb45a8badbc7be033b6717dfb81
Instruction ID: ec08d9b2d18dbd8fb806ea87c97bca24b2589ca81cccda980fc891dcd9706757
Opcode Fuzzy Hash: 2211a79ecd2464e71e442cab9235b3f54d699bb45a8badbc7be033b6717dfb81
Instruction Fuzzy Hash: FAD13B70A0020ADFDB55CFA9C984AADBBF6FF88310F1584A5E585AB261D732EC41CF51

Function 010D6108 Relevance: 3.0, Strings: 2, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 010D650E
(o]q, xrefs: 010D6642

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 7ecf9c2c43113be18b4df967e66ac3b54f74109811cf8baa96d8ab8662ae2402
Instruction ID: 3cc5ca84f158c5178df600935acb14cf703d2520659ab06ffc0606437efba050
Opcode Fuzzy Hash: 7ecf9c2c43113be18b4df967e66ac3b54f74109811cf8baa96d8ab8662ae2402
Instruction Fuzzy Hash: EA128070A0021A8FDB14DF69C894AAEBBF6BF88300F148569E585DB395DF35DD42CB90

Function 010DC190 Relevance: 2.7, Strings: 2, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DC3F8
PH]q, xrefs: 010DC3E7

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 64be3d2de6083baa1cf0a906dd7ef6b593cc0af2341b8d968fa31debb979009d
Instruction ID: 0cd80553753269d575245763a37396a05e633a784138fd56c68747d8962099ce
Opcode Fuzzy Hash: 64be3d2de6083baa1cf0a906dd7ef6b593cc0af2341b8d968fa31debb979009d
Instruction Fuzzy Hash: 2791E474E00218CFEB54DFAAD984A9DBBF2BF89300F14C069E859AB365DB349945CF50

Function 010DBEB3 Relevance: 2.7, Strings: 2, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DC107
PH]q, xrefs: 010DC118

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: e9d7c94994ea83d65c1c5cfefc0a375bf2df121f215c2571ad941bd938a5979b
Instruction ID: 98ce5810a95ca95ccf0dbb85190f81b1d8b4cb482169f0383c4e3b2aead4a3f0
Opcode Fuzzy Hash: e9d7c94994ea83d65c1c5cfefc0a375bf2df121f215c2571ad941bd938a5979b
Instruction Fuzzy Hash: 9791F7B4E00258CFEB14DFA9D984A9DBBF2BF89300F14C069E449AB365DB319941CF51

Function 010DBBD3 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DBE27
PH]q, xrefs: 010DBE38

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c8fde60b4f6abca96c35c22c98c716646be2a24eb1b125f2da1c59bb26d5924a
Instruction ID: 276b3a86c1249cfada148ffb25a07358a3ec827cbd558d689debd4f3a4bfde9f
Opcode Fuzzy Hash: c8fde60b4f6abca96c35c22c98c716646be2a24eb1b125f2da1c59bb26d5924a
Instruction Fuzzy Hash: A881E474E00218CFDB58DFAAC884A9DBBF2FF89300F1580A9E559AB355EB349941CF11

Function 010D4ADD Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010D4D30
PH]q, xrefs: 010D4D41

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: e97e39a99c06125604dfc14c6d0f1e2042c94d8f49b67b79993a154ab51609a6
Instruction ID: 9342c573ab1bb82dab80fad54d0998c665a561aa3a94704c61a66c962a3f3e82
Opcode Fuzzy Hash: e97e39a99c06125604dfc14c6d0f1e2042c94d8f49b67b79993a154ab51609a6
Instruction Fuzzy Hash: 7881C074E00218CFDB58DFAAD884A9DBBF2BF89300F149069E858EB365DB349945CF11

Function 010DCA31 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DCC98
PH]q, xrefs: 010DCC87

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 53def9e692f5846346175b342321634dcf8c3d1cdd65e8ed4bcb8b5d79fcbe73
Instruction ID: 671e53938f574c61a45602d2887ab832bdabdc8d5d955c92ce6e7fbe29eeb514
Opcode Fuzzy Hash: 53def9e692f5846346175b342321634dcf8c3d1cdd65e8ed4bcb8b5d79fcbe73
Instruction Fuzzy Hash: E881B574E00218CFEB58DFA9D984A9DBBF2BF88310F14D069E549AB365DB349941CF50

Function 010DC759 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DC9A7
PH]q, xrefs: 010DC9B8

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c7457e97ade1ba75f992776c7525d75167c00d205658f48b5cc71bb755d0e6a7
Instruction ID: b78732a468caf20f8d3a073b1dd7055e44d3ea599fa801a4e35ab58524f3a13b
Opcode Fuzzy Hash: c7457e97ade1ba75f992776c7525d75167c00d205658f48b5cc71bb755d0e6a7
Instruction Fuzzy Hash: 7581B074E00218CFEB58DFAAD984A9DFBF2BF88310F148069E449AB365DB349941CF50

Function 010DB4F7 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 010DB747
PH]q, xrefs: 010DB758

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 7ec59b95d0708ea21a71adc7d0709bd742076c3de281cb7d763f883cfdc228ca
Instruction ID: 7b488ba06983bb083cf77d71fe3ffb59f40435c192a12bb4f4206b771fac60ab
Opcode Fuzzy Hash: 7ec59b95d0708ea21a71adc7d0709bd742076c3de281cb7d763f883cfdc228ca
Instruction Fuzzy Hash: 7481B274E00218CFDB58DFAAD984A9DBBF2BF89300F15C069E849AB365DB349941CF51

Function 010DC479 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

PH]q, xrefs: 010DC6D8
PH]q, xrefs: 010DC6C7

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 4c8576f4d2edffce4ec3dbbf5f91de3401f55de549707b009bfd3bf469e62596
Instruction ID: fa57b855ef7eeda4fe35270c2046e0be3eb0df8ef6f2ee76657ef517e64c65be
Opcode Fuzzy Hash: 4c8576f4d2edffce4ec3dbbf5f91de3401f55de549707b009bfd3bf469e62596
Instruction Fuzzy Hash: 8B81B5B4E00218CFEB58DFA9D984A9DBBF2BF88300F14D069E459AB365DB349941CF51

Function 05247D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984d4576b7428fbd3031831ca620f8c86a8444dfd1327c15678cbcfe06480b57
Instruction ID: 1a21c83688ba8bc6c269b6807d9ec73960d39a6c4b95504e1dc6e1ad4ae81ff8
Opcode Fuzzy Hash: 984d4576b7428fbd3031831ca620f8c86a8444dfd1327c15678cbcfe06480b57
Instruction Fuzzy Hash: F1F1F574E11218CFDB18DFA9C884B9DBBB2BF48304F54C1A9E448AB355DB709986CF51

