Edit tour

Windows Analysis Report
MB263350411AE.scr.exe

Overview

General Information

Sample name:	MB263350411AE.scr.exe
Analysis ID:	1589999
MD5:	578763e8d29b058a3332968654d6e73b
SHA1:	b86ffe9c85f35d43dadc0f4cb1a059668ce95c43
SHA256:	ff686f645ff7a1b0672895a7a72a5ee528cd112b2469182c79c98f7621af607e
Tags:	exeuser-TeamDreier
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MB263350411AE.scr.exe (PID: 4776 cmdline: "C:\Users\user\Desktop\MB263350411AE.scr.exe" MD5: 578763E8D29B058A3332968654D6E73B)

powershell.exe (PID: 6596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4208 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MB263350411AE.scr.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\MB263350411AE.scr.exe" MD5: 578763E8D29B058A3332968654D6E73B)

SnqkwvE.exe (PID: 1220 cmdline: C:\Users\user\AppData\Roaming\SnqkwvE.exe MD5: 578763E8D29B058A3332968654D6E73B)

schtasks.exe (PID: 4828 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SnqkwvE.exe (PID: 5608 cmdline: "C:\Users\user\AppData\Roaming\SnqkwvE.exe" MD5: 578763E8D29B058A3332968654D6E73B)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": "         feXwu@m?K@@L               ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3423870398.0000000003224000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2195000631.0000000006840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb17:$a1: get_encryptedPassword 0x26937:$a1: get_encryptedPassword 0xfe3f:$a2: get_encryptedUsername 0x26c5f:$a2: get_encryptedUsername 0xf8b2:$a3: get_timePasswordChanged 0x266d2:$a3: get_timePasswordChanged 0xf9d3:$a4: get_passwordField 0x267f3:$a4: get_passwordField 0xfb2d:$a5: set_encryptedPassword 0x2694d:$a5: set_encryptedPassword 0x11489:$a7: get_logins 0x282a9:$a7: get_logins 0x1113a:$a8: GetOutlookPasswords 0x27f5a:$a8: GetOutlookPasswords 0x10f2c:$a9: StartKeylogger 0x27d4c:$a9: StartKeylogger 0x113d9:$a10: KeyLoggerEventArgs 0x281f9:$a10: KeyLoggerEventArgs 0x10f89:$a11: KeyLoggerEventArgsEventHandler 0x27da9:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.3424904761.0000000003264000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2229165220.0000000002866000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18acef:$a1: get_encryptedPassword 0x18b017:$a2: get_encryptedUsername 0x18aa8a:$a3: get_timePasswordChanged 0x18abab:$a4: get_passwordField 0x18ad05:$a5: set_encryptedPassword 0x18c661:$a7: get_logins 0x18c312:$a8: GetOutlookPasswords 0x18c104:$a9: StartKeylogger 0x18c5b1:$a10: KeyLoggerEventArgs 0x18c161:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2190199347.0000000002606000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 4776	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 4776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 4776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 4776	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 4776	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa9a61:$a1: get_encryptedPassword 0xcd76d:$a1: get_encryptedPassword 0xa9d7a:$a2: get_encryptedUsername 0xcda86:$a2: get_encryptedUsername 0xa9810:$a3: get_timePasswordChanged 0xcd51c:$a3: get_timePasswordChanged 0xa9931:$a4: get_passwordField 0xcd63d:$a4: get_passwordField 0xa9a77:$a5: set_encryptedPassword 0xcd783:$a5: set_encryptedPassword 0xab37a:$a7: get_logins 0xcf086:$a7: get_logins 0xab02b:$a8: GetOutlookPasswords 0xced37:$a8: GetOutlookPasswords 0xaae1d:$a9: StartKeylogger 0xceb29:$a9: StartKeylogger 0xab2ca:$a10: KeyLoggerEventArgs 0xcefd6:$a10: KeyLoggerEventArgs 0xaae7a:$a11: KeyLoggerEventArgsEventHandler 0xceb86:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MB263350411AE.scr.exe PID: 7008	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 7008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 7008	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MB263350411AE.scr.exe PID: 7008	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37fa8:$a1: get_encryptedPassword 0x382c1:$a2: get_encryptedUsername 0x37d57:$a3: get_timePasswordChanged 0x37e78:$a4: get_passwordField 0x37fbe:$a5: set_encryptedPassword 0x398c1:$a7: get_logins 0x39572:$a8: GetOutlookPasswords 0x39364:$a9: StartKeylogger 0x39811:$a10: KeyLoggerEventArgs 0x393c1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SnqkwvE.exe PID: 5608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.MB263350411AE.scr.exe.6840000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.SnqkwvE.exe.2b9618c.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.29361b4.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.6840000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.SnqkwvE.exe.2b9618c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.29361b4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
1.2.MB263350411AE.scr.exe.3529970.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data
1.2.MB263350411AE.scr.exe.3540790.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.MB263350411AE.scr.exe.3540790.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
1.2.MB263350411AE.scr.exe.3540790.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x273dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27889:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27439:$a11: KeyLoggerEventArgsEventHandler
1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afe1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4df:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a7ed:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b5e5:$a5: \Kometa\User Data\Default\Login Data
9.2.SnqkwvE.exe.2974464.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.271448c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.SnqkwvE.exe.28bbacc.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.MB263350411AE.scr.exe.265baf4.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE.scr.exe, ParentProcessId: 4776, ParentProcessName: MB263350411AE.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", ProcessId: 6596, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SnqkwvE.exe, ParentImage: C:\Users\user\AppData\Roaming\SnqkwvE.exe, ParentProcessId: 1220, ParentProcessName: SnqkwvE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp", ProcessId: 4828, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE.scr.exe, ParentProcessId: 4776, ParentProcessName: MB263350411AE.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", ProcessId: 4208, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE.scr.exe, ParentProcessId: 4776, ParentProcessName: MB263350411AE.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe", ProcessId: 6596, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE.scr.exe, ParentProcessId: 4776, ParentProcessName: MB263350411AE.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp", ProcessId: 4208, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:16:04.962767+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	193.122.130.0	80	TCP
2025-01-13T13:16:07.525185+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49730	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": " feXwu@m?K@@L ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Virustotal: Detection: 30%			Perma Link

Multi AV Scanner detection for submitted file

Source: MB263350411AE.scr.exe	Virustotal: Detection: 30%			Perma Link
Source: MB263350411AE.scr.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MB263350411AE.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MB263350411AE.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49741 version: TLS 1.0

Source: MB263350411AE.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 4x nop then jmp 014E9731h	7_2_014E9480
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 4x nop then jmp 014E9E5Ah	7_2_014E9A40
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 4x nop then jmp 014E9E5Ah	7_2_014E9A30
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 4x nop then jmp 014E9E5Ah	7_2_014E9D87
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 01319731h	12_2_01319480
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 01319E5Ah	12_2_01319A30
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 01319E5Ah	12_2_01319D87
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E5E15h	12_2_030E5AD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E54D1h	12_2_030E5228
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EE5A0h	12_2_030EE2F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E83D8h	12_2_030E8130
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EF2A8h	12_2_030EF000
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EE9F8h	12_2_030EE750
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E5929h	12_2_030E5680
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E47C9h	12_2_030E4520
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E8830h	12_2_030E8588
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E76D0h	12_2_030E7428
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EF700h	12_2_030EF458
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EEE50h	12_2_030EEBA8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E4C21h	12_2_030E4978
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E7B28h	12_2_030E7880
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030EFB58h	12_2_030EF8B0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E7278h	12_2_030E6FD3
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E5079h	12_2_030E4DD0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 030E7F80h	12_2_030E7CD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A62B5h	12_2_055A60D8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A6C3Fh	12_2_055A60D8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A1CF8h	12_2_055A1A50
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A18A0h	12_2_055A15F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A3840h	12_2_055A3598
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A26E0h	12_2_055A2438
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A0740h	12_2_055A0498
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A49A0h	12_2_055A46F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A33E8h	12_2_055A3140
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_055A51D8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A1448h	12_2_055A11A0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A02E8h	12_2_055A0040
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then mov esp, ebp	12_2_055A93F0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A4548h	12_2_055A42A0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A0FF0h	12_2_055A0D48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A2F90h	12_2_055A2CE8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A40F0h	12_2_055A3E48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A2152h	12_2_055A1EA8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_055A59FB
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A3C98h	12_2_055A39F0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_055A581B
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A0B98h	12_2_055A08F0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A2B38h	12_2_055A2890
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 4x nop then jmp 055A4DF8h	12_2_055A4B50

Source: global traffic	TCP traffic: 192.168.2.6:59552 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.6:56773 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49730 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.0000000003132000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000317C000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: MB263350411AE.scr.exe, SnqkwvE.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MB263350411AE.scr.exe, SnqkwvE.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: MB263350411AE.scr.exe, SnqkwvE.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000316B000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000316B000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: MB263350411AE.scr.exe, 00000001.00000002.2190199347.0000000002521000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 00000009.00000002.2229165220.0000000002781000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: MB263350411AE.scr.exe, SnqkwvE.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_00864204	1_2_00864204
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_008679D9	1_2_008679D9
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A01AEC	1_2_04A01AEC
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A00040	1_2_04A00040
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A029B0	1_2_04A029B0
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A009F0	1_2_04A009F0
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A00A00	1_2_04A00A00
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_04A01AE0	1_2_04A01AE0
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06871620	1_2_06871620
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_0687E638	1_2_0687E638
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06879A70	1_2_06879A70
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06871612	1_2_06871612
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_0687E628	1_2_0687E628
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06878851	1_2_06878851
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06878860	1_2_06878860
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD1698	1_2_06BD1698
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD1EF8	1_2_06BD1EF8
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD1F08	1_2_06BD1F08
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD9C80	1_2_06BD9C80
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD3C48	1_2_06BD3C48
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD1AD0	1_2_06BD1AD0
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 1_2_06BD3370	1_2_06BD3370
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014EC530	7_2_014EC530
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014E9480	7_2_014E9480
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014E1A4F	7_2_014E1A4F
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014EC521	7_2_014EC521
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014E2DD1	7_2_014E2DD1
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Code function: 7_2_014E946F	7_2_014E946F
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_00BD4204	9_2_00BD4204
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_00BD79D9	9_2_00BD79D9
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B4E638	9_2_06B4E638
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B41620	9_2_06B41620
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B49A70	9_2_06B49A70
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B4E628	9_2_06B4E628
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B4161F	9_2_06B4161F
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B48860	9_2_06B48860
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06B48851	9_2_06B48851
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA1689	9_2_06EA1689
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA1698	9_2_06EA1698
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA8F80	9_2_06EA8F80
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA1F08	9_2_06EA1F08
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA3C48	9_2_06EA3C48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA1AD0	9_2_06EA1AD0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_06EA3370	9_2_06EA3370
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_0131C530	12_2_0131C530
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_013127B9	12_2_013127B9
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_01319480	12_2_01319480
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_013119B8	12_2_013119B8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_0131C521	12_2_0131C521
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_01312DD1	12_2_01312DD1
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_0131946F	12_2_0131946F
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_0131FC9C	12_2_0131FC9C
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E12AE	12_2_030E12AE
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E6138	12_2_030E6138
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E0AB8	12_2_030E0AB8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E5AD8	12_2_030E5AD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E89E0	12_2_030E89E0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EAE78	12_2_030EAE78
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EBC50	12_2_030EBC50
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E0320	12_2_030E0320
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E0330	12_2_030E0330
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E521A	12_2_030E521A
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E5228	12_2_030E5228
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EE2F8	12_2_030EE2F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E8120	12_2_030E8120
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E8130	12_2_030E8130
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EE170	12_2_030EE170
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EF000	12_2_030EF000
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E602A	12_2_030E602A
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EE740	12_2_030EE740
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EE750	12_2_030EE750
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E566F	12_2_030E566F
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E5680	12_2_030E5680
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E450F	12_2_030E450F
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E4520	12_2_030E4520
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E8579	12_2_030E8579
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E8588	12_2_030E8588
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7418	12_2_030E7418
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7428	12_2_030E7428
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EF448	12_2_030EF448
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EF458	12_2_030EF458
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EEB98	12_2_030EEB98
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EEBA8	12_2_030EEBA8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E5ACA	12_2_030E5ACA
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E4969	12_2_030E4969
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E4978	12_2_030E4978
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7871	12_2_030E7871
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7880	12_2_030E7880
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EF8A1	12_2_030EF8A1
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EF8B0	12_2_030EF8B0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E6FD3	12_2_030E6FD3
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030EEFF0	12_2_030EEFF0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E4DC0	12_2_030E4DC0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E4DD0	12_2_030E4DD0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7CC8	12_2_030E7CC8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E0CD8	12_2_030E0CD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_030E7CD8	12_2_030E7CD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A9108	12_2_055A9108
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A8030	12_2_055A8030
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A60D8	12_2_055A60D8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A7390	12_2_055A7390
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A6D48	12_2_055A6D48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A79E0	12_2_055A79E0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A1A50	12_2_055A1A50
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A15F8	12_2_055A15F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A15E8	12_2_055A15E8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3598	12_2_055A3598
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3588	12_2_055A3588
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2438	12_2_055A2438
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2427	12_2_055A2427
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0498	12_2_055A0498
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0488	12_2_055A0488
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A8678	12_2_055A8678
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A8668	12_2_055A8668
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A46F8	12_2_055A46F8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A46E9	12_2_055A46E9
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3140	12_2_055A3140
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3132	12_2_055A3132
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A51D8	12_2_055A51D8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A1190	12_2_055A1190
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A11A0	12_2_055A11A0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0040	12_2_055A0040
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0006	12_2_055A0006
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A8024	12_2_055A8024
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A60C9	12_2_055A60C9
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A7380	12_2_055A7380
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A4290	12_2_055A4290
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A42A0	12_2_055A42A0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0D48	12_2_055A0D48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A0D39	12_2_055A0D39
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A6D37	12_2_055A6D37
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2CD8	12_2_055A2CD8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2CE8	12_2_055A2CE8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3E48	12_2_055A3E48
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A3E38	12_2_055A3E38
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A1E9A	12_2_055A1E9A
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A1EA8	12_2_055A1EA8
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A79D0	12_2_055A79D0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A39F0	12_2_055A39F0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A39E2	12_2_055A39E2
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A08F0	12_2_055A08F0
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A08E1	12_2_055A08E1
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2890	12_2_055A2890
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A2880	12_2_055A2880
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A4B50	12_2_055A4B50
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A4B40	12_2_055A4B40
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 12_2_055A1A40	12_2_055A1A40