Function 010DF00F Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564df5e654f79822a3d8037501dca4cdb83ac7c2138fa181ca3d302d840b3b7d
Instruction ID: 23d743721f29a770f2851e84eefd2d071367debd8e4c23d81063c02af592c898
Opcode Fuzzy Hash: 564df5e654f79822a3d8037501dca4cdb83ac7c2138fa181ca3d302d840b3b7d
Instruction Fuzzy Hash: DA72B074E012298FDB64DF69C880BDDBBB2BB49304F5481EAD449A7355DB309E82CF51

Function 052411C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c28d8435fc2a5afccc3ad8280cb9b65b013746a8404651bb7ddd65c4e5ec86
Instruction ID: 4150d4f1e43d596fbd0f5e9f052afb0ea86f781fe6cc0219670094d09084d2cb
Opcode Fuzzy Hash: e2c28d8435fc2a5afccc3ad8280cb9b65b013746a8404651bb7ddd65c4e5ec86
Instruction Fuzzy Hash: 15C1B278E00219CFDB14DFA5D994B9DBBB2BF89304F1080A9D809AB354DB359E95CF50

Function 05240040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d89dc83c85cb6e605073862142c9ec5e6d52a5ed608e0fce1e54771f0f07e06
Instruction ID: 97c51cdc21a8672ea040c491d443e589764a763d841e004402bb860a1e5fe439
Opcode Fuzzy Hash: 3d89dc83c85cb6e605073862142c9ec5e6d52a5ed608e0fce1e54771f0f07e06
Instruction Fuzzy Hash: A9C1C178E00219CFDB54DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E85CF11

Function 05241620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b82b3269b4577a8bf34d881c3c917ca88fde1aa271779cde7a5c0872a9b569
Instruction ID: af517145b9bb0342c3c95c7db303c2b090db5b90699b7b7a757b0625bb92ae8a
Opcode Fuzzy Hash: 57b82b3269b4577a8bf34d881c3c917ca88fde1aa271779cde7a5c0872a9b569
Instruction Fuzzy Hash: 8EA10670D00209CFDB14DFA8C594BDDBBB1FF88304F20866AE449AB291DB749985CF55

Function 05241617 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af82e2106a3dac1796ba97899860c799bc504a6879d74fc6b16831ee9614440e
Instruction ID: 88cc7eae2494d33b9bd22191af0f95e8c4d955baec2c7cb20e4e87b14cd90a89
Opcode Fuzzy Hash: af82e2106a3dac1796ba97899860c799bc504a6879d74fc6b16831ee9614440e
Instruction Fuzzy Hash: C3A11570E00209CFEB14DFA8C594BDDBBB1FF88304F20866AE449AB291DB759985CF55

Function 05241966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4781e9d840610f6ede5635dd13882ba4e51a1b707ad82011897ddc0ed69d36f
Instruction ID: e49d40a612b5e3279594d9794e75473f6d71a06aeebb52cae6fd3ebad1892c6b
Opcode Fuzzy Hash: d4781e9d840610f6ede5635dd13882ba4e51a1b707ad82011897ddc0ed69d36f
Instruction Fuzzy Hash: F5911370D10219CFEB14DFA8C588BEDBBB1FF48310F20966AE449AB291DB709995CF15

Function 010D7085 Relevance: 6.6, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 010D7377
,aq, xrefs: 010D72F8
,aq, xrefs: 010D7308
(o]q, xrefs: 010D7367
(o]q, xrefs: 010D701A

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: b2e51cd9013ef918a22611cfce9ec8e1ee2fc034080eed3a6434bdf418d67f2b
Instruction ID: 2257bf1cbec119c2947cec09bda1b3308329166dcd8179ef8c32f6aa23cdc9e5
Opcode Fuzzy Hash: b2e51cd9013ef918a22611cfce9ec8e1ee2fc034080eed3a6434bdf418d67f2b
Instruction Fuzzy Hash: 23D15E34A00349CFCB65DF68C484AAEBBF2FF49318F158599E9859B2A1DB30ED41CB50

Function 010D56A8 Relevance: 2.8, Strings: 2, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 010D5793
Haq, xrefs: 010D57C6

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: b0837c3ebe0e835efc67591ef3a36eb6971898d8be1b778968015540b36a7f26
Instruction ID: ec178fa59f8c6830570f23bf7b9458166ed390354f5e7d69c17b9e122bbaf9d0
Opcode Fuzzy Hash: b0837c3ebe0e835efc67591ef3a36eb6971898d8be1b778968015540b36a7f26
Instruction Fuzzy Hash: CBB1AC317043558FDB569F68D894B6E7BF2BF88310F1589A9E8868B291DF34C842CB91

Function 010D87F3 Relevance: 2.8, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 010D8811
4']q, xrefs: 010D8837

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 14681012c1fa0d1f6e518e96ac431cbddba8bc1cd2908864baf6a8da096e95b1
Instruction ID: 834150a168bfd26f1532c7df145d989794f7a99282782bfc7812f3e4c652ec08
Opcode Fuzzy Hash: 14681012c1fa0d1f6e518e96ac431cbddba8bc1cd2908864baf6a8da096e95b1
Instruction Fuzzy Hash: 19B14FB07103018FEB599B2DC959B3D76D6EF85714F1884ABE682CF3A1EA64CC42C752

Function 010D5C50 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

,aq, xrefs: 010D5CDE
,aq, xrefs: 010D5CE8

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 8930035390317d7ef78ffdbcf6051fb0ee950bcfd498d07061d6d4ec6523b810
Instruction ID: 9f802fff2de93b1c32141cd09895aca3e21e5b5a0a2e4c98428d86824544002f
Opcode Fuzzy Hash: 8930035390317d7ef78ffdbcf6051fb0ee950bcfd498d07061d6d4ec6523b810
Instruction Fuzzy Hash: 98617135A0060ACFDB58EF6CC8889ADBBF2BF89301B1585A5D941AB361D731E841CF61

Function 010D341F Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

Xaq, xrefs: 010D345E
Xaq, xrefs: 010D3435

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: f2461a8f290e99968be900b1ff024e7e866c5631705586077b372d4ebac3d244
Instruction ID: dca999a56e6653e3170ab740916ef0056e05f4cf2932af78a31f7eb58b4b2b7c
Opcode Fuzzy Hash: f2461a8f290e99968be900b1ff024e7e866c5631705586077b372d4ebac3d244
Instruction Fuzzy Hash: D93126F9B003168BDB5D4A69459427EBAE6BFC4210F144479D986CB384DFB8DC418292

Function 010D8258 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

$]q, xrefs: 010D8337
$]q, xrefs: 010D8314

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: ad2ed3c02787da75fcef5cb65a3ead896ff1f88359dbd78d1b2e1bb0616cf743
Instruction ID: ea4377559d2e5b3579dad275099bbe11cea01736be006a17afd226781e7a9505
Opcode Fuzzy Hash: ad2ed3c02787da75fcef5cb65a3ead896ff1f88359dbd78d1b2e1bb0616cf743
Instruction Fuzzy Hash: F231B6303003028BDB2A9F6DD89563E7BA5BF84750719C8D7D4AADB362EF24CC818755

Function 010D9B48 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

(o]q, xrefs: 010D9C78

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: ea4017f9283470a5ac6e14375719efeb4499f6c56f824eae0e0765fee1be611b
Instruction ID: 880644f4013b5dcae6dd6e4f040918843c762ed21f6a5bc48e17a0976fed9f51
Opcode Fuzzy Hash: ea4017f9283470a5ac6e14375719efeb4499f6c56f824eae0e0765fee1be611b
Instruction Fuzzy Hash: F622503570030ADFCB15CF68C984AAEBBF2FF88354F158995E4859B292D734E841CB61

Function 0582BCD0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4536102202.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5820000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c0fdc3fa2447fbbc5a599d0726b69ff31ba90885a346fb87e0a7e3862b221ee8
Instruction ID: a537e95886147f9cb41d8d5c834b8ce7f5e26512baa13a92605103615c22f182
Opcode Fuzzy Hash: c0fdc3fa2447fbbc5a599d0726b69ff31ba90885a346fb87e0a7e3862b221ee8
Instruction Fuzzy Hash: AE7148B0A01B158FD724DF29D0547AABBF6FF88301F10892DD886DBA50D775E885CB91

Function 0582DE10 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4536102202.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5820000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dddda08498b99d54b43002b911b7d90bf731191d1985390aa660651e6b48f003
Instruction ID: 58e5661a688b162783264b58e8ca560a21df9ecc3ccf8392145fd5592857d6db
Opcode Fuzzy Hash: dddda08498b99d54b43002b911b7d90bf731191d1985390aa660651e6b48f003
Instruction Fuzzy Hash: E16125B5C05349AFCB02CFA9C844ADEBFBABF49314F15815AF808AB261D7719885CF51

Function 010D0C8F Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

LR]q, xrefs: 010D0E5E

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7ea2ddb32eb635468649b524f77c67c484b2687f812d87cf394b77f558270665
Instruction ID: 86b7b1f9d3127ae8d655e045fa137b554eba6ee1d2db53cfe5b3318240a6e0a0
Opcode Fuzzy Hash: 7ea2ddb32eb635468649b524f77c67c484b2687f812d87cf394b77f558270665
Instruction Fuzzy Hash: 3622A578A0021ACFCB54EF64E995B9DBBB2FF88301F1089A5E849A7358DB345D95CF40

Function 010D0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR]q, xrefs: 010D0E5E

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 5197579ea9e3d62a0de675e5bd8b378b7c947aed025c09e8c1b47fba2c0251a0
Instruction ID: 6f21149d91bba786ab47bcdca91caf4e342ca9ba05db0556240b616956f39962
Opcode Fuzzy Hash: 5197579ea9e3d62a0de675e5bd8b378b7c947aed025c09e8c1b47fba2c0251a0
Instruction Fuzzy Hash: E922B678A0021ACFCB54EF64E995B9DBBB2FF88301F1089A5E849A7358DB345D95CF40

Function 0582B35C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0582DFC2

Memory Dump Source

Source File: 00000005.00000002.4536102202.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5820000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 15ba2aec8843d28078c5effcf76a00d620691f74815eb8b7903039ec469adcea
Instruction ID: b9da77a65b9a273817393d8679c912e36405c9996e2901108d3a17fceda9ba5e
Opcode Fuzzy Hash: 15ba2aec8843d28078c5effcf76a00d620691f74815eb8b7903039ec469adcea
Instruction Fuzzy Hash: 9B51DFB1C143599FDB14CF99C884ADEBFF5BF88304F20812AE819AB210D774A885CF95

Function 05248174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 052482B6

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e01258d64ff06b8da04733171fdb59fd6fc7f5e8bd8e7417963a8b9ccedfcae3
Instruction ID: 02cf5f6f3d52ba3f03cc3d58a05803efc2227b9ed798f5623cfb4e006c768202
Opcode Fuzzy Hash: e01258d64ff06b8da04733171fdb59fd6fc7f5e8bd8e7417963a8b9ccedfcae3
Instruction Fuzzy Hash: 9E117974E211098FCB08EFA8D884EBDBBB5FF88304F548165E904A7241E770A981CF65

Function 0582B1A4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0582BCEC), ref: 0582BF26

Memory Dump Source

Source File: 00000005.00000002.4536102202.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5820000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0f70eb406526e963ce49b5dd556e8ba8b17ceda95cfecb7bf280e5306408224f
Instruction ID: 4b8976bb1eb210a43fe7e084ef69cee7d05a2e884208eb558004abc81143521b
Opcode Fuzzy Hash: 0f70eb406526e963ce49b5dd556e8ba8b17ceda95cfecb7bf280e5306408224f
Instruction Fuzzy Hash: 23113FB5C043498FCB10DF9AD444A9EFFF4EF88215F20842AD819B7210C379A985CFA5

Function 010DA65B Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(o]q, xrefs: 010DA7D9

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 25f4a710fce9555079e68323c8b28ad9b54173f0313c8026d7d619e798e9b34d
Instruction ID: ccaf0bc16493bc3d82e77a8440eac2308139b953e02f7b11329c4d6d535d9ca3
Opcode Fuzzy Hash: 25f4a710fce9555079e68323c8b28ad9b54173f0313c8026d7d619e798e9b34d
Instruction Fuzzy Hash: 0F41BF35B002059FCB159B78D864AAEBBF6BFCC710F144469E946D7391CE319C06CBA0

Function 010DA1F3 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4']q, xrefs: 010DA273

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: d4148dc6ad381fb45c8ae8cc9be67480c9ca37466576fa985097552f5d5b16d3
Instruction ID: 92c830d80a894286cdabb64dad1ac802184262112b6c6f8ba66a05d4ed23c044
Opcode Fuzzy Hash: d4148dc6ad381fb45c8ae8cc9be67480c9ca37466576fa985097552f5d5b16d3
Instruction Fuzzy Hash: C1414575700215CFCB158F69D888AAE7BB2BF88310F1144A9F9468B2A1CB71DD41CB90

Function 010D77F0 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8211fc7cfbd5b9a33642ae4d12e169604fc317711ccf609be66e840a6c0f155c
Instruction ID: 7dcf3b9827920b52a41c529be98e199b9f185230e025d23655fb32afbb270e7e
Opcode Fuzzy Hash: 8211fc7cfbd5b9a33642ae4d12e169604fc317711ccf609be66e840a6c0f155c
Instruction Fuzzy Hash: 57421B74A10219CFEB64DBA4C860BAEBA77FF88300F1080A9C14A6B394DF355E95DF55

Function 010D77EB Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a122b0aaa812c364e0d924b10124ff3bf1e3b912ff64daa6b0216869bd04939
Instruction ID: 1facb264c2827bb9215b67c8f519173f26c96521bd05f8fdefd2e67151748b25
Opcode Fuzzy Hash: 6a122b0aaa812c364e0d924b10124ff3bf1e3b912ff64daa6b0216869bd04939
Instruction Fuzzy Hash: E4421B74A10219CFEB64DBA4C860BAEBA77FF88300F1080A9C14A6B394DF355E95DF51