Source: MB263350411AE.scr.exe

Static PE information: invalid certificate

Source: MB263350411AE.scr.exe, 00000001.00000002.2190199347.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2187676747.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2196895386.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2195000631.0000000006840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2190199347.0000000002606000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000000.2159204543.00000000000D4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebpKV.exep( vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000007.00000002.3419499183.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe, 00000007.00000002.3420161506.0000000000F97000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MB263350411AE.scr.exe
Source: MB263350411AE.scr.exe	Binary or memory string: OriginalFilenamebpKV.exep( vs MB263350411AE.scr.exe

Source: MB263350411AE.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: MB263350411AE.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SnqkwvE.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@2/2

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File created: C:\Users\user\AppData\Roaming\SnqkwvE.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:716:120:WilError_03

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp21E6.tmp

Jump to behavior

Source: MB263350411AE.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MB263350411AE.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3425840077.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.0000000003221000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000322D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MB263350411AE.scr.exe	Virustotal: Detection: 30%
Source: MB263350411AE.scr.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File read: C:\Users\user\Desktop\MB263350411AE.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MB263350411AE.scr.exe "C:\Users\user\Desktop\MB263350411AE.scr.exe"
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Users\user\Desktop\MB263350411AE.scr.exe "C:\Users\user\Desktop\MB263350411AE.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SnqkwvE.exe C:\Users\user\AppData\Roaming\SnqkwvE.exe
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Users\user\AppData\Roaming\SnqkwvE.exe "C:\Users\user\AppData\Roaming\SnqkwvE.exe"
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Users\user\Desktop\MB263350411AE.scr.exe "C:\Users\user\Desktop\MB263350411AE.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Users\user\AppData\Roaming\SnqkwvE.exe "C:\Users\user\AppData\Roaming\SnqkwvE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MB263350411AE.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MB263350411AE.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_00BD95C7 push ds; iretd		9_2_00BD95D6
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Code function: 9_2_00BD9D68 push ds; iretd		9_2_00BD9D76

Source: MB263350411AE.scr.exe	Static PE information: section name: .text entropy: 7.551840052573886
Source: SnqkwvE.exe.1.dr	Static PE information: section name: .text entropy: 7.551840052573886

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

File created: C:\Users\user\AppData\Roaming\SnqkwvE.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 2520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 8780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 71A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 9780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory allocated: 50D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 4780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 86C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 70E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 96C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5840			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3909			Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe TID: 1584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SnqkwvE.exe, 0000000C.00000002.3422259917.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: MB263350411AE.scr.exe, 00000007.00000002.3420659038.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe

Code function: 12_2_030E0AB8 LdrInitializeThunk,LdrInitializeThunk,

12_2_030E0AB8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Memory written: C:\Users\user\Desktop\MB263350411AE.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Memory written: C:\Users\user\AppData\Roaming\SnqkwvE.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Process created: C:\Users\user\Desktop\MB263350411AE.scr.exe "C:\Users\user\Desktop\MB263350411AE.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Process created: C:\Users\user\AppData\Roaming\SnqkwvE.exe "C:\Users\user\AppData\Roaming\SnqkwvE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Users\user\Desktop\MB263350411AE.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Users\user\Desktop\MB263350411AE.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Users\user\AppData\Roaming\SnqkwvE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Users\user\AppData\Roaming\SnqkwvE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.6840000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2b9618c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.29361b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.6840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2b9618c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.29361b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2974464.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.271448c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.28bbacc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.265baf4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2195000631.0000000006840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2229165220.0000000002866000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2190199347.0000000002606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MB263350411AE.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SnqkwvE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3423870398.0000000003224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3424904761.0000000003264000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SnqkwvE.exe PID: 5608, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.6840000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2b9618c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.29361b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.6840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2b9618c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.29361b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.2974464.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.271448c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SnqkwvE.exe.28bbacc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.265baf4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2195000631.0000000006840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2229165220.0000000002866000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2190199347.0000000002606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3540790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MB263350411AE.scr.exe.3529970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 4776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MB263350411AE.scr.exe PID: 7008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MB263350411AE.scr.exe	31%	Virustotal		Browse
MB263350411AE.scr.exe	45%	ReversingLabs	ByteCode-MSIL.Virus.Virut
MB263350411AE.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SnqkwvE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SnqkwvE.exe	45%	ReversingLabs	ByteCode-MSIL.Virus.Virut
C:\Users\user\AppData\Roaming\SnqkwvE.exe	31%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000316B000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000316B000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	MB263350411AE.scr.exe, 00000007.00000002.3423870398.0000000003132000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000317C000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MB263350411AE.scr.exe, 00000001.00000002.2190199347.0000000002521000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 00000009.00000002.2229165220.0000000002781000.00000004.00000800.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	MB263350411AE.scr.exe, SnqkwvE.exe.1.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3423870398.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE.scr.exe, 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SnqkwvE.exe, 0000000C.00000002.3424904761.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589999
Start date and time:	2025-01-13 13:15:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MB263350411AE.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 170 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 2.23.242.162, 52.149.20.212, 13.85.23.206, 40.126.32.68, 2.23.227.208
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, wns2-am3p.wns.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MB263350411AE.scr.exe, PID 7008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:15:59	API Interceptor	1x Sleep call for process: MB263350411AE.scr.exe modified
07:16:01	API Interceptor	13x Sleep call for process: powershell.exe modified
07:16:04	API Interceptor	1x Sleep call for process: SnqkwvE.exe modified
13:16:03	Task Scheduler	Run new task: SnqkwvE path: C:\Users\user\AppData\Roaming\SnqkwvE.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	trow.exe	Get hash	malicious	Unknown	Browse	www.rs-ag.com/
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
193.122.130.0	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
reallyfreegeoip.org	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.80.156
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	https://connexion-pro.support/adobe/s/assets/	Get hash	malicious	Unknown	Browse	104.21.11.138
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\MB263350411AE.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SnqkwvE.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SnqkwvE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	5EDBE2AEEFE69FB36ECED2E31AC9386F
SHA1:	6614C7900E4994E1A3606D22916BE68F701A19D4
SHA-256:	4275A59302475C8198165F4EB61EA2A88BD12056EA6EE5197C1BF8E6B6A6F9FD
SHA-512:	CFBAB752BE8CB209B25F2D1AD30E08E5E7ADB2EE5B4CCE98DCFD20B05E4B1CEFFCB6551556B134A2123412C864A8A544701C846F204783D99CB58936DC086A76
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjugmxdl.dij.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0tmo3zy.r2e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_larp3awu.sgs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nft2wobb.5aw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp21E6.tmp

Download File

Process:	C:\Users\user\Desktop\MB263350411AE.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.093195143039198
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLOAxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	BB641185A6E04F771135E43AD78A3659
SHA1:	651809FEF5CDF5B721656F862BBC9D27F320597E
SHA-256:	9D1135C8051DE2596E8F885285C94CF421CA714F9BE860EE34C4D59775339355
SHA-512:	EC4D1592B8DE9F0019838C321F02FF1693F37B68DFCBC668ED5E0F6D03792CC757FF31E35196E4CB19971F0E0EFD7EC88F72142B2095B681F583064AB8ABE850
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp34E1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\SnqkwvE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.093195143039198
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLOAxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	BB641185A6E04F771135E43AD78A3659
SHA1:	651809FEF5CDF5B721656F862BBC9D27F320597E
SHA-256:	9D1135C8051DE2596E8F885285C94CF421CA714F9BE860EE34C4D59775339355
SHA-512:	EC4D1592B8DE9F0019838C321F02FF1693F37B68DFCBC668ED5E0F6D03792CC757FF31E35196E4CB19971F0E0EFD7EC88F72142B2095B681F583064AB8ABE850
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\SnqkwvE.exe

Download File

Process:	C:\Users\user\Desktop\MB263350411AE.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	616968
Entropy (8bit):	7.547414224495075
Encrypted:	false
SSDEEP:	12288:6XQhdIwhfi3adcWmCKjSpqvvuBso/InAHd68Kw30odiK68mAl12tZ9uLUxL7HNHM:LhdIwhKKCWTiWqnmrG58h62qLBK
MD5:	578763E8D29B058A3332968654D6E73B
SHA1:	B86FFE9C85F35D43DADC0F4CB1A059668CE95C43
SHA-256:	FF686F645FF7A1B0672895A7A72A5EE528CD112B2469182C79C98F7621AF607E
SHA-512:	3C312A080991E9CCEE56E3CC568EEB8C143981D560BCE566AFB00951F60820C8F418ACE86B5B947792E0450AAB1FAA5658F3E68CBEA008FF510373A63D5710FD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 31%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..g..............0......$......6,... ...@....@.. ....................................`..................................+..O....@..<!...........4...6........................................................... ............... ..H............text...L.... ...................... ..`.rsrc...<!...@..."..................@..@.reloc...............2..............@..B.................,......H........v..................H...................................................}......}......}......}.....(......*..0.................}......}......}......}.....(.......(............}.....{....(......{....(......{.....o......{.....o......{......r...p.d.d.s......{......r...p.x.d..s......{......r...p .....d..s......{......r1..p .....d..s......{......r;..p ,... ......s......{......rI..p T... ......s.......+<..{.......X...s.....rW..p..X...(....re..p...(....(....&...X.......-..{.

C:\Users\user\AppData\Roaming\SnqkwvE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\MB263350411AE.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.547414224495075
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MB263350411AE.scr.exe
File size:	616'968 bytes
MD5:	578763e8d29b058a3332968654d6e73b
SHA1:	b86ffe9c85f35d43dadc0f4cb1a059668ce95c43
SHA256:	ff686f645ff7a1b0672895a7a72a5ee528cd112b2469182c79c98f7621af607e
SHA512:	3c312a080991e9ccee56e3cc568eeb8c143981d560bce566afb00951f60820c8f418ace86b5b947792e0450aab1faa5658f3e68cbea008ff510373a63d5710fd
SSDEEP:	12288:6XQhdIwhfi3adcWmCKjSpqvvuBso/InAHd68Kw30odiK68mAl12tZ9uLUxL7HNHM:LhdIwhKKCWTiWqnmrG58h62qLBK
TLSH:	DCD4DF1521ACD602C0A26FB00971D3F84B756E99BA21CB1B8FE97DEF79767047A40363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..g..............0......$......6,... ...@....@.. ....................................`................................