Function 010D7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb08dc3f125dc8605d064d25882328d479f2e01bba089860638aec8f387e0aa
Instruction ID: 1315cd68fe8b2075b71fcaf9016e3fca7b0b0696ae7ceef57c38a9a946ddb6f2
Opcode Fuzzy Hash: aeb08dc3f125dc8605d064d25882328d479f2e01bba089860638aec8f387e0aa
Instruction Fuzzy Hash: E57118347002568FDB55DF2CC498AAE7BE5AF49348F5900A9E946CB3B1DB70DC41CB91

Function 010DCEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c659a42f28cc2d007fef726590c9d30ed1f60f2557daf82c5372d33843dfcbf1
Instruction ID: 229770fd54cb7328eed14f4ab8778464dbeaf37a7b3d8d1e1c75fc1b7b21df12
Opcode Fuzzy Hash: c659a42f28cc2d007fef726590c9d30ed1f60f2557daf82c5372d33843dfcbf1
Instruction Fuzzy Hash: AC51C1B88A5B478FD2142F24A6EC16ABBA0FF1F3177046D84B08E95815DF75946ACB20

Function 010DCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ad4d184faa905c2468bf459b573cd1b5a0e321a27fea1687e13b4b0a4a3e6e
Instruction ID: 5978dbf2a2a58c18358a0924dc00fb5e362f096c69aa28bf57c7fad3d52a0fbd
Opcode Fuzzy Hash: e5ad4d184faa905c2468bf459b573cd1b5a0e321a27fea1687e13b4b0a4a3e6e
Instruction Fuzzy Hash: 7651B0B88A1B079FD2142F24A6EC16ABBA4FF4F3177406C48B08E95815DF75946ACB20

Function 010D9904 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f281d2656753ce52a52c47b98eb022c24e87d86a36e31309dcf5bb09e6b91f67
Instruction ID: d3f73d49da5a1234888d4ea0129d00af7098c808367e1eba5b3cc3c820e5e8d9
Opcode Fuzzy Hash: f281d2656753ce52a52c47b98eb022c24e87d86a36e31309dcf5bb09e6b91f67
Instruction Fuzzy Hash: C0517671E0035A9FCF09CFE8C8549DDBFB2BF88304F14845AE845AB261EB349956CB90

Function 010DE2E3 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b998e8ae12804bcce3bb358a837aa3694fbe2ef7c7066096b0cb55d7fe1a98
Instruction ID: 65154ed3ae5083a3a760ec1b6f3b0182c0cd59ca8742d47c855484ebefdbf034
Opcode Fuzzy Hash: 73b998e8ae12804bcce3bb358a837aa3694fbe2ef7c7066096b0cb55d7fe1a98
Instruction Fuzzy Hash: 44511374D01319CFDB14DFA4D998AAEBBB2FF88304F208529E809AB355DB355986CF41

Function 010DCD15 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352ae6c27f46c2f42544e11c6980a600f976c48ec03b79add4c3bf24476f6837
Instruction ID: dc76816f1eba4e3c0904f931038d58e1d83174c958a8594d21514290b94cec09
Opcode Fuzzy Hash: 352ae6c27f46c2f42544e11c6980a600f976c48ec03b79add4c3bf24476f6837
Instruction Fuzzy Hash: A7518174E01208DFDB58DFAAD5849DDBBF2BF89300F208169E819AB365DB31A801CF40

Function 010D3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c04ae9f068631b5545cf1e3b606459152612c5e7ed2050d04bd7ac02038c2f1
Instruction ID: 596e57b9c2103126743ad3a58b275e1eac930566461c102d31d2369e2c0400ab
Opcode Fuzzy Hash: 7c04ae9f068631b5545cf1e3b606459152612c5e7ed2050d04bd7ac02038c2f1
Instruction Fuzzy Hash: 68518378E01308CFCB48DFA9D59499DBBB6FF89310B209469E809AB364DB35AD41CF50

Function 010DF0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d874ea59c8a661cbf5042d669f42423eb694874d85d508b4b0fcca578072539
Instruction ID: 7956cee2ad6e2acffb92d28249ea88adcacc364c37bd724bf21b1a899aace0f5
Opcode Fuzzy Hash: 7d874ea59c8a661cbf5042d669f42423eb694874d85d508b4b0fcca578072539
Instruction Fuzzy Hash: 0051AE74E01229CFCB64DF68D984BEDBBB1BB49305F1095AAE409A7350D735AE81CF50

Function 010DD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c21784d130eae455f621c4a2c631b5facb8a97595a8836519c6fd3174a65189
Instruction ID: 6256f7c9ff1fc42f337143dafa321c7cf242ab596196fa44acff3fe064bdeb47
Opcode Fuzzy Hash: 7c21784d130eae455f621c4a2c631b5facb8a97595a8836519c6fd3174a65189
Instruction Fuzzy Hash: 2F414374D00249CFCB15EFE8D4846EDBBB1FF89300F61915AD49AA7284EB34A882CF54

Function 010D6730 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241fa82a33f7c1202ecdf51dc5c2b691320df21afd74a351e5e603373d2650f1
Instruction ID: 7b42f6852f4f72eefb0ff0a26b11cea716500feefc6078e3f268f7a104c92a02
Opcode Fuzzy Hash: 241fa82a33f7c1202ecdf51dc5c2b691320df21afd74a351e5e603373d2650f1
Instruction Fuzzy Hash: 7741AE30A00309DFCB119F68C844BAABBF6FF88304F05846AE8959B241DB75DD55CBA1

Function 010DD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbe0cee5a7c615417a5302de7768b5101fdb07c13304f17adcfe030b8ae791b
Instruction ID: 52a2be79d4bbbb0f1194b2ccea219f530d68d17d943c55189a418b44ff9202e8
Opcode Fuzzy Hash: 3bbe0cee5a7c615417a5302de7768b5101fdb07c13304f17adcfe030b8ae791b
Instruction Fuzzy Hash: E6412374D01249CFCB11EFE8D4946EDBBB2FF49310F21916AE489A7284E735A881CF54

Function 010DD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10bc7a644801c45f144a3740965507c153d911560e1db4878c911dfdd61e9ca8
Instruction ID: b6bf67811955430f663618f17db3f29f5b3fd086342fe8ae3cce7096cd535863
Opcode Fuzzy Hash: 10bc7a644801c45f144a3740965507c153d911560e1db4878c911dfdd61e9ca8
Instruction Fuzzy Hash: 83411374D012088BDB04EFA9D444AEEFBB2BF89300F55D16AD848A7294EB75A841CF94

Function 010D4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5827d0c1cacde9f22ca5dc8edfe5a4ac654ceed2bb829dc4b2cd261b23de0c3
Instruction ID: 76aef2462badae0f59e63b755691e0516df4f8ad362ff9359f8d9fd3e65859ee
Opcode Fuzzy Hash: f5827d0c1cacde9f22ca5dc8edfe5a4ac654ceed2bb829dc4b2cd261b23de0c3
Instruction Fuzzy Hash: 1331813160424AAFCF169F68D894AAF7BA6FF88300F004424F956CB651CF35DC66DBA0

Function 010DA84F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236dd3032acb522eb95eb650f5d2806a407b6b30a0f92329a9cf90f21667bcf4
Instruction ID: fad5a6bd9c456948a43145ae33ba6bb1ad13ea34f1d976b94f16fd0e416e412d
Opcode Fuzzy Hash: 236dd3032acb522eb95eb650f5d2806a407b6b30a0f92329a9cf90f21667bcf4
Instruction Fuzzy Hash: 9031C171F0030ACFC705CF68C4846AEFBB2BF85310B158456D6949B3A2C7359852CB90

Function 010D76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd1b4bcdc489ab46d100dca8a986e903b2578047dcae793ee29b8077f80f2de
Instruction ID: 2084005da079804a49e735a6721f99ccb048dfa85d0fdb63bcb5b6200058aef3
Opcode Fuzzy Hash: 4bd1b4bcdc489ab46d100dca8a986e903b2578047dcae793ee29b8077f80f2de
Instruction Fuzzy Hash: 572180383003128BEB651A29C894A7E36D7BFC875CF1548B9D646CB795EE25CC43D781

Function 010D76DB Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df20c65ddd289ea8cdd04dfccbdde7ddd91d3680fccf4fabb883bd824d9b909
Instruction ID: 441286c3b3032ee5f98e5791d5e660a961ff9f4d6d8d79c1678f71ceccd50daf
Opcode Fuzzy Hash: 8df20c65ddd289ea8cdd04dfccbdde7ddd91d3680fccf4fabb883bd824d9b909
Instruction Fuzzy Hash: CB2192343003128BEB661B3D8894A7E36D7BFC865CB1548B9D646CB755EE25CC429781

Function 010D2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd2c8e94398add0b8d6152d051211a15f48dd3c7a2e295ec145622fd9959192
Instruction ID: 997bf5f133f0ca7c6630205157b1b31288ec0be33529a5298567de5e342ffd18
Opcode Fuzzy Hash: edd2c8e94398add0b8d6152d051211a15f48dd3c7a2e295ec145622fd9959192
Instruction Fuzzy Hash: E521C139A002059FCB15DF78D8509AE77B6EB98264B10C459E94A8B340EB35EE46CBD2

Function 010D5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ac33ffadaa0c536f156e913dcdc0c9e20c7e8f428c175c751cba2e73bf895e
Instruction ID: 6482f93f4b65a571cc674c38deed356884647ee59f7f4a777d8473c75585e965
Opcode Fuzzy Hash: 88ac33ffadaa0c536f156e913dcdc0c9e20c7e8f428c175c751cba2e73bf895e
Instruction Fuzzy Hash: B321AE357007228BD7259A29C8A492FB7A6AFC9761B1541A9ED46CB354CF30DC02CBC1

Function 0104D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4532853109.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_104d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734e6e150ee7246cc6f02eb1ae8cffbd4f924876b4394dbbaffe89561da08ea5
Instruction ID: 24665fa55226ed8fac623695bb322232835f2db63597fcfd974efb2eb98aba74
Opcode Fuzzy Hash: 734e6e150ee7246cc6f02eb1ae8cffbd4f924876b4394dbbaffe89561da08ea5
Instruction Fuzzy Hash: 792167F1504204EFCB11CF98D8C0B2ABBA5FB94314F20C9BDE9890B242C736D446CB61

Function 010D39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a1725b9df24d2f9d777863b6c7d4aeba5d83530d28c96573a639db02decb1c
Instruction ID: e12619a8d7d80a705986a2a1eacb1e04cd34b978cdc1ec50d504aaec976ff40d
Opcode Fuzzy Hash: f3a1725b9df24d2f9d777863b6c7d4aeba5d83530d28c96573a639db02decb1c
Instruction Fuzzy Hash: 0131A578E11309CFCB44DFA8E59499DBBB6FF49305B208469E809AB324DB31AD45CF41

Function 010D4DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d66a113fbbe57ee6176879bdbcd1e3dc84f5c1bc59c7dd69fe7f643949d61cb
Instruction ID: b024be3c6e9fd474ec51206c87ff33c41a1e7fe109ef04729c97bbdabc9259e9
Opcode Fuzzy Hash: 2d66a113fbbe57ee6176879bdbcd1e3dc84f5c1bc59c7dd69fe7f643949d61cb
Instruction Fuzzy Hash: 2021C231608245AFCB229F68D4946AB3FA6EF84310F044469F495CB642CF38DC16CBA0

Function 010D9B43 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff70ecc9fa4e95b4e48e59fc1346df7e381aedc9e552260883917c20ad69a107
Instruction ID: 097c78b073c17b9bc050726882da758ee2a931f24a851768b52ba2b6316af2ad
Opcode Fuzzy Hash: ff70ecc9fa4e95b4e48e59fc1346df7e381aedc9e552260883917c20ad69a107
Instruction Fuzzy Hash: E821E431A00349DFDB15CF68C940B9EBFF2EF85328F058695D5989B292D371E810CBA4

Function 010D5A63 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa3e1add7babd8dadd4a9321e8ff184782682a3c53491eadd749b84ccd91946
Instruction ID: 5aef2f7d1f92fe8c24938424f4aabadc27052b86e188b1b3d4869a934a1711d5
Opcode Fuzzy Hash: 4fa3e1add7babd8dadd4a9321e8ff184782682a3c53491eadd749b84ccd91946
Instruction Fuzzy Hash: C611C4317047129FD3165B69C8A452EBBF6EF8925070944A9ED46CB351CF20DC02CB81

Function 010DE203 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2895929141be8297480d84eadb2fca48efc5d159720770fd599b137a2e3033c6
Instruction ID: 28031d107f1bec7b7c2095d85850eb88930e0ad6ed834108d897eb19b2ba903c
Opcode Fuzzy Hash: 2895929141be8297480d84eadb2fca48efc5d159720770fd599b137a2e3033c6
Instruction Fuzzy Hash: 54211AB4D0010A9FDB45EFB8D58479EBFF2FB85300F2085AAD4449B215EB355A5ACB81

Function 010DD617 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a24d76e2248d336942b78a39112b0ee35a46f834fdecdf672156da1091a354
Instruction ID: 9887db5a87f241c709a3557740ff416ac8d4deed925d29b496a446183b37944f
Opcode Fuzzy Hash: 01a24d76e2248d336942b78a39112b0ee35a46f834fdecdf672156da1091a354
Instruction Fuzzy Hash: 01113A70D002498BDB18DFEAD4446EEBBF6AFCD310F14D066D858B72A5DB3058568F54