File Icon


Icon Hash:	132d922957b24d93

Static PE Info

General

Entrypoint:	0x492c36
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67849D70 [Mon Jan 13 04:58:24 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92be4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x213c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x93400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x90c4c	0x90e00	a2e58f0c6d9e30070bc20c9e2dc0b28f	False	0.8552597875323554	data	7.551840052573886	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x213c	0x2200	6cc53da7dba7314b0f41cd8e93853723	False	0.6403952205882353	data	6.461402195633676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	b2d5ce2beba0428e88414a9a7ab7b6b8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x940c8	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.6911123227917121
RT_GROUP_ICON	0x95d80	0x14	data	1.15
RT_VERSION	0x95da4	0x394	OpenPGP Secret Key	0.4104803493449782

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:16:04.962767+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	193.122.130.0	80	TCP
2025-01-13T13:16:07.525185+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49730	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:16:02.711895943 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:02.716660976 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:02.716730118 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:02.716989040 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:02.721725941 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:04.754336119 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:04.777080059 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:04.782051086 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:04.918770075 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:04.962766886 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:05.022552967 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:05.022610903 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:05.022674084 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:05.065529108 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:05.065562010 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.451697111 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:06.483158112 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:06.483232975 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:06.483830929 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:06.490169048 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.490231991 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:06.490885973 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:06.492986917 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:06.493005991 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.493428946 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.543121099 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:06.564194918 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:06.607335091 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.672683954 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.672766924 CET	443	49727	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:06.672893047 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:06.679037094 CET	49727	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.378289938 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:07.382591963 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:07.387432098 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:07.483958006 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:16:07.486284018 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.486325979 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:07.486552000 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.491257906 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.491276979 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:07.525185108 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:16:07.947896957 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:07.948081017 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.949604034 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:07.949620962 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:07.949868917 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:07.993915081 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:08.009346008 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:08.055329084 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:08.112478971 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:08.112536907 CET	443	49741	104.21.112.1	192.168.2.6
Jan 13, 2025 13:16:08.112610102 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:08.116394043 CET	49741	443	192.168.2.6	104.21.112.1
Jan 13, 2025 13:16:17.174097061 CET	59552	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:17.178963900 CET	53	59552	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:17.179035902 CET	59552	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:17.183892012 CET	53	59552	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:17.648972034 CET	59552	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:17.654019117 CET	53	59552	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:17.654097080 CET	59552	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:18.658660889 CET	56773	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:18.663465977 CET	53	56773	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:18.663532019 CET	56773	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:18.668591022 CET	53	56773	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:19.120739937 CET	56773	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:19.126677036 CET	53	56773	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:19.126760006 CET	56773	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:17:10.008763075 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:17:10.008812904 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:17:12.484821081 CET	80	49730	193.122.130.0	192.168.2.6
Jan 13, 2025 13:17:12.484895945 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:17:44.982781887 CET	49716	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:17:44.987692118 CET	80	49716	193.122.130.0	192.168.2.6
Jan 13, 2025 13:17:47.494425058 CET	49730	80	192.168.2.6	193.122.130.0
Jan 13, 2025 13:17:47.499412060 CET	80	49730	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:16:02.698136091 CET	60156	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:02.705564976 CET	53	60156	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:05.012348890 CET	49647	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:16:05.020193100 CET	53	49647	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:17.173660040 CET	53	53212	1.1.1.1	192.168.2.6
Jan 13, 2025 13:16:18.657247066 CET	53	49709	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:16:02.698136091 CET	192.168.2.6	1.1.1.1	0xbdc4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.012348890 CET	192.168.2.6	1.1.1.1	0xf474	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:02.705564976 CET	1.1.1.1	192.168.2.6	0xbdc4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:05.020193100 CET	1.1.1.1	192.168.2.6	0xf474	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	193.122.130.0	80	7008	C:\Users\user\Desktop\MB263350411AE.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:16:02.716989040 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:16:04.754336119 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cd66023a9c57acd2d6050f3a832682f8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:16:04.777080059 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:16:04.918770075 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 81578ab6f1493fa7b53a65c0cdcb1ec1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49730	193.122.130.0	80	5608	C:\Users\user\AppData\Roaming\SnqkwvE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:16:06.483830929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:16:07.378289938 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a97bd49c0c808eb6b7bce79a8c6cae83 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:16:07.382591963 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:16:07.483958006 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 069df83e6d0ed9c1f377afce715bd876 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49727	104.21.112.1	443	7008	C:\Users\user\Desktop\MB263350411AE.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:16:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:16:06 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2085355 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e1JgVWxkUY8PzntPupGz02JCyuK%2F6KCfu3eRZRVzO%2FXg7Qg%2F%2FIuDvAfP9mpkbPiWoJqMwYqpCe7n3PDXMm9boRpW8wY175X%2Fso2qHMcXAbyUJr81VMjv99c843CHNicWff6qGCi2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901550c95e41424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1603&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1806930&cwnd=249&unsent_bytes=0&cid=0da40fa24308403a&ts=1148&x=0"
2025-01-13 12:16:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49741	104.21.112.1	443	5608	C:\Users\user\AppData\Roaming\SnqkwvE.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:16:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:16:08 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:16:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2085357 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bb8djA7osJyWJOiK2d1D8nRLel9B1jYydEI4ZPa%2B48NLig36891rG3eez8WA9D%2Fkij7oNceioWPSOTpsW83Sl3FCXPPZxOlSll82dKJBL0acjRiJt9%2F3wTW9wWr%2BD9xkh1DtToVp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901550d26af543b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1626&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1795817&cwnd=203&unsent_bytes=0&cid=7722941a86ea3d0a&ts=171&x=0"
2025-01-13 12:16:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	07:15:58
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\MB263350411AE.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MB263350411AE.scr.exe"
Imagebase:	0x40000
File size:	616'968 bytes
MD5 hash:	578763E8D29B058A3332968654D6E73B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2195000631.0000000006840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2191797299.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2191797299.0000000003566000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2190199347.0000000002606000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:15:59
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SnqkwvE.exe"
Imagebase:	0x300000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:16:00
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:16:00
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp21E6.tmp"
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:16:00
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:16:00
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\MB263350411AE.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MB263350411AE.scr.exe"
Imagebase:	0xd70000
File size:	616'968 bytes
MD5 hash:	578763E8D29B058A3332968654D6E73B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3423870398.0000000003224000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3419499183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:16:02
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:16:03
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\SnqkwvE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SnqkwvE.exe
Imagebase:	0x440000
File size:	616'968 bytes
MD5 hash:	578763E8D29B058A3332968654D6E73B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2229165220.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 31%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:16:04
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SnqkwvE" /XML "C:\Users\user\AppData\Local\Temp\tmp34E1.tmp"
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:16:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:16:04
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\SnqkwvE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SnqkwvE.exe"
Imagebase:	0xc40000
File size:	616'968 bytes
MD5 hash:	578763E8D29B058A3332968654D6E73B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3424904761.0000000003264000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	308
Total number of Limit Nodes:	18

Executed Functions

Function 008679D9 Relevance: 2.7, Strings: 2, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@Ch, xrefs: 00867AB8
@Ch, xrefs: 00867B30

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID:
String ID: @Ch$@Ch
API String ID: 0-1042198092
Opcode ID: 907ddccaba8e040644901581c493eac6b420038162f6268335dc714bf2763943
Instruction ID: 0ccb3098da640b2ab8e10beb84c8f2cf1f6e2cc0271292a10c98d854d00d1dad
Opcode Fuzzy Hash: 907ddccaba8e040644901581c493eac6b420038162f6268335dc714bf2763943
Instruction Fuzzy Hash: EFB1E774E01218CFDB08DFA9D8849AEBBF2FF89304F158569D408AB365DB359946DF40

Function 00864204 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@Ch, xrefs: 00867AB8
@Ch, xrefs: 00867B30

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID:
String ID: @Ch$@Ch
API String ID: 0-1042198092
Opcode ID: 80821484325296505cf485dd06b775a168ef5c696452f180787fdbb5a6d25845
Instruction ID: f304051508b85d60e0bc9d4bb003cbd376ac2c8daf8c2bd55053c667b08fc412
Opcode Fuzzy Hash: 80821484325296505cf485dd06b775a168ef5c696452f180787fdbb5a6d25845
Instruction Fuzzy Hash: DCA1E974E01218CFDB08DFA9D8849AEBBF2FF89304F158569E408AB365DB359942DF50

Function 06871620 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363dc0da3d48b9e0ea3dbb4f4fe4af7ec1e08b640eb4ab960f8c1c3e60e98656
Instruction ID: d432b430737bd6c0282a9a5c1ca3158d497d47533c847675b2f8624be10f5f86
Opcode Fuzzy Hash: 363dc0da3d48b9e0ea3dbb4f4fe4af7ec1e08b640eb4ab960f8c1c3e60e98656
Instruction Fuzzy Hash: 62327E30E002188FEB54DFA8C8547AEBBF2AF88700F14856AD54AEB395DB349D45CB95

Function 06871612 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6fd743670498b54c8cf3e5ca9038daf6f9621c8cb94e7c02466925bab4e7eb
Instruction ID: 7ece38fa5dcc9f672497315d53c270eb7740311d3d50cc53fee8d716280cee00
Opcode Fuzzy Hash: 7f6fd743670498b54c8cf3e5ca9038daf6f9621c8cb94e7c02466925bab4e7eb
Instruction Fuzzy Hash: C5C14931E002588FDF54CFA9C88479DBBF2AF88314F18C5AAD589AB655DB30E985CF50

Function 04A01AEC Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94b6d8d6ea5b28ab2c1843adb2503469dbaee290f7ee574ef801411873e57d1
Instruction ID: 9ea634cfb1e8d1c8c67145e4cf7f1cfebdcad3c19e33353f8fa6eab1cedb3eee
Opcode Fuzzy Hash: b94b6d8d6ea5b28ab2c1843adb2503469dbaee290f7ee574ef801411873e57d1
Instruction Fuzzy Hash: 46A19135E00319DFCB04DFA4D898ADDBBBAFF89310F158659E416AB2A0DB70AD41CB50

Function 04A01AE0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159f1de732af2ea6e183b3bbb5afc63c02b2580e4723458618267628bc9f2203
Instruction ID: 6f197c5ec59b8ea873c763734be1eace8f0063e8349d11c34b72f06be6bb1cbe
Opcode Fuzzy Hash: 159f1de732af2ea6e183b3bbb5afc63c02b2580e4723458618267628bc9f2203
Instruction Fuzzy Hash: 94918135E0035ADFCB04DFA0D8949DDBBBAFF89310F158655E416AB2A4EB70A981CB50

Function 04A029B0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d36f52397275a94641f283fbeb9faad96eb2d5e369d38810d8e26ce8b83bc0
Instruction ID: 1cd4e4ecec9e93f5772f7da5417cf8247e736f4aa88b93163ae7f573a413bbe2
Opcode Fuzzy Hash: e9d36f52397275a94641f283fbeb9faad96eb2d5e369d38810d8e26ce8b83bc0
Instruction Fuzzy Hash: 08918135E0035A9FCB04DFA0DC949DDFBBAFF89310B158655E416AB2A4EB70A981CB50

Function 06879A70 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053b13572ba9321964e67b833f7de16e69f1da0c1db8e7ef1ad4ae79c57dbb93
Instruction ID: 0d6324a8e221719447b8f9c6683fa973a3cdf95feab1eed579a0fdf855ba7f7c
Opcode Fuzzy Hash: 053b13572ba9321964e67b833f7de16e69f1da0c1db8e7ef1ad4ae79c57dbb93
Instruction Fuzzy Hash: 3191CF70D0521CCFEF94DFAAD8457AEBBB6FB49304F108069D519A7261DB349985CF80

Function 0687E638 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398e36d103cc3a23fddc8373fa8ee04a3da8d6e9742dd62ae85dff3f34f6d193
Instruction ID: b018689b8d18843d415fd4dd10c94b3b39c0ca121b33fee9173f28d678ad8563
Opcode Fuzzy Hash: 398e36d103cc3a23fddc8373fa8ee04a3da8d6e9742dd62ae85dff3f34f6d193
Instruction Fuzzy Hash: 0F21D5B1D042588BEB58CFA6C8487EEBBF6BF89300F04C0AAD609B6254DB744945CF90

Function 0687E628 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed042335193658657493399c1054323ceaa21341d1637a6f4c70b91d4aef2278
Instruction ID: 295b71a95bc0b9f141e0361bf5a734d35db3f5af0b13ddcb5ea42849776ce99e
Opcode Fuzzy Hash: ed042335193658657493399c1054323ceaa21341d1637a6f4c70b91d4aef2278
Instruction Fuzzy Hash: 6D21F6B1D046588FEB58CFA6C9483DEBBF3AF89300F04C1AAD509B6264DB740945CF90

Function 06BD4494 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BD46D6

Strings

U, xrefs: 06BD449C

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: CreateProcess
String ID: U
API String ID: 963392458-3372436214
Opcode ID: a25c95112eb3a3c06836193000d04d040c058866880aed066149302842b9ab57
Instruction ID: 5718cb892019b3f17a7500fd418e51a7e864f336d8d32446bf2c19e370edd51f
Opcode Fuzzy Hash: a25c95112eb3a3c06836193000d04d040c058866880aed066149302842b9ab57
Instruction Fuzzy Hash: 8EA15BB1D00219DFEB64CF68C8417DEBBF2FB44314F0485A9E949AB240EB749985CF91

Function 06BD44A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BD46D6

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1cd4139287ae6cb550ef5c7a105bf743e460b588d1aa7bcdc35f0f7cf04debf0
Instruction ID: 1c33b3207ab6eed6b5c584d74c150d850c004fb7426e877a66cadc789f4ae6b4
Opcode Fuzzy Hash: 1cd4139287ae6cb550ef5c7a105bf743e460b588d1aa7bcdc35f0f7cf04debf0
Instruction Fuzzy Hash: AA913AB1D00219DFEB54CF68C8417DEBAF2FB49314F1485A9E909AB240EB749985CF91

Function 04A026A4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A027C2

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 48ee302bc49058535a281b5a0b14d077a3a162f31240585ee05f01ef6cf24c15
Instruction ID: 3152eed71af03533b41a4d166a451a58ed918380b1b0f2723606a58c2ece0fbf
Opcode Fuzzy Hash: 48ee302bc49058535a281b5a0b14d077a3a162f31240585ee05f01ef6cf24c15
Instruction Fuzzy Hash: 1851C1B5D00349AFDB14CFA9D884ADEBBF5FF48314F24816AE818AB250D774A845CF90

Function 04A01A98 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A027C2

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 70340c4d0e33784545c932725569806e70e8489f0549c2c085839652c9fa0e7b
Instruction ID: dd59c0e2bd552abb15f7aeacae5816f7b6e6f01ecc38852e678347f4ad5f093c
Opcode Fuzzy Hash: 70340c4d0e33784545c932725569806e70e8489f0549c2c085839652c9fa0e7b
Instruction Fuzzy Hash: 6751C0B5D00349EFDB14CFA9D884ADEBBB5FF48314F24816AE819AB250D774A845CF90