Function 010D1F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a2b27431ad2c9684faf8010b698d590c40e13d7665b80aff241e140b4a26ef
Instruction ID: ecbfb44ffbaf168e373b551e5000330138615cb2d4ea7282a5f13d70d7a0ca3a
Opcode Fuzzy Hash: e1a2b27431ad2c9684faf8010b698d590c40e13d7665b80aff241e140b4a26ef
Instruction Fuzzy Hash: A32136B4C0560A8FCB40EFA8C5445EEBFF1FF49300F1041AAD945B7264EB349A46CB91

Function 010DE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dfb2ce3e52b0327b37e75e4bf19e939cec596c5a248033398dbff28ab06af8
Instruction ID: c1a1602a541715d14dc522486eeceb401722c8c5e32fdca1dc2c73f94ba2ebdb
Opcode Fuzzy Hash: 87dfb2ce3e52b0327b37e75e4bf19e939cec596c5a248033398dbff28ab06af8
Instruction Fuzzy Hash: 9F113AB4D0020ADFDB44EFA8D58479EBBF2FB84300F2085AAD4489B214EB345E56CB81

Function 010D1F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e583600069be5420afb1f0f666188a667e34c9ee0aa639b9d75193fe42d1278
Instruction ID: f5f143d67d76c7ed1678cee2e62a5f23ce2925bd8df9f2ed89555359e0c8f381
Opcode Fuzzy Hash: 5e583600069be5420afb1f0f666188a667e34c9ee0aa639b9d75193fe42d1278
Instruction Fuzzy Hash: AC21CFB8C0520A8FCB40EFA9D9856EEBFF0BF09300F10456AD845B3250EB345A56CFA1

Function 0104D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4532853109.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_104d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 4ad3fe4aa630b382e075fee55281535929ce7660dc15a9faedefcab7c5502642
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 8111DDB5504284DFDB12CF54D9C4B15BFA2FB88314F24C6ADE9894B662C33AD44ACF62

Function 010D5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8364cd7e82461ab3725a995aa9d4702b3b692846633a004b0150d9be99c8c0e7
Instruction ID: 0eceaa48f778600aa3f5d7ab826ba684976ba5f0d006359abfec3ad653ebf80c
Opcode Fuzzy Hash: 8364cd7e82461ab3725a995aa9d4702b3b692846633a004b0150d9be99c8c0e7
Instruction Fuzzy Hash: 4101D271B042155FDB028E68AC10AEE3FF7DFC9251B1880AAF945CB294DE71C812C790

Function 010DD453 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f52469aed22e8da37479982151c0c5a3f5836e75322f4d9605faaff2ac6ad7
Instruction ID: c9c5dd7fa07a6248f85f38105824c4074664d16c2aae0b3358bfc36b9e6463a9
Opcode Fuzzy Hash: c2f52469aed22e8da37479982151c0c5a3f5836e75322f4d9605faaff2ac6ad7
Instruction Fuzzy Hash: 20E02674C4020897CB10AEE9EA0C3EAB7B5DBCA311F40A421D244A2184CF7921168B91

Function 010DDF13 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96f995352c1408885aa5990c1a576071bb8b3265b6f76c0fe99965e13636e23
Instruction ID: 2054d2c567bf15cd4afb501610dc97b9a466bdc68578e0b0a20474e41cd4eb6d
Opcode Fuzzy Hash: c96f995352c1408885aa5990c1a576071bb8b3265b6f76c0fe99965e13636e23
Instruction Fuzzy Hash: CCE02634D002089BCB04AED9E9083EAB7F5EB8A311F409461E644A3180CB7A851A8B91

Function 010DD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1129bcbb24c476884b4788c41b67cee447ed4ce49aeac303b6f0a063ea2e7064
Instruction ID: 1baafbf2af0b33c17f43910d8bafc74c79651c27dfff966b4e8422eb134a9191
Opcode Fuzzy Hash: 1129bcbb24c476884b4788c41b67cee447ed4ce49aeac303b6f0a063ea2e7064
Instruction Fuzzy Hash: A5E026E2C09340DBE7209BEA69260F9BF70CDE7251784A0C7D0C9DB5A9DB19E206DB11

Function 010D2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a594ef34090771f72bd6982ffe1a7ddf9ea98ec0359fac9cee4a900d42e31fa2
Instruction ID: 81a7535741f0bb05ff766ce4813b0d4f2a2a33fc5bee85a7914a3216a6e0e4c8
Opcode Fuzzy Hash: a594ef34090771f72bd6982ffe1a7ddf9ea98ec0359fac9cee4a900d42e31fa2
Instruction Fuzzy Hash: 2CE06831D243D396CB12ABB4AC044EEFF30AF83220F4442D7E0642E492E730158AC392

Function 010D2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2abf546f6295b99d2abb194b1b5771787dcbab5470957903f29ec7fdd1e49bb
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: b2abf546f6295b99d2abb194b1b5771787dcbab5470957903f29ec7fdd1e49bb
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 010D8253 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6151d7b1d3b1172bf5584a8cbc85d66b0e5e397391462f4434b0848a5003be9f
Instruction ID: 8b3f438c078d8ce39cd6e0827b908f7cdeb4f458571bd2dd0826c9b190964860
Opcode Fuzzy Hash: 6151d7b1d3b1172bf5584a8cbc85d66b0e5e397391462f4434b0848a5003be9f
Instruction Fuzzy Hash: F1D0123764C5645EA626008D7C41AF66BCDCAC93B5B2941F7F99CD776098428C5141A4

Function 010DA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99416af67fd1302ce517c46f966fc2cb4461ba4f243553a4e44404be6beb9c36
Instruction ID: 5b90c4560535c0e0c84b9645b9b7ab914828ec4ad047513a171b015b8dd7261d
Opcode Fuzzy Hash: 99416af67fd1302ce517c46f966fc2cb4461ba4f243553a4e44404be6beb9c36
Instruction Fuzzy Hash: 75D0677BB410199FCB049F9CE8508DDB7B6FB9C321B048526E925A3261C6319921DBA0

Function 010D5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3ac816d25d7b4708d3da969b1914da93ad70f3e22a2bea13c22ffbc2e40da0
Instruction ID: e0c536b241b290a2203f979047906b7762b2ca72b53fb142d80dc3a38a79ee31
Opcode Fuzzy Hash: ad3ac816d25d7b4708d3da969b1914da93ad70f3e22a2bea13c22ffbc2e40da0
Instruction Fuzzy Hash: 79D0C2744083828BC722E374F9915983F32AA80204B604994B8414A006EF795C5B8B50

Function 010DFBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d358f90ffa1347fceed067115ce9c533c185c447cb17a43314fef0c0ba3d9af
Instruction ID: 41ac4a1146c82e4cc78585bfee4b230bfc1351ff18e9c5c83ee8fecda47b5e89
Opcode Fuzzy Hash: 3d358f90ffa1347fceed067115ce9c533c185c447cb17a43314fef0c0ba3d9af
Instruction Fuzzy Hash: ECD06774D4421ECBCB20DF98EA442DCBBB0EF85300F1014D69809B3200D7305AA18F11

Function 010D5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377578a4f8911cf74a31b3ebdfd490e0adafced4bd6b6ef8472428b5cf9ffe1f
Instruction ID: 726bad8682d07aac3df8961593a3079994b982a248f60748177124af14208677
Opcode Fuzzy Hash: 377578a4f8911cf74a31b3ebdfd490e0adafced4bd6b6ef8472428b5cf9ffe1f
Instruction Fuzzy Hash: 91C0127450430B87C655F775FA45655776BBBC0304F704D10B40A4A119EF7C6C954690

Non-executed Functions

Function 010DE528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 010DE643

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 3529f813f6077d69d2414cc17e997d16f1a94c1de40ab776c9628ec7c0a8e6f4
Instruction ID: e42c2f63413839a8cc891254114e3c185abda4b2802265072849999a4deb337f
Opcode Fuzzy Hash: 3529f813f6077d69d2414cc17e997d16f1a94c1de40ab776c9628ec7c0a8e6f4
Instruction Fuzzy Hash: 64528C74E01229CFDB64DF69C884BDDBBB2BB89304F1485EAD449AB254DB319E81CF50

Function 05240900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3523f7d46b155100cc42b38a057a708c6e31f7da8d3e2c0d68df530509143406
Instruction ID: 7e2db60fd876284a2b0bc0c60e31e96c9b2b198effe2e3614250c2073ad9ba28
Opcode Fuzzy Hash: 3523f7d46b155100cc42b38a057a708c6e31f7da8d3e2c0d68df530509143406
Instruction Fuzzy Hash: AFC1B078E00219CFDB54DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E85CF51

Function 0524E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7f8d4561c752c5707254ef0fbf3fd326bc2b0a55ec0b975d922997b77b0544
Instruction ID: 9d5dee2e59b11e518700f1e7720636dc61f7b3c23c2f315d4fa8224a2ee14670
Opcode Fuzzy Hash: db7f8d4561c752c5707254ef0fbf3fd326bc2b0a55ec0b975d922997b77b0544
Instruction Fuzzy Hash: 38C1D274E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E85CF51

Function 05240D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eafc7d6dab55bfeb0558dc5e7cc2098b2bceeebfe768df52e658a4440db6af8
Instruction ID: a84723e9c46d99baabddaf815c3da3cf63844bd93bf07e166cd22026a43ec72a
Opcode Fuzzy Hash: 9eafc7d6dab55bfeb0558dc5e7cc2098b2bceeebfe768df52e658a4440db6af8
Instruction Fuzzy Hash: 66C1B278E00219CFDB54DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E95CF50

Function 0524ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a929399345c25327872f0dcdb4a62ae57e1e3f512508c460f6a098c5dfa7402
Instruction ID: 0b07cadbc6cd257d9fc04df7d47af80a7eb26cfee7fc7de870bf2ca875602e6b
Opcode Fuzzy Hash: 7a929399345c25327872f0dcdb4a62ae57e1e3f512508c460f6a098c5dfa7402
Instruction Fuzzy Hash: 43C1C074E10218CFDB18DFA5D994B9DBBB2BF88304F2480A9D809AB355DB359E85CF50

Function 0524B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc22b36c16b66130878aa683b10ac9dc61d49cf37f6549a064fb9812500f29a
Instruction ID: 1b1c447e987ba2a5b6f39af18da55d39237177e06b6820f9ec41861640bfa2b9
Opcode Fuzzy Hash: 1dc22b36c16b66130878aa683b10ac9dc61d49cf37f6549a064fb9812500f29a
Instruction Fuzzy Hash: 74C1C274E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a987eeeb071210e84afa26fa0b9ae9fa2ee5426ecccb7a7f8fe0a7b5eafd457
Instruction ID: 410cc781cc7a21d6d280bb8e2dfdc60ee3fda14264a23e062eb13b8ab7b926da
Opcode Fuzzy Hash: 2a987eeeb071210e84afa26fa0b9ae9fa2ee5426ecccb7a7f8fe0a7b5eafd457
Instruction Fuzzy Hash: F6C1D274E10218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca15eda78deebb082b4c7c6e2a10fc574a017beb99e8a84cef751b3fe0878f06
Instruction ID: 08b0ee007ca38e128ba3a58d4c0d7a42b1c19c99de27c5bc76a95295233f8264
Opcode Fuzzy Hash: ca15eda78deebb082b4c7c6e2a10fc574a017beb99e8a84cef751b3fe0878f06
Instruction Fuzzy Hash: 28C1C374E11218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bab1e3663ddbbb4a635ae9350bfdf363f6d5ef0ceb69c6f4c9ee6a328291dad
Instruction ID: 4e8261189fec3ca7a75cc2ddf4ec2d5f190add0109ed606ff20169f8582f2bf5
Opcode Fuzzy Hash: 6bab1e3663ddbbb4a635ae9350bfdf363f6d5ef0ceb69c6f4c9ee6a328291dad
Instruction Fuzzy Hash: 87C1C574E11218CFDB18DFA5D994B9DBBB2BF88304F1080A9D409AB354DB359D85CF50

Function 0524DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4677bbae75779cad9d75a6b7a5e5ccaae5ef7c5875312658281df4481a549f6
Instruction ID: 692b054836e8df73fdef7c5bff2ba32abef4199c0a182c25af5775ee6e80201b
Opcode Fuzzy Hash: e4677bbae75779cad9d75a6b7a5e5ccaae5ef7c5875312658281df4481a549f6
Instruction Fuzzy Hash: DEC1C274E10219CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b819d3d267e92748293e12864a2d9c5a7b4da46535e6acfc6e13dd0e4db07a80
Instruction ID: 8b74e58a1d204bc2eec4c2b6c607f55e3cec315bf31e608a998a1c636e2da71c
Opcode Fuzzy Hash: b819d3d267e92748293e12864a2d9c5a7b4da46535e6acfc6e13dd0e4db07a80
Instruction Fuzzy Hash: 80C1C374E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF51

Function 052404A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3823c6c37aaa2a64741159ee13d4e447d087d5362ca3a8fa69c529413f0faf9a
Instruction ID: 2793e697ef1c10d105a97a3a771b5b09f028c2bfdddd5fbf9ec7dbcce3095e81
Opcode Fuzzy Hash: 3823c6c37aaa2a64741159ee13d4e447d087d5362ca3a8fa69c529413f0faf9a
Instruction Fuzzy Hash: CFC1B274E01219CFDB54DFA5D958B9DBBB2BF88304F1080A9D809AB354DB359D85CF50