Function 0086590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008659C9

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ef48638202040790fa42612749572e258cc752415e775b733d0f0382c22afc7
Instruction ID: 30cb4bbf34196e4d5b3370d97cdf4b64801593d0dc1fdfd24dff7a0868faf953
Opcode Fuzzy Hash: 7ef48638202040790fa42612749572e258cc752415e775b733d0f0382c22afc7
Instruction Fuzzy Hash: 9B41CEB0C00719CAEB24CFA9C984BDEBBB5FF88704F20816AD419AB251DB756946CF50

Function 00864514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008659C9

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 849503a81e2a9c71d32b555b7c9a63b98279ddf490df45803c00e57ca7195e95
Instruction ID: e883161949717445e3c6e6dfccb2688f9fd3b00bc748935591110bbccd3ec4b1
Opcode Fuzzy Hash: 849503a81e2a9c71d32b555b7c9a63b98279ddf490df45803c00e57ca7195e95
Instruction Fuzzy Hash: 8B41E270C0071DCBEB24CFA9C984B9EBBB5FF48704F20816AD408AB251DBB56945CF91

Function 04A04CAE Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04A04D41

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c0d3f7bdfc1f39a1fdb2df02495b4a4bf068289fa9a3f66222e0b88f1a80ccc6
Instruction ID: e73439caec80f594b6e069bbcd5490fac15fa7accb97562a692a2c3e2856ee6a
Opcode Fuzzy Hash: c0d3f7bdfc1f39a1fdb2df02495b4a4bf068289fa9a3f66222e0b88f1a80ccc6
Instruction Fuzzy Hash: 543136B5A003059FDB14CF89C448BAABBF5FF8C314F24C599D519AB361D374A841CBA0

Function 06870978 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06870A17

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a5651d73412af7b0103c037d13dad4573e0f27ec68188993a092507d097f3509
Instruction ID: 6efd5f90ef92e3633de99df277135ab0c1a631e902929b30176355787e2c906f
Opcode Fuzzy Hash: a5651d73412af7b0103c037d13dad4573e0f27ec68188993a092507d097f3509
Instruction Fuzzy Hash: 6331D2B6D003499FDB10CF9AD880ADEFBF5FF48224F14842AE519A7210D775A954CFA0

Function 06BD4210 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BD42A8

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d727af65c60cbff7333654dbb0681981596c855388c48cd68627fd3c3a0b5ba4
Instruction ID: ac689116f169dff505b52fe79069cae058299e5707c70d5e90b362be88b9a455
Opcode Fuzzy Hash: d727af65c60cbff7333654dbb0681981596c855388c48cd68627fd3c3a0b5ba4
Instruction Fuzzy Hash: DB2146B29003599FDF10CFAAC885BDEBBF5FF48324F108429E918A7240D7799950CBA5

Function 06870980 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06870A17

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f418f1c5e69ebbb767b801d26b562ede6d57ed1be513af4c9ab67de65422abea
Instruction ID: e954256e69b2dc20208fb715e208c95eb6035660e4c1048eb98a0921d988dc6e
Opcode Fuzzy Hash: f418f1c5e69ebbb767b801d26b562ede6d57ed1be513af4c9ab67de65422abea
Instruction Fuzzy Hash: 8221CEB5D003499FDB10CF9AD880ADEFBF5FB48324F14842AE919A7210D774A954CFA0

Function 06BD4218 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BD42A8

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6317f48071880e0f76930645a7d331688ce282f7ce9c3e01aecb52da5aecef4a
Instruction ID: c8c3de0d3eebb64a254bfbf523587b55be6052630fc8656d34188deb6e0a95f7
Opcode Fuzzy Hash: 6317f48071880e0f76930645a7d331688ce282f7ce9c3e01aecb52da5aecef4a
Instruction Fuzzy Hash: 9E2126B19003499FDF10CFA9C885BDEBBF5FF48324F108429E918A7240D7789954CBA5

Function 06BD4300 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BD4388

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38ac2951e73877413af751d50eb5b88d5aab51cd21a6a8199c213e5f789b74b2
Instruction ID: 97f172b6ac5f289ec6500afeccecf6e4b8632cb68ced2043881e6e85ae1f3505
Opcode Fuzzy Hash: 38ac2951e73877413af751d50eb5b88d5aab51cd21a6a8199c213e5f789b74b2
Instruction Fuzzy Hash: 7A2125B19003599FDB10CFAAC881ADEFBF5FF48320F108429E518A7240D7799500CBA5

Function 06BD4078 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BD40FE

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 23c793d476fa47af79f5530169ffa15a171c736752a9cd29707b63b058d0a4cf
Instruction ID: 214633b0cf49788bda609442dd59f81c1c9b950c17389a1142cbc56b88376925
Opcode Fuzzy Hash: 23c793d476fa47af79f5530169ffa15a171c736752a9cd29707b63b058d0a4cf
Instruction Fuzzy Hash: 972138B1D003099FDB10CFAAC8857EEBBF4EF88324F148429D519A7241DB78A945CFA5

Function 0086DB48 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0086DFCE,?,?,?,?,?), ref: 0086E08F

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1bad214961296f344b9aa52cd2b30be0b61b7ded34fd8e61cfbdd443658929cb
Instruction ID: ebf2ac2161f0b4c49aaa5b4be6d907911a42148f29dade7f90b943167402ce4c
Opcode Fuzzy Hash: 1bad214961296f344b9aa52cd2b30be0b61b7ded34fd8e61cfbdd443658929cb
Instruction Fuzzy Hash: 9721E5B5900649AFDB10CFAAD984ADEBFF8FB48314F14841AE914A3351D374A954CFA1

Function 06BD4308 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BD4388

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bec6f8d6bb335dd1add72b00445379e8cafd02fa8a0edb2e04b2d615d6c9c45a
Instruction ID: 6b1f8b3d8aa98f7ec75c090f671b473c5199f1dc01831b8fd3b6961543389fa8
Opcode Fuzzy Hash: bec6f8d6bb335dd1add72b00445379e8cafd02fa8a0edb2e04b2d615d6c9c45a
Instruction Fuzzy Hash: 2521F8B19003599FDB10DFAAC881BDEFBF5FF48320F108429E519A7240D7799550DBA5

Function 06BD4080 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BD40FE

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9a0838163949670a98b50728343ac24abc71102eacfdc303615f459d18e94456
Instruction ID: cb16177a1b94cc994eeed8f25095fdd0affb92d38f16f6b809a3b91b14f88c3c
Opcode Fuzzy Hash: 9a0838163949670a98b50728343ac24abc71102eacfdc303615f459d18e94456
Instruction Fuzzy Hash: CD2149B1D003098FDB10CFAAC8857EEBBF4EF88324F148429D519A7240DB78A944CFA5

Function 06BD4150 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BD41C6

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 365505aba32c76b01e90306eaed80b1a1c053f196126434436caf8324b7490fe
Instruction ID: 57c025cdcc962ffaac2e31c849679f10246fa74f67efdd939b2c6f3117e56a63
Opcode Fuzzy Hash: 365505aba32c76b01e90306eaed80b1a1c053f196126434436caf8324b7490fe
Instruction Fuzzy Hash: AC1167728002499FDB20CFAAC844BDFBFF5EF88320F108819E519A7240C775A950CBA1

Function 06BD4158 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BD41C6

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6b0b3a3479ac5a2185936022790e7bc9da9aa328607c3dfec0e63f7f78041538
Instruction ID: ad5a57207fd7026397b758c93eb6224cec5ce62b30921ef07d8d81dd3feca055
Opcode Fuzzy Hash: 6b0b3a3479ac5a2185936022790e7bc9da9aa328607c3dfec0e63f7f78041538
Instruction Fuzzy Hash: 631144729002499FDB10DFAAC844BDEBBF5EF88320F108819E519A7250C775A510CBA1

Function 06BD3B90 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BD3BFA

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4b705b55fe01bcb1f462315b99e318da4138aeef0b361d2fb2de68889e478c8f
Instruction ID: e2d6dcd803dffeeaa2cddc952aa0cd99127dbd5374158efb9eb53b07ea0a4f21
Opcode Fuzzy Hash: 4b705b55fe01bcb1f462315b99e318da4138aeef0b361d2fb2de68889e478c8f
Instruction Fuzzy Hash: 381158B1D003498FDB20DFAAC845BDEFBF5EF88624F248419D519A7240DB79A940CBA5

Function 06BD3B98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BD3BFA

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d959cc34607fff4d34a8f7e9613613c431b44ffd637b567847d95df2b7f35077
Instruction ID: ec2fbc370a92531173ca3c2c114a4288fc5b419e6d35662cf19ffc328b9c7e0d
Opcode Fuzzy Hash: d959cc34607fff4d34a8f7e9613613c431b44ffd637b567847d95df2b7f35077
Instruction Fuzzy Hash: FE113AB1D003498FDB10DFAAC84579EFBF5EF88724F248419D519A7240DB79A540CB95

Function 06BD86E1 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06BD8745

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bd2efe5dcba2b5be86abffbcae0cbd27377e1e71befe4da922842d34cc151ab6
Instruction ID: 24ee10ef0c8474f6e8fb35f67de78af9d120bcd0e3630ff5ded0b46c38c8e4b5
Opcode Fuzzy Hash: bd2efe5dcba2b5be86abffbcae0cbd27377e1e71befe4da922842d34cc151ab6
Instruction Fuzzy Hash: F81106B58003499FDB10CF99C845BDEBFF8FB48724F108459E518A7640D375A944CFA1

Function 06BD8060 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06BD8745

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7e42f49c1ea0f132bb4e57b8534e9aaaa72f5f3a078381b8e5c8682c618ca1a
Instruction ID: 2af795b5e48088fc38143a0c14ec593ab120464e3388c4c058ed7d8642a7ada0
Opcode Fuzzy Hash: c7e42f49c1ea0f132bb4e57b8534e9aaaa72f5f3a078381b8e5c8682c618ca1a
Instruction Fuzzy Hash: 9D1106B5900349DFDB50CF9AC944BDEBBF8FB48724F10845AE518A7200D375A944CFA1

Function 0086BD20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0086BD86

Memory Dump Source

Source File: 00000001.00000002.2188405410.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_860000_MB263350411AE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a7cb426eff8da33c80adaa3ee400739a81de561afda3412c1049ce484314ba0
Instruction ID: 36b836ba4b741ccecbd7584d51bbafbec839a5600505d64faedd7225a3c66ef8
Opcode Fuzzy Hash: 7a7cb426eff8da33c80adaa3ee400739a81de561afda3412c1049ce484314ba0
Instruction Fuzzy Hash: 6D110FB6C003498FDB10DF9AC444A9EFBF4FF88724F10841AD418A7210D3B9A545CFA1

Function 0068D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032494c5f84f7671ee81ce609e8fa4a482d67170fa1f35cc2f5f340536474bd3
Instruction ID: 04d28a24a179bb3469adda4c7fbbf8226c4be81636b6034e43918f38aec839e9
Opcode Fuzzy Hash: 032494c5f84f7671ee81ce609e8fa4a482d67170fa1f35cc2f5f340536474bd3
Instruction Fuzzy Hash: 8F210372504244EFDB05EF14D9D0B2ABF66FB88314F20C669EE090B296C376D916CBB1

Function 0068D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b496af812b6a76b6a868a0005ee83f569c38a612d2c4fede47b703dac2a590
Instruction ID: 1b3cfacf3802b0d407ac621fc02d4d507bcb8db3b998ab463ab505749cc0eb4e
Opcode Fuzzy Hash: d2b496af812b6a76b6a868a0005ee83f569c38a612d2c4fede47b703dac2a590
Instruction Fuzzy Hash: 342128B2504240EFDB15EF14D9C0F26BF66FB84318F20C66AD9090B296C336D856CBB2

Function 0069D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187354882.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95d51d7a3f835dc312dabe89eee82d5a4b3b365ddc3cb2b9ad016f5cf126133
Instruction ID: 89df483cedd5c78ceac0d29d432f3d1e5346ae4d17b5e273f75d809c3668747f
Opcode Fuzzy Hash: b95d51d7a3f835dc312dabe89eee82d5a4b3b365ddc3cb2b9ad016f5cf126133
Instruction Fuzzy Hash: 1F210075604200EFDF14DF24D980B26BB6AFB84314F20C57DD90A0B792C37AD847CA61

Function 0069D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187354882.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1e0a354bbd8500e6aeab804ad3960574d70bc97a674d5527ad2946650e21a8
Instruction ID: 8ca39145e511fb6d10e529b8ceaf110d13c0064b3d7288698e2933a97650397a
Opcode Fuzzy Hash: bc1e0a354bbd8500e6aeab804ad3960574d70bc97a674d5527ad2946650e21a8
Instruction Fuzzy Hash: 5E212275504200EFDF04DF10D9C0B26BBAAFB84314F20C57DEA094B792C376D806CA61

Function 0069D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187354882.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ace7b040e73204c37eb3833a4ac76e00350ac3efb98bc25b121f648e6c16aa6
Instruction ID: 85ec32aae3e81f8be38fb41749111df3446e66959a01df67dbd880b6a1998107
Opcode Fuzzy Hash: 1ace7b040e73204c37eb3833a4ac76e00350ac3efb98bc25b121f648e6c16aa6
Instruction Fuzzy Hash: C9218E755083809FCB02CF14D994B15BFB6EB46314F24C5AAD8498B6A6C33AD806CB62

Function 0068D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction ID: 067f36b5c946d372cf59135decea2caa0f828f26711b84122a8a6b603f41db44
Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction Fuzzy Hash: A121E176404284CFCB06DF00D9C4B56BF72FB84314F24C2A9DD084B296C33AD926CBA1

Function 0068D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: bf4e24d6fbdaef3ff46e3eb8c79dfe80ed7bbfb9f501bb497f3e19b7d7721d71
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7F11E6B6504280DFCB15DF10D5C4B5ABF72FB94318F24C6AAD8490B756C33AD856CBA2

Function 0069D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187354882.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 9b4ca14285296876d9f9d811fb684f1ff27771952f62b1114789e011d1b32415
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: ED11BB75504280DFCB01CF10C6C0B55BBA2FB84324F24C6A9D9494B7A6C33AD80ACB61

Function 0068D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cb749d34062be455bf818870e44930e5f1dc125e6b8569a42ed1f8df84c6f2
Instruction ID: 6376ed90336b2e2d6b2d76464e2c838dccbeb71dd86471d0f0609a4f2112f52c
Opcode Fuzzy Hash: 21cb749d34062be455bf818870e44930e5f1dc125e6b8569a42ed1f8df84c6f2
Instruction Fuzzy Hash: 76012672004384AAF7106E65CD84B67BF99DF81364F18C61AEE081A2C6D6B99841CBB1

Function 0068D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187260454.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166fd2044c3bc99ff48577f94cdc609d9f7febe23847534e3e2f931131351969
Instruction ID: 6d055fdcb16fc44141592ee8114f28f55aee7463c1f8cc6dbadfc807706dac54
Opcode Fuzzy Hash: 166fd2044c3bc99ff48577f94cdc609d9f7febe23847534e3e2f931131351969
Instruction Fuzzy Hash: 91F062724053449AE7109E16D984B66FF98EB91734F18C55AED085A2C6C279A844CBB1

Non-executed Functions

Function 06BD3C48 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

L.H, xrefs: 06BD3CA3

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID: L.H
API String ID: 0-2555103419
Opcode ID: baba1e272e16cbf6f092bf3e522509374ec2925d1a66f32b74f57a3807f0a970
Instruction ID: bba986187c01654baed51a020551655efe49444f1fc2d35557eb48bb5404c3cf
Opcode Fuzzy Hash: baba1e272e16cbf6f092bf3e522509374ec2925d1a66f32b74f57a3807f0a970
Instruction Fuzzy Hash: ADE11DB4E002598FDB54DFA9C580AAEFBF2FF49304F248199D414AB356D730A942CF61

Function 06BD9C80 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5767484b1fdc0121223d3d3510d0c4c29439ece1170ead8af9a9b6c289a42a6
Instruction ID: 301edc8d5a941441c7fd2c92fb3a326fc0302a1dbdca171148aa1accc3d91246
Opcode Fuzzy Hash: d5767484b1fdc0121223d3d3510d0c4c29439ece1170ead8af9a9b6c289a42a6
Instruction Fuzzy Hash: 68D1ADB0B016048FDB99EB7AC8607AEB7E6EF89300F1044ADE156DB391EB35D845CB51

Function 04A00A00 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcd0b17ac5fe96f77186be6f8610873f80ef8a1292d1c64df1a5868b259c25f
Instruction ID: e6cc58ed2f2ded5b36189955b09a4c335e5550e1217f3b8b6a5aac2513b81f94
Opcode Fuzzy Hash: bbcd0b17ac5fe96f77186be6f8610873f80ef8a1292d1c64df1a5868b259c25f
Instruction Fuzzy Hash: E11252F0C817458AE718CF65F94C1897BB1BB89328FD08A09D2616F2E5DBB8156ACF44

Function 06BD1698 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928907106adc040eae98ef93302d7fbc05bdb65fc7db12948018e69be4bf499b
Instruction ID: 6e783dae437944c191d8147e294b56a7b09fe1fd1cb55ee51a309c0ab7e7aa4a
Opcode Fuzzy Hash: 928907106adc040eae98ef93302d7fbc05bdb65fc7db12948018e69be4bf499b
Instruction Fuzzy Hash: 8FE10EB4E001598FDB14DFA9C580AAEFBF2FF49304F248299D415AB356D7319942CF60

Function 06BD1F08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e465db9ed2cfa700bace7dd1e8a0c516d06f417657127ff99b5c137798c168
Instruction ID: dcccdbd72b7261f95a8b53c90778caf7c3284e40f03c4b13e1c62b869d568415
Opcode Fuzzy Hash: f6e465db9ed2cfa700bace7dd1e8a0c516d06f417657127ff99b5c137798c168
Instruction Fuzzy Hash: B0E10EB4E001598FDB14DFA9C590AAEFBF2FF49304F248199D914AB356D731A942CF60

Function 06BD1AD0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3377966a8087c119bdbdb16b8c9affb0c02f2f864cbbdbfa6641fd863b1df14
Instruction ID: 1ab2f3febde3648632154a243e7e9f30c756e1de422dcead9a24f2b0de710df6
Opcode Fuzzy Hash: e3377966a8087c119bdbdb16b8c9affb0c02f2f864cbbdbfa6641fd863b1df14
Instruction Fuzzy Hash: F2E1FEB4E102598FDB54DF99C580AAEFBF2FF49304F2481A9D814AB356D731A942CF60

Function 06BD3370 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7279cc4d6f61b81cef908d095263734b11c6f28645cf3553541e9159346f335
Instruction ID: 2fd3b6e926e593d0ad5cb110a9c5c2795809291e19247439008dce8b43653b16
Opcode Fuzzy Hash: b7279cc4d6f61b81cef908d095263734b11c6f28645cf3553541e9159346f335
Instruction Fuzzy Hash: D5E12CB4E002598FDB54DFA9C590AAEFBF2FF49304F2481A9D414AB356D730A942CF61

Function 04A00040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39051b17cb09e2da4adbeb87fdc1ccd131f178f3cee579b75817216c53684ef
Instruction ID: 78b6428450298a8bf5301800c496c23ccb7bbce84b8bd8219c8b13263c5c4c10
Opcode Fuzzy Hash: c39051b17cb09e2da4adbeb87fdc1ccd131f178f3cee579b75817216c53684ef
Instruction Fuzzy Hash: 1FA17F36E00209CFCF19DFB4D8405EEBBB6FF85304B15856AE906AB265DB31E956CB40

Function 04A009F0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2193864720.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a00000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38019e81217f1f381b22be0c8d2e450d6a00163e4c9fcaef8113e1f7585238
Instruction ID: e134ec488772768bfb59bec0495bdaa75c202066d61577a72d3b2531cf4ab8c9
Opcode Fuzzy Hash: 6b38019e81217f1f381b22be0c8d2e450d6a00163e4c9fcaef8113e1f7585238
Instruction Fuzzy Hash: 64C1F7B0C817458BE718CF65F84C1897BB1FB89328FE18B09D2616B2E1DBB4156ACF44

Function 06878851 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9140241b226fc582ff9cc083a39066c8019dee94b59453c408571c28c5e7c869
Instruction ID: b274a18a4efee5b7bb0aa8d436dc638b31a439544dca2cff052ec3db7fb9a117
Opcode Fuzzy Hash: 9140241b226fc582ff9cc083a39066c8019dee94b59453c408571c28c5e7c869
Instruction Fuzzy Hash: 7C615C70901605CFE758EF6AE950AAA7BF3FBDD304F14D12DD004AB22ADBB51906EB50

Function 06878860 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2195193283.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6870000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b959584ca7e0c2db111d5039cba2e295a2e99515879e338cdc174bb6379db2d3
Instruction ID: 663e6cfe999b8792083257f8a2dbbbef11cc5a38fc2dedd458ed294c86e82c0b
Opcode Fuzzy Hash: b959584ca7e0c2db111d5039cba2e295a2e99515879e338cdc174bb6379db2d3
Instruction Fuzzy Hash: B5614C70D00605CFE758EF6AE950A9A7BF3FBDD304F14D129D004AB26ADBB51906EB50

Function 06BD1EF8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196659184.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c30a9290d662653878851bd494ef2d9a44bdaee6f7baddbf9db8db2d8aafb3
Instruction ID: 150955661643f103c4737d6af017c01e14599f120c9cd14e7f0b02f8081078c6
Opcode Fuzzy Hash: 19c30a9290d662653878851bd494ef2d9a44bdaee6f7baddbf9db8db2d8aafb3
Instruction Fuzzy Hash: 71511DB5E002598FDB14DFA9C5505AEFBF2FF89304F2481A9D518AB316D7319A42CFA0

Analysis Process: MB263350411AE.scr.exePID: 7008, Parent PID: 4776COMMON

Executed Functions

Function 014EC530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 014EF910

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: d280ed3adfbbc6a138ebc336a02d07733a842bb6319b930dd705171113db7849
Instruction ID: 686dc49e83af3af90ef81454d59fae027e34fc423bc88c865d5f4b61fa32faf6
Opcode Fuzzy Hash: d280ed3adfbbc6a138ebc336a02d07733a842bb6319b930dd705171113db7849
Instruction Fuzzy Hash: A973E531C1075A8EDB11EFA8C854A99FBB1FF99300F15D69AE44877221EB70AAC5CF41

Function 014E1A4F Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f4e719b9b4ccebf2706a7dff2b25a340c6d4b61149eeeb9b565d3dc9639bdc
Instruction ID: a5fed7d083eec1f53a84ae99d4290dd992e9e021158a2fb05953a66caaf85127
Opcode Fuzzy Hash: 00f4e719b9b4ccebf2706a7dff2b25a340c6d4b61149eeeb9b565d3dc9639bdc
Instruction Fuzzy Hash: 8752173155CB628BC7B5CF2C9CA429ABBE2EF912387148BDEC0D646519E7719881CBC1

Function 014E9480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8146488c4845e101e8f44fea11db713ec2135a2993a8bcb41384f83cb1347140
Instruction ID: 21354ac16af1cefae8af3707e221c6af061f995d076a03a28cfbdfd65c4fae87
Opcode Fuzzy Hash: 8146488c4845e101e8f44fea11db713ec2135a2993a8bcb41384f83cb1347140
Instruction Fuzzy Hash: 88C19E74E01218CFDB14DFA5D998B9DBBB2FB88301F1091AAD809A7365DB355E85CF10

Function 014EC521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce7ca525be2bdd61dad4846669eab00725ea94435d7dd6ee33042f90844044d
Instruction ID: 8b34ae23b7920b58e1dc95163b4e3f821572c948fd5d53fee88fa2fa1fcf67fe
Opcode Fuzzy Hash: 0ce7ca525be2bdd61dad4846669eab00725ea94435d7dd6ee33042f90844044d
Instruction Fuzzy Hash: B5A10571D106598FDB10DFA9C8887ADFBB1FF89310F14C2AAD45867261EB709A85CF41

Function 014E9A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ec2ef103846bce4035ceb6e8a8d19f8456b6b4c49e313784ac00a2418aa3b5
Instruction ID: 273c74a0d47dc311fdb3829eac042b0ac5f89930220e77d3a648446fbc2702ee
Opcode Fuzzy Hash: 90ec2ef103846bce4035ceb6e8a8d19f8456b6b4c49e313784ac00a2418aa3b5
Instruction Fuzzy Hash: 8AA1F470D00208CFEB14DFA9C848B9DBBB1FF88305F20926AE509A73A1DB759985CF54

Function 014E9A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c78477564a878e86294607718debcc8935cb1ce406a561b2139e36a648eeba
Instruction ID: 592352806f55222d3f44d5e5090e632a26c69b1f9d52d884a9545cebcab67ffd
Opcode Fuzzy Hash: 52c78477564a878e86294607718debcc8935cb1ce406a561b2139e36a648eeba
Instruction Fuzzy Hash: A6A1F370D00208CFEB14DFA9C848B9DBBB1FF88315F20926AE509A73A1DB759985CF54

Function 014E9D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324df777b8dc4f11d9eff09bdfd55b9da80dc2e215103a267eb057643743c9e0
Instruction ID: ea05a056ca48ded25856665672b1973d7956bc0df1f9e6cf3f5a9dc11b4d0de7
Opcode Fuzzy Hash: 324df777b8dc4f11d9eff09bdfd55b9da80dc2e215103a267eb057643743c9e0
Instruction Fuzzy Hash: 8391E170D00218CFEB14DFA8C948B9DBBB1FF49315F20926AE509AB3A1DB759985CF14

Function 014E946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93468352fc7d50a40cffcde8fea392ec26b1795d8ca922b1a227d31709d6e79f
Instruction ID: 6ed6c699d8e7336890b4a951848f34dafd8c7e1ba1e9ce51e0d92ecd679612dc
Opcode Fuzzy Hash: 93468352fc7d50a40cffcde8fea392ec26b1795d8ca922b1a227d31709d6e79f
Instruction Fuzzy Hash: 6141D474D01248CBEB18CFAAD45869DFBF2BF89301F24D12AD819AB365EB384945CF50

Function 014EAD3D Relevance: 1.8, Strings: 1, Instructions: 516COMMON

Download Yara Rule

Strings

, xrefs: 014EB015

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 791204e5ee9e737ffef8cc89c061ca03ffc34ffd38525896f45326e04aaf942a
Instruction ID: f1296db00c12118d78d9c928f0fdd9c7995d6e58a4b0202951444d9493ca68cf
Opcode Fuzzy Hash: 791204e5ee9e737ffef8cc89c061ca03ffc34ffd38525896f45326e04aaf942a
Instruction Fuzzy Hash: 9E81C270B002088FDB1AAF78985826E7FE2EFC9661B14452AE526DB3E1DF349C01CB51

Function 014EAF78 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

, xrefs: 014EB065

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5006579389b8220cb5d440d8a05bb1050ba0c6352801b59c493e6a506a9f7441
Instruction ID: 0beab0eff5b49607574877ed6e9da25e8dab9568e982f98fcdf46d4ac109de42
Opcode Fuzzy Hash: 5006579389b8220cb5d440d8a05bb1050ba0c6352801b59c493e6a506a9f7441
Instruction Fuzzy Hash: 48B1E2707042088FDB1AAF78985866E7FE2EFC5661F10452BE9269B3E1CF359C01CB51

Function 014EB500 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30835ccbe29d7a9df29e73ddbb662596fa8a4caab798fea4256438ca24ebda4
Instruction ID: 65a492d20585ba36e29f0d080f46adb8a956ca69fcace45203d584a9fd09057c
Opcode Fuzzy Hash: b30835ccbe29d7a9df29e73ddbb662596fa8a4caab798fea4256438ca24ebda4
Instruction Fuzzy Hash: CCD1C575B002048FDB15DB68C894AAE7BF2FFC8321F24456AD546EB3A1DA31DC42CB91

Function 014EBF80 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac18ff7d2ea73df8fed4825a14c1ed1ed65c924e454b089ec26f04bf0c15d995
Instruction ID: 5c6cfd453e43f903ed102e99aa8a842ab0c8277701ae025c6adbcbe74ac6b128
Opcode Fuzzy Hash: ac18ff7d2ea73df8fed4825a14c1ed1ed65c924e454b089ec26f04bf0c15d995
Instruction Fuzzy Hash: 7A61D6B6B002059FD714DFBDD888A6FBFF5EFC9221B14852AE519D7360D631D8018790

Function 014E0B2F Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7695fd1b563068232e18c2580647d60357ef930abfaf9f305455330f2bdf1b2
Instruction ID: 0e7b0a7c3ea307884a4303955523118eb0559d3b5ca3baba04dc96f5dc4f10c6
Opcode Fuzzy Hash: e7695fd1b563068232e18c2580647d60357ef930abfaf9f305455330f2bdf1b2
Instruction Fuzzy Hash: FCA1AC74A0120ACFCB04EFA8E98499DBBB2FB84301F10556DD915BB365DB786D49CF81

Function 014E0B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8544ba60ffbd63b7be071e7e8815a8e85ec407751eb84cb6c31f495993297557
Instruction ID: 06177acdc6f6b8cce92008785d5d1bed6fd7ada9424020bd6fe330a8b5a64872
Opcode Fuzzy Hash: 8544ba60ffbd63b7be071e7e8815a8e85ec407751eb84cb6c31f495993297557
Instruction Fuzzy Hash: 46A1AD74A0120ACFCB04EFA8E98499DBBB2FB84301F10556DD915BB365DB786D49CF81

Function 014E2C6B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3033f2d9b3154baa414807dda179b33f45b2fa5ddda6f786074aadcf2c1d62
Instruction ID: 3077a81cee6884aaa8710033f3464e23330348f16d046871c87f6ca6704c8d57
Opcode Fuzzy Hash: 4f3033f2d9b3154baa414807dda179b33f45b2fa5ddda6f786074aadcf2c1d62
Instruction Fuzzy Hash: CE411B32B042158BDB194AA9DC9DA7F7AE9FFC0212F08007FDA06D73A1DAF58C468351

Function 014E3F78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d35d6df8d5e6d5f814f8ffa5b68aaeda5e34591cc0659a434dfd97aa216294
Instruction ID: a6cbb0182cbdcd5bdd11a8a1d682878b3efb33324bfc309c1e4c9bdab4d3ab1c
Opcode Fuzzy Hash: 52d35d6df8d5e6d5f814f8ffa5b68aaeda5e34591cc0659a434dfd97aa216294
Instruction Fuzzy Hash: 3351B474E00208CFDB58DFA9D488A9DBBF2BF89311F14846AE915AB364DB749945CF10

Function 014E3158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040c2efaa89e0af2463bedb43b4218872d907f9bb7508680a84dd7438d042635
Instruction ID: 3350b45093047771a6470fb49326fb18c2a5261dea8b1ff04095a228f68fe337
Opcode Fuzzy Hash: 040c2efaa89e0af2463bedb43b4218872d907f9bb7508680a84dd7438d042635
Instruction Fuzzy Hash: 7241A075E01208DFCB48DFAAD48499DBBF2BF89311F24916AE805BB364DB359846CF14

Function 014E3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff53c0f188e6dcea9f4903baa4c1925e1463258cf7303cc2956721e39067e164
Instruction ID: cfe45f10671749599abffbac065083f36960808b37253af6e683501b47859f69
Opcode Fuzzy Hash: ff53c0f188e6dcea9f4903baa4c1925e1463258cf7303cc2956721e39067e164
Instruction Fuzzy Hash: B641A174E01208DFCB08DFAAD88499DBBF2BF89301F24956AE805BB364DB359845CF14

Function 014E9249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aa89c0879e61ebd63bb91b3cf49485f44233978c4fec2db9f909490390a6c6
Instruction ID: 295d08027dd89d9ee584ac38c7135fd600c554450ae68b80b27e5239d93d1bd0
Opcode Fuzzy Hash: 96aa89c0879e61ebd63bb91b3cf49485f44233978c4fec2db9f909490390a6c6
Instruction Fuzzy Hash: C731B77143264E8FD3883B21A5AE27ABFA4FB4F327B087D05F12A80565BF7044848F64

Function 014EB869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeda2c59831fb4a2b5246894f45ddcc239219f1d335b75f65bfd85893c74a84
Instruction ID: d5db7eb7585674a36fbf83749a0514a865255419c9ddbddd2da746f81972b36c
Opcode Fuzzy Hash: aaeda2c59831fb4a2b5246894f45ddcc239219f1d335b75f65bfd85893c74a84
Instruction Fuzzy Hash: 79310735B001098FDB45DFA8C484E9DBBF2FF88220F155559E601AB365DA71EC46CB90

Function 014EB89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2281159cd46813899d23a1f0c4fdfdfa08b28e59b2f01ac9fde9e6bf79497114
Instruction ID: 3f8e95336adbf86c373e76b754f091e356c7d74302f90efed92046246dd7a291
Opcode Fuzzy Hash: 2281159cd46813899d23a1f0c4fdfdfa08b28e59b2f01ac9fde9e6bf79497114
Instruction Fuzzy Hash: ED310735B001098FDB45DBA8C484E9DBBF2FF88220F155559E601AF365DA71EC45CB90

Function 014EBDE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97abb7cb7f87a69dd2e537185e42cd3dfbae934ca11d41dc65578dd9ffe4f8af
Instruction ID: af7c94128813845a0b628484fd740e08d00ff7220a26dd73d47588b2efae2d26
Opcode Fuzzy Hash: 97abb7cb7f87a69dd2e537185e42cd3dfbae934ca11d41dc65578dd9ffe4f8af
Instruction Fuzzy Hash: BC21D3347002099FCB08EF69C955A6E7BB6FFD8312F24806AD6098B7A5DF319D01CB90

Function 014E18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66807077446496ff7542ec51144e6eaa9872cc132c64e376ebc8232001a992ee
Instruction ID: e0bda2c1d0cd15258138ab94fff48a519152478848dadef52a707647dcc7b7db
Opcode Fuzzy Hash: 66807077446496ff7542ec51144e6eaa9872cc132c64e376ebc8232001a992ee
Instruction Fuzzy Hash: 2F21B035A0014A9FCB14DF28D4449AF77A5EB89760B50C05AE80AAB350DB35EA46CB91

Function 014EBC28 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1277a04099d7743403974ce15d3b27cb21dadc9e6a528b3ddf6dc9b23210999
Instruction ID: eb8d104100bd35aa0e2fec4d12e75bcd17f89f7b84ec425c0bdf6fd81fd2cb85
Opcode Fuzzy Hash: c1277a04099d7743403974ce15d3b27cb21dadc9e6a528b3ddf6dc9b23210999
Instruction Fuzzy Hash: FA21FF317093894FD71AA7B8982966D3FE6DF96142B0944BFD509CB3A2DD348C05C361

Function 0148D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422048372.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_148d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3a51e0d90bbbde689f506de62ce7b2c2772bf263adc779b228b6727386fe28
Instruction ID: 8194ddd13da4b3bd16fbcee79f1f81a6f3379b10768053bca4d78a60274e47d9
Opcode Fuzzy Hash: ea3a51e0d90bbbde689f506de62ce7b2c2772bf263adc779b228b6727386fe28
Instruction Fuzzy Hash: 6F2137B1904204DFDB15EF54D9C0B2ABB61FB85318F20C56ED90A4B3A2C376D447CA62

Function 0148D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422048372.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_148d000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cd38d97e263ff920226a5f9635ee382973dc09b59e96180fe1b806d861d188
Instruction ID: 2269a5943d8c8af0ca740012afebedaf211dd5d48bdf88c69e01d9745f49b413
Opcode Fuzzy Hash: a4cd38d97e263ff920226a5f9635ee382973dc09b59e96180fe1b806d861d188
Instruction Fuzzy Hash: 06215A7150A3C49FCB03DF64D990715BF71AB47214F29C5DBD8898F2A7C23A984ACB62

Function 014EBD01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f497437ba04c5f3055ba762e79beb9187bb543691377f18924609eed84af3c2a
Instruction ID: 0b22c87d1526bda1031fa6abbb6366a79248bac0c9161d3bb2c7713eeb28811b
Opcode Fuzzy Hash: f497437ba04c5f3055ba762e79beb9187bb543691377f18924609eed84af3c2a
Instruction Fuzzy Hash: CE218E71A001099FDB44EFB9D855AAE7BF6EF98300B15846AE119E7265DB308E02CB50

Function 014E0ED7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7c981af79a355e1e8712b8bc217f864110742f2266682db3f2667e5ac8f54e
Instruction ID: 194b53751f100d5792a0cc04334cc7ca44cbcf06f8b67b8f2b218703964020c5
Opcode Fuzzy Hash: 6d7c981af79a355e1e8712b8bc217f864110742f2266682db3f2667e5ac8f54e
Instruction Fuzzy Hash: 75213E70E00209DBDB08EFA9C4587AEBBB2FB94305F10846E99146B364DBB89945CF41

Function 014E17B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3dc749c1194e5ec1e397baa887dce88e0fdafd68ddb9d76bce216f356ddf57
Instruction ID: ee13210f37a8cf9f91fe399edc460bbe3456b5fd6c2d19556d220ddcd451b756
Opcode Fuzzy Hash: 3a3dc749c1194e5ec1e397baa887dce88e0fdafd68ddb9d76bce216f356ddf57
Instruction Fuzzy Hash: 9821F570C4524A8FCB41DFB9D8545EEBFF0FF0A200F0445AAD449B7222EB345A95CBA1

Function 014EBB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67407e6896abae50f52684389f5066df9b5309c8d0c6bd25a28de10209a1d9d4
Instruction ID: 388771cdbda8b98f19e40ea9c77b67782d6989e1517dc6c553ab8665989aa083
Opcode Fuzzy Hash: 67407e6896abae50f52684389f5066df9b5309c8d0c6bd25a28de10209a1d9d4
Instruction Fuzzy Hash: 02116A71300214CFDB24DF69D988A56B7E6EF88722B2084AAE2498B775CA71EC04CB50

Function 014EBB22 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a8f3fc189bd2309c6a714e74849022a040e478aedab5c52fccbc47eb06705f
Instruction ID: e6036aa45dacdcd22fbabd19b0a9899a5056694dd65f78ed6e1732acbf60440c
Opcode Fuzzy Hash: 78a8f3fc189bd2309c6a714e74849022a040e478aedab5c52fccbc47eb06705f
Instruction Fuzzy Hash: 26116DB17052008FDB258F69C948B567BE5EF99612F1680AED149CB7B6CA70D805CB11

Function 014E4850 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e308bd1b32d0f7c917e9ac087e0815636b1772d27cf2ebaf2a54b8e8a63205
Instruction ID: 2c8f4af58b22ebe4f8942d7712223b76bc05f2c6e6281864715738d899715917
Opcode Fuzzy Hash: e9e308bd1b32d0f7c917e9ac087e0815636b1772d27cf2ebaf2a54b8e8a63205
Instruction Fuzzy Hash: AA012436F412450FD714AA7A8C1852F77EBAFC4126705443ED509C7365FE70CC018B90

Function 014E4860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2d80063edf241d10d6498e69604fa611f4446719ecbaa276896da4c360b2e3
Instruction ID: 4796bb70af4d106d8e18f6ec45de19e5f667b3e6a21bd21dfaf5c2cb10780827
Opcode Fuzzy Hash: fd2d80063edf241d10d6498e69604fa611f4446719ecbaa276896da4c360b2e3
Instruction Fuzzy Hash: BF01FD36B012414FD714AABA8C0852F77EBAFC4165714493EDA09C7364FE70CC008B90

Function 014EA508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e6b339ebba0fd1bcdfaac40b81c2bc2049494b4e6dde13301fdffe43bbf5a7
Instruction ID: 06cb7701d3b5f32848b587b9c50357f1c2d4c9c6555a6a5554239330ff9fe212
Opcode Fuzzy Hash: 52e6b339ebba0fd1bcdfaac40b81c2bc2049494b4e6dde13301fdffe43bbf5a7
Instruction Fuzzy Hash: ED014C75A1020D9FDB589F69E8595AE7FB5EB88251B10443AF91A93350EB308D10CBA1

Function 014EA4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83c666d4167b19e1d6bab3fd7eb3ab5247687323a361256f6ded50b38259e36
Instruction ID: 405829f24778817fbbddd71b58871cd6e4ce9270dded76b5c0ca41c9410bfd7e
Opcode Fuzzy Hash: b83c666d4167b19e1d6bab3fd7eb3ab5247687323a361256f6ded50b38259e36
Instruction Fuzzy Hash: 48014F7191021DAFCB54DF69DC499AF7FB5FB88251B504526F919D3350EB308910CBA1

Function 014EBEF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa633bda5a97b64d95c75c350954e438259b0107d9341d2fd7e447fa3090f06
Instruction ID: 731fb527626f6b403256b3bee80b1645027194c8641a214714f6f128fc40ee95
Opcode Fuzzy Hash: ffa633bda5a97b64d95c75c350954e438259b0107d9341d2fd7e447fa3090f06
Instruction Fuzzy Hash: B3F02B36B002089BCB092774D81E66D3FD6EFC9621B144827F60AC7391DE35CC42C790

Function 014EBD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb92f1d9ae6685bc498ff82c21dd70b8d917a43044f74fdfb024610de5cc45
Instruction ID: 582305175d431827f20ca9262f2f027115b86f8528c16f34d7057e41ecfdb801
Opcode Fuzzy Hash: 1dfb92f1d9ae6685bc498ff82c21dd70b8d917a43044f74fdfb024610de5cc45
Instruction Fuzzy Hash: A7F06272A00109AFCB40EFA9DC44DBF7BF9FF4C211B00406AF519D7221EA3599118BA0

Function 014EC1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22637f0edcc6dcd4e5a45bbca457c3083f23399e525412bc684bfdb4b74b40e
Instruction ID: c7996bdbee609836a53ee9632aeb2c625cd5145e17eb6410294c335016f077f3
Opcode Fuzzy Hash: f22637f0edcc6dcd4e5a45bbca457c3083f23399e525412bc684bfdb4b74b40e
Instruction Fuzzy Hash: C7F0A7327005155FCB1A576EE45895EB7E9DFC5632714007BE509D7360DE31DC028B90

Function 014EB9EA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4827caba0f5b462336bb2ed412b84fc6a51170751e8e5f986e0dff796aa2a1ba
Instruction ID: 629ee5c6848f7348535a7567da460ab44f7656abd97c75c74b42778de622464a
Opcode Fuzzy Hash: 4827caba0f5b462336bb2ed412b84fc6a51170751e8e5f986e0dff796aa2a1ba
Instruction Fuzzy Hash: FEF0E9B6E001089FCB51DFA9D9805EFBBF6FF5C251B40462BD209D3710E630990687D1

Function 014E46C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e39b1e860bbac90ede490d8982444cf62a437f7031b5fe362fabc8c5513c02
Instruction ID: 5eb2446e1ce859be908e5358195aeb9414bc0764689f332339cec01cebf9d583
Opcode Fuzzy Hash: d9e39b1e860bbac90ede490d8982444cf62a437f7031b5fe362fabc8c5513c02
Instruction Fuzzy Hash: BAF092350693828FD3212B24B8AC32E7F70EB0B31BB496D5AA14DD947ACB7058548B25

Function 014EB9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52f37c1f1316b765ce7696342619d6413c1b598c944a8e02e297b725fea1a63
Instruction ID: 37f361e1373a57b431f9849b9f259676c3085e4469d4db77ec2a0d5efded6db3
Opcode Fuzzy Hash: b52f37c1f1316b765ce7696342619d6413c1b598c944a8e02e297b725fea1a63
Instruction Fuzzy Hash: 1AF01271A042089F8B50DFAE984099FBFF6FF98250B50452BD609D3715EA7099168BE1

Function 014E46D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62abdc57b8fda4c1bbb3326f49504710645702e8c95dba85759bf3a48748331e
Instruction ID: 5e6a7d08a2c54860127b5a8f77c62de9480fd0e5ca71476cfd28ab8b20c948e8
Opcode Fuzzy Hash: 62abdc57b8fda4c1bbb3326f49504710645702e8c95dba85759bf3a48748331e
Instruction Fuzzy Hash: 2FE09934061303CBE3202B20B4AC33E7BB5EB0B31BB842D08A10EE80388F7048848B25

Function 014E1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b0ddc0c68e4682d4844edd44675165202da6ac1a5e54d97c2bf824ba7f54bf
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: d5b0ddc0c68e4682d4844edd44675165202da6ac1a5e54d97c2bf824ba7f54bf
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 014E1887 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21269c602cd5a6e4fb62f707f2dfb1484c8060aeb0bd3920a182a4fbfef6e10
Instruction ID: 7c15a701314dad7276c0dfacd44edddcc9fd329bac863493924e5fcdaec31331
Opcode Fuzzy Hash: c21269c602cd5a6e4fb62f707f2dfb1484c8060aeb0bd3920a182a4fbfef6e10
Instruction Fuzzy Hash: 0AE02B31D2026B56CB11D7B0FC404FEFB34EED1220B544266E81033000EB30165ECBA0

Function 014E4831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3422681721.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14e0000_MB263350411AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f3b369244004a9774f2e22cfcf64a901ad1203c7d83d5aff4fdd06f24c4d28
Instruction ID: d2514d87a33e87538dd90b2a5d46a65cf0686c8eb22b3a8edc39e2e098428103
Opcode Fuzzy Hash: e6f3b369244004a9774f2e22cfcf64a901ad1203c7d83d5aff4fdd06f24c4d28
Instruction Fuzzy Hash: 96B092A298038812DF161620D93B3A96B10EB51218F98089D888AC42A9EA188420C200

Analysis Process: SnqkwvE.exePID: 1220, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	223
Total number of Limit Nodes:	12

Executed Functions

Function 00BDDDC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BDDE3E
GetCurrentThread.KERNEL32 ref: 00BDDE7B
GetCurrentProcess.KERNEL32 ref: 00BDDEB8
GetCurrentThreadId.KERNEL32 ref: 00BDDF11

Memory Dump Source

Source File: 00000009.00000002.2228135495.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_SnqkwvE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6f1c850dda67012ed63aa789731c81b4eb746fecbeb210fa6ea5a18605486056
Instruction ID: c54488cbe605c49eadabe49e29c9d3519ed691ae1461071b0234410a61fd2b50
Opcode Fuzzy Hash: 6f1c850dda67012ed63aa789731c81b4eb746fecbeb210fa6ea5a18605486056
Instruction Fuzzy Hash: C05177B090134A8FEB44DFA9D548B9EBBF1FF88314F20805AE019A7350DBB4A844CB65

Function 06EA4494 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EA46D6

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c9ae40a34d0f26cf4354d62380007976b40e080ab70932a71be4659893115f90
Instruction ID: 10cfac722f57967f13dda257ba4cb6c8a4c4759acbc070e7e8eb6fb54b525b1a
Opcode Fuzzy Hash: c9ae40a34d0f26cf4354d62380007976b40e080ab70932a71be4659893115f90
Instruction Fuzzy Hash: 5AA15C71D00759DFEB50CF68C841BDDBAF2BF49314F1485A9E818AB280DBB4A985CF91

Function 06EA44A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EA46D6

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9a8a228302a18c974fcf3077532d3eb758b2a7245a948ed5c234b720936d59f6
Instruction ID: 0f66b39474bbac83df842dc039751fc105fc10a4d931e042a84482c6186b169d
Opcode Fuzzy Hash: 9a8a228302a18c974fcf3077532d3eb758b2a7245a948ed5c234b720936d59f6
Instruction Fuzzy Hash: 50914C71D00359DFDB54CF68C8417DDBAF2BB49314F1485A9E818AB280DBB4A985CF91

Function 00BD590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59C9

Memory Dump Source

Source File: 00000009.00000002.2228135495.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_SnqkwvE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4e72a33d6f0137f7c6a47b2d2a5d473da1781bd7fed696aa9f90a432d292c61e
Instruction ID: 5d15875916e05e8eb61d29a26647953bfc6b95313e0e249c43afd93ba5048b08
Opcode Fuzzy Hash: 4e72a33d6f0137f7c6a47b2d2a5d473da1781bd7fed696aa9f90a432d292c61e
Instruction Fuzzy Hash: CA41D2B0D0071DCBDB24CFA9C98479EBBF5BF49704F20816AD508AB251DB75A946CF90

Function 00BD4514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59C9

Memory Dump Source

Source File: 00000009.00000002.2228135495.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_SnqkwvE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9366943e25c733985758e9780ca160e0d4f58cb238c63288f0cc992596a18ade
Instruction ID: 3bb1c26ee2b1b114d8c629f6b2be3a7a52fe527ed324fd352239d127b2450d31
Opcode Fuzzy Hash: 9366943e25c733985758e9780ca160e0d4f58cb238c63288f0cc992596a18ade
Instruction Fuzzy Hash: 2041D2B0D0071DCBEB24CFA9C984B9DBBF5BF49704F20816AD508AB251DBB5A945CF90

Function 06B40978 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B40A17

Memory Dump Source

Source File: 00000009.00000002.2235677133.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b40000_SnqkwvE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c957c033a9f89024ca3d4df13bd085a5c3dac5585ee821febfdb50a22e41dd89
Instruction ID: 0aa446d10f708fd8b64d54327c165f5a4b8bba636f09fc5307481657a4bed5c4
Opcode Fuzzy Hash: c957c033a9f89024ca3d4df13bd085a5c3dac5585ee821febfdb50a22e41dd89
Instruction Fuzzy Hash: 3431D1B5D002099FDB10DF9AD880ADEBBF5FF58220F14842AE919A7210D775A941CBA0

Function 06EA4210 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EA42A8

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 884b8ba8046d79046ec1ef728bb3458aa7ac5cbcd76c0ee82d9b1d6dbaff8978
Instruction ID: 483501a8afa109dc5ebf0d89d3cba093cf2cc4d372cf755e57549b6340542d9b
Opcode Fuzzy Hash: 884b8ba8046d79046ec1ef728bb3458aa7ac5cbcd76c0ee82d9b1d6dbaff8978
Instruction Fuzzy Hash: 52211771900349DFDB50CFA9C885BEEBBF5BF48310F108429E919A7240D7B9A951CBA0

Function 06EA4218 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EA42A8

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c93efec848da25ec26c4f1055da9584bdbd120c8e90bca349b42a3f54a3da2b5
Instruction ID: bc39814c257577f94ef81a3de29c7ea16e8bb58d2ee329f1d95944edbcac1f26
Opcode Fuzzy Hash: c93efec848da25ec26c4f1055da9584bdbd120c8e90bca349b42a3f54a3da2b5
Instruction Fuzzy Hash: F7211571900349DFDB10CFA9C885BDEBBF5FF48320F108429E918A7240D7B8A950CBA4

Function 06B40980 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B40A17

Memory Dump Source

Source File: 00000009.00000002.2235677133.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b40000_SnqkwvE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7139d8d3cbe5f21e029c48da6085d54d6df8484384ef30000dbf20c3a9209565
Instruction ID: 599cd5146d1c4f3d75354d2e881c56e3eba6943a725a801ae5be6eab832ac341
Opcode Fuzzy Hash: 7139d8d3cbe5f21e029c48da6085d54d6df8484384ef30000dbf20c3a9209565
Instruction Fuzzy Hash: FC21CEB5D002499FDB10DF9AD884A9EFBF4FF58220F14842AE919A7210D775A954CFA0

Function 06B44EE8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 06B44F77

Memory Dump Source

Source File: 00000009.00000002.2235677133.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b40000_SnqkwvE.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: edaaa942982d8f25b8fdfa3bc886604661bcec87327e75d1d9d8984baad5ce37
Instruction ID: 4d26214d635db2c89c5e842fba6126982679e4e5e3abe9e258b2fe2261c52665
Opcode Fuzzy Hash: edaaa942982d8f25b8fdfa3bc886604661bcec87327e75d1d9d8984baad5ce37
Instruction Fuzzy Hash: 5B2169B19053999FDB20EFA9D444BDEBFF4FB49314F10804AE898A7241C774A909CFA1

Function 06EA4078 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EA40FE

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a11782ce976670275396774c3c0ad11cda0f0117dbc8295fe2a4ae595f656599
Instruction ID: 798d6f686f0b7b2f4a074d01fed1468ed0b41ab1da940189e4b7587394bfd70c
Opcode Fuzzy Hash: a11782ce976670275396774c3c0ad11cda0f0117dbc8295fe2a4ae595f656599
Instruction Fuzzy Hash: 66213971D00309CFDB50DFA9C4857EEBBF4BF98314F148429D519A7240D7B8A955CBA1

Function 06B44EF8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 06B44F77

Memory Dump Source

Source File: 00000009.00000002.2235677133.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b40000_SnqkwvE.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: e9f84c24fd097bc7e47d662ea828b37e7c2604b75b25b74ecd7dd81c9bc8fe33
Instruction ID: 83f50caba2bf07597d5dc35933407b35bf83e37a8f5aeaa1f465e50e2f6b106a
Opcode Fuzzy Hash: e9f84c24fd097bc7e47d662ea828b37e7c2604b75b25b74ecd7dd81c9bc8fe33
Instruction Fuzzy Hash: 76217AB1A002499FDB50EF99D404BAEFBF5EF88314F10801AE959B7380C774A909CFA1

Function 06EA4308 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EA4388

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fe8b9d888a2d6afa03d65452a3bb26ff5fa85d413f185477c0eef32ee7812a7a
Instruction ID: 01a2202b127ead48d3f99dd4a1283b6dccd6b6c802d1cac90bc70cd00abb868c
Opcode Fuzzy Hash: fe8b9d888a2d6afa03d65452a3bb26ff5fa85d413f185477c0eef32ee7812a7a
Instruction Fuzzy Hash: 78211671900349DFDB10DFAAC885BDEBBF5FF48320F108429E518A7240C778A514CBA5

Function 06EA4080 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EA40FE

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 11b1ca8b4a3534c0f94b2a759f4f690aa9c0d97be1742c9187e5571d1faaa55b
Instruction ID: 525fc9950f671f75b7fae40585a1733845fb06194fcaba29e4d44f4a40909164
Opcode Fuzzy Hash: 11b1ca8b4a3534c0f94b2a759f4f690aa9c0d97be1742c9187e5571d1faaa55b
Instruction Fuzzy Hash: 1D213871D00309CFDB10DFAAC8857AEBBF4BF98324F148429D519A7240DBB8A944CFA5

Function 00BDE008 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDE08F

Memory Dump Source

Source File: 00000009.00000002.2228135495.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_SnqkwvE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d86b7edf981a32f185668c2b5e3c928a917f37b78be3b82f202f7e68f0c95836
Instruction ID: 998e16a391cffa29bb48f6ef19b5c52cfe840988be8306fe3998963b59254c92
Opcode Fuzzy Hash: d86b7edf981a32f185668c2b5e3c928a917f37b78be3b82f202f7e68f0c95836
Instruction Fuzzy Hash: ED21E3B59002499FDB10CFAAD984ADEFBF8FB48320F14841AE914A7310D374A950CFA4

Function 06EA4150 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EA41C6

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3dbbb20717f3e8e6811679c7b9a78fbb87ccf212f9f18583c760dfded329981b
Instruction ID: 8100e2bbb859efdaea9affc7b2db38583224d19bf5553b8fd5717ad3e1e73d71
Opcode Fuzzy Hash: 3dbbb20717f3e8e6811679c7b9a78fbb87ccf212f9f18583c760dfded329981b
Instruction Fuzzy Hash: 05115672900349CFDB10DFA9C844BEEBFF5BF98320F208819E519A7250C7B5A514CBA1

Function 06EA4158 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EA41C6

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91b0bbc2bbe45f5aada4e18b86d2d0b3c6ceab7f189e759e4149da78fc0d34a3
Instruction ID: 3933273b181d41e39e2a27441b51bbe93514acec64340a7266151e8f243e0435
Opcode Fuzzy Hash: 91b0bbc2bbe45f5aada4e18b86d2d0b3c6ceab7f189e759e4149da78fc0d34a3
Instruction Fuzzy Hash: 16115672900349DFDB10DFAAC845BEEBBF5FF88320F108819E519A7250C7B5A510CBA0

Function 06EA3B90 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06EA3BFA

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 730cd54eac667535fbba808466ba1409b722c3b49fc1d0261c913692455ce87f
Instruction ID: 4f9a1cbeda6f5249e9a45fc07587d9906d1a75aded8be971b32b993258120298
Opcode Fuzzy Hash: 730cd54eac667535fbba808466ba1409b722c3b49fc1d0261c913692455ce87f
Instruction Fuzzy Hash: 2C113A71D00349CFDB10DFAAC8457EEFBF5AF88324F248419D519A7240C775A940CB94

Function 06EA3B98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06EA3BFA

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3321bc83582d61b8adc9d0c93dcc26c66d30da495c34c446fc6dc9229868d6dc
Instruction ID: 65dd4000a70473377b0017dd0615a198c34e9f51f411b1623d32bcfc6ed52a79
Opcode Fuzzy Hash: 3321bc83582d61b8adc9d0c93dcc26c66d30da495c34c446fc6dc9229868d6dc
Instruction Fuzzy Hash: 571106B1D003498FDB20DFAAC84579EFBF5AF88724F248419D519A7240CB79A944CBA5

Function 06EA3B94 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06EA3BFA

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 378508b43df184bf30ce9f4c3c2f1321e11b2685de2ecb666f6885ed717857f2
Instruction ID: c586aab0d503763a54a08198f65461ae019115379c46040a4791678851c14198
Opcode Fuzzy Hash: 378508b43df184bf30ce9f4c3c2f1321e11b2685de2ecb666f6885ed717857f2
Instruction Fuzzy Hash: E4112875D003498FDB10DFAAC84579EFBF5AF88324F248819D519A7240CB75A944CBA5

Function 00BDBD20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BDBD86

Memory Dump Source

Source File: 00000009.00000002.2228135495.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_SnqkwvE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fb1833ff805a9929d905f4ca4a2293ff5306ae8196e4f3b0d88bcb0f51cf5cc5
Instruction ID: 6c00c75d2e33ae5eb72cdd59ae5cadaab42a08ff4cfaaf9918fe53c057841f78
Opcode Fuzzy Hash: fb1833ff805a9929d905f4ca4a2293ff5306ae8196e4f3b0d88bcb0f51cf5cc5
Instruction Fuzzy Hash: 3E11F0B6C00349CBCB10DF9AC444A9EFBF5AF88320F10846AD418A7210D3B5A545CFA1

Function 06EA7360 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06EA7A45

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5163a3bfd6d8606da64e14503133c6eb9c29e995d219aad52d8c1b21cfcc1bbb
Instruction ID: d9abc95810eda359b149533cb27432000eb5270db300b025dff1e0e1d4fa0dba
Opcode Fuzzy Hash: 5163a3bfd6d8606da64e14503133c6eb9c29e995d219aad52d8c1b21cfcc1bbb
Instruction Fuzzy Hash: B61103B5900349DFDB50DF9AC945BDEBBF8FB48324F10941AE918A7200C3B5A954CFA1

Function 06EA79E0 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06EA7A45

Memory Dump Source

Source File: 00000009.00000002.2236371842.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_SnqkwvE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be0573679ef0e726a696c31f1f53fd409e652ad9c3f2a44ff96ff03ff23b6e17
Instruction ID: 84a3e7f3921a57ac5f958d41c01b4ea1e412c5c8d9753209f41debe6bdfc04db
Opcode Fuzzy Hash: be0573679ef0e726a696c31f1f53fd409e652ad9c3f2a44ff96ff03ff23b6e17
Instruction Fuzzy Hash: B41115B5800349DFDB10CF99D985BEEBBF4FB48324F20941AD519A7200C375A644CFA1

Function 00A6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225884270.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e4b822f7b30547fb52360bf8fafa491bac9a742d8d48c3a65d5fed1a904ee6
Instruction ID: 0f2c59bf432a43f9e1de4f64a3be910310edbabe84528592a2caba3b6d911395
Opcode Fuzzy Hash: 98e4b822f7b30547fb52360bf8fafa491bac9a742d8d48c3a65d5fed1a904ee6
Instruction Fuzzy Hash: D2210372A04240EFDB15DF14D9C0B26BF75FB88358F24C569E90A0B656C336D856CAA1

Function 00A6D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225884270.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd0dfc8c1425cff54170a0a703aa16636aeb498f1d5b554ef4b1ff226a2ac41
Instruction ID: 08712b134f05978bb268c096f68abd59c9f7cf93b18f6f2f3c85d797ef4f973e
Opcode Fuzzy Hash: 1dd0dfc8c1425cff54170a0a703aa16636aeb498f1d5b554ef4b1ff226a2ac41
Instruction Fuzzy Hash: 532136B6A00244EFDB04DF00D9C4B26BF75FB98364F20C168D9090B256C736EC56CAA1

Function 00A7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225964885.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90687885140fe17256a4e2afe358ffd1d3b84573e39f9d874d222691428acdd
Instruction ID: 23d82bf71bf1500841fe6668a7cd8146cc342211478100783728ca72ab5edae6
Opcode Fuzzy Hash: d90687885140fe17256a4e2afe358ffd1d3b84573e39f9d874d222691428acdd
Instruction Fuzzy Hash: 9321D0B5604204EFDB05DF14D9C0B66BBB5FF84314F24C6ADE90E4B292C776D846CAA1

Function 00A7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225964885.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf4db89233aba03888f92e805b0500abe7fbbc5b086743d8ba1eedbd8c8e3a3
Instruction ID: 69328d55505df0fd8f3485b2c650ac06d45a005d1b633a23928e0b9ffa1b79c1
Opcode Fuzzy Hash: 4cf4db89233aba03888f92e805b0500abe7fbbc5b086743d8ba1eedbd8c8e3a3
Instruction Fuzzy Hash: 72210E75604200EFCB14DF24D980B26BBB5FF88314F20C56DE90E0B296C37AD807CA61

Function 00A6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225884270.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 1b024368f35371feb3c1e9006481ac3c0680213bbd519baf4661f04e15cd2832
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: CF11E676904280CFCB16CF10D5C4B16BF71FB94318F24C6A9D84A0F656C33AD856CBA1

Function 00A6D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225884270.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 975764cd515c4e868fdebdecdb2f45f6c539aefae921e022fa844f5ea989c9fa
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 1011E6B6904284DFCB16CF10D5C4B16BF71FB94324F24C6A9D8094F656C33AE856CBA1

Function 00A7D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225964885.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: ddcbe480f6cabb983591df35f17d9b265d5b85462379d229d2b116cb8422753d
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9A118E75504284DFCB15CF14D9C4B15BB71FB44314F24C6A9D84E4B656C33AD85BCB61

Function 00A7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2225964885.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: aedde42f5afe06d5b9fc19254c5e083657edb133e69d22c2a7e12a679cb03278
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 7A118BB5504284DFCB15CF10D9C4B55BBB1FF84314F28C6A9D8494B6A6C33AD84ACBA1

Analysis Process: SnqkwvE.exePID: 5608, Parent PID: 1220COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.3%
Total number of Nodes:	68
Total number of Limit Nodes:	11

Executed Functions

Function 0131C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0131F910

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: be01f056258d96f23d7645448c9d08f062dba4f588c1727f6fe3047a619da9c0
Instruction ID: 0b3144ae383e9f70ab2ddca6f5a90613e27b718eec4aded37fe2a9114cbe85c7
Opcode Fuzzy Hash: be01f056258d96f23d7645448c9d08f062dba4f588c1727f6fe3047a619da9c0
Instruction Fuzzy Hash: DB73F531C1075A8EDB11EF68C844A99FBB1FF99304F14D69AE44877225EB70AAC5CF81

Function 030E0AB8 Relevance: 3.5, APIs: 2, Instructions: 529
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 030E0D70

Memory Dump Source

Source File: 0000000C.00000002.3424666482.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_30e0000_SnqkwvE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3dda906b5df28504221b27b05508543f7d8c90155d208ed729e30c58432e3beb
Instruction ID: 72049b6bb1de4da63849105aa55ac958de077aff51fe5a352ddf245dc077953d
Opcode Fuzzy Hash: 3dda906b5df28504221b27b05508543f7d8c90155d208ed729e30c58432e3beb
Instruction Fuzzy Hash: E6222974E01219CFDB18DFA9C884B9EFBB2BF88304F1485A9D409AB355DB719986CF50

Function 030E0CD8 Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 030E0D70

Memory Dump Source

Source File: 0000000C.00000002.3424666482.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_30e0000_SnqkwvE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 245fa79b5acd2fe248e445951a1b6ce84b4324daca2e77b3fa45e3a5a9506e13
Instruction ID: ef6ef66501f60d372a041ccbcb4f22d9b2e609f1ded0c2903aeca564b69387ba
Opcode Fuzzy Hash: 245fa79b5acd2fe248e445951a1b6ce84b4324daca2e77b3fa45e3a5a9506e13
Instruction Fuzzy Hash: 0631E7B1E016189BEB18CFABD8847DDFBF6BF88314F14C66AD418A72A4DB7049458F10

Function 013127B9 Relevance: .7, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6cbed86bbc489d497df213121787921e5d1328eee9dae6732be0e7ffa25ba5
Instruction ID: 6ee006ec5b20f2468af609bc58730f6e93bfbd45873f91caec322125b3b76a1f
Opcode Fuzzy Hash: 6d6cbed86bbc489d497df213121787921e5d1328eee9dae6732be0e7ffa25ba5
Instruction Fuzzy Hash: 7542F73255A3A