Function 0524E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad865fced0b355643f7c9dadbf8f0e5dc29791704751785a9a21e3b27361d6b
Instruction ID: 455425e84e9815a016d577f0f4168488c401988904b535a3fea70138a48ba295
Opcode Fuzzy Hash: 5ad865fced0b355643f7c9dadbf8f0e5dc29791704751785a9a21e3b27361d6b
Instruction Fuzzy Hash: 65C1D374E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF51

Function 0524B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1505ceee0451bb67b22e4d7c4ccd38b6b665d057e69f8658c1270afb41686c97
Instruction ID: aa945f093cee0d1d04a2c6c57a8b00bc94bad1d6a48aafacb572702997e5e6ec
Opcode Fuzzy Hash: 1505ceee0451bb67b22e4d7c4ccd38b6b665d057e69f8658c1270afb41686c97
Instruction Fuzzy Hash: C7C1B074E10218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078608bbf1ba586aabd90299c2e7215a76482618ca64caaf48a4a18b1249f4a6
Instruction ID: de4a657789f3857077555a3ffd7efa3ca4e178a323122c88179f67130fd019ed
Opcode Fuzzy Hash: 078608bbf1ba586aabd90299c2e7215a76482618ca64caaf48a4a18b1249f4a6
Instruction Fuzzy Hash: 02C1C374E10218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59375dfc4577c9f0a60f5a64659302fc79a321164e8e0628af8e460ba9c51e95
Instruction ID: eee3784c9db017f279cfaf00cedb892590b0d79ffb2ac42374bb8ef52b89f20f
Opcode Fuzzy Hash: 59375dfc4577c9f0a60f5a64659302fc79a321164e8e0628af8e460ba9c51e95
Instruction Fuzzy Hash: 77C1D274E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc629bc9fc0965e9d2ed95a60e9222b98e38fa233563696fa618e192ccb68920
Instruction ID: bcc86c39cf0fa5e5e0f86ee4819d2b71ead95971bfabbde397a7a7ca0b801fde
Opcode Fuzzy Hash: dc629bc9fc0965e9d2ed95a60e9222b98e38fa233563696fa618e192ccb68920
Instruction Fuzzy Hash: AFC1C174E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288b7b8d936a29ecfeeed7afb54a7f35d938cac605d02ac288cc89ffc90d5d55
Instruction ID: d966ace811a945ac820622aa892e3b23924e57dbd0f4c46974737c94c39b7ba6
Opcode Fuzzy Hash: 288b7b8d936a29ecfeeed7afb54a7f35d938cac605d02ac288cc89ffc90d5d55
Instruction Fuzzy Hash: 71C1C174E10218CFDB18DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 0524C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd428f509de4480367e20ce9a3f80ee12521e3250063b2659d625a43a0ba64f9
Instruction ID: bb5d8798656a2801bc129b2fbb1284590355db65c0373b12e4598b10c84662fc
Opcode Fuzzy Hash: dd428f509de4480367e20ce9a3f80ee12521e3250063b2659d625a43a0ba64f9
Instruction Fuzzy Hash: BCC1D474E11218CFDB18DFA9D994B9DBBB2BF88304F2080A9D809AB355DB359D81CF50

Function 0524CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6a2937b89d5ec398f56b9e0335b193e481a01001e87a354167068bf34eff40
Instruction ID: 07d28b8ef877cb299d96a7706586e15f74fda2b163c2376a707ef5cc98e3c219
Opcode Fuzzy Hash: fc6a2937b89d5ec398f56b9e0335b193e481a01001e87a354167068bf34eff40
Instruction Fuzzy Hash: 88C1D474E11218CFDB18DFA5D954B9DBBB2BF88304F1080A9D409AB355DB359D85CF50

Function 0524CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4535690819.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5240000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476b4b6cc9bfaff069dd5f62e06886a2577f8781762379f0a0d06b0ca51caace
Instruction ID: 1af94008877be9b03d9a50b8e83c103771cb844773212f1b403eaab6f070ae89
Opcode Fuzzy Hash: 476b4b6cc9bfaff069dd5f62e06886a2577f8781762379f0a0d06b0ca51caace
Instruction Fuzzy Hash: 04C1C274E10218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E85CF50

Function 010DEB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fda3c3bf4e43689970628c638c3a52ea6537ac8fe5cfae8973115d0b5f8687
Instruction ID: d7ed338f7727164318887dee1002afe290cacd398c43f82124328aa15eea4d39
Opcode Fuzzy Hash: 60fda3c3bf4e43689970628c638c3a52ea6537ac8fe5cfae8973115d0b5f8687
Instruction Fuzzy Hash: 33A17E74A01229CFDB64DF64C994BDABBB2BF49301F1085EAE44DA7250DB319E81CF51

Function 010DED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ad01bcddd55c6b3279c3fac4cd816e644fbc89db5996256f78d09a08b1cf99
Instruction ID: 4216b6b9136f32a1f7b8267372fc3c77bc20422d372c9f504e246036b872c98b
Opcode Fuzzy Hash: c9ad01bcddd55c6b3279c3fac4cd816e644fbc89db5996256f78d09a08b1cf99
Instruction Fuzzy Hash: 3A517074A01229CFCB64DF24C954B9AB7B2BF4A305F5089E9E40EA7350DB319E81CF51

Function 010D6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 010D60C6
\;]q, xrefs: 010D6094
\;]q, xrefs: 010D60BA
\;]q, xrefs: 010D609E

Memory Dump Source

Source File: 00000005.00000002.4533076989.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 0ea2f01878e47479c01966b160095a3a88c2b9233109c6ae70d9a750f7305aa4
Instruction ID: 4527d96a0292fa0a4d95dacb9926618fffea3340f8a63c63852f9b803e47b091
Opcode Fuzzy Hash: 0ea2f01878e47479c01966b160095a3a88c2b9233109c6ae70d9a750f7305aa4
Instruction Fuzzy Hash: 59018F717102158FDBA48E2DC48492B7FF6AF88B6072541BAF681CB3B1DA73DC418B90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZpYFG94D4C.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZpYFG94D4C.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02byoap2.4nc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sxpngya.am3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d3p5osn.xjt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn0qsffc.210.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
ZpYFG94D4C.exe

Function 056A0940 Relevance: 7.8, Strings: 6, Instructions: 325
COMMON

Function 056AEC60 Relevance: 7.6, Strings: 6, Instructions: 109
COMMON

Function 056A4248 Relevance: 6.6, Strings: 5, Instructions: 328
COMMON

Function 056AE108 Relevance: 6.4, Strings: 5, Instructions: 139
COMMON

Function 056AE0F8 Relevance: 3.9, Strings: 3, Instructions: 129
COMMON

Function 056A0F90 Relevance: 2.8, Strings: 2, Instructions: 292
COMMON

Function 056A5EAC Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Function 056A0910 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Function 076BBB44 Relevance: 1.8, APIs: 1, Instructions: 272
processCOMMON

Function 076BBB50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0228ADE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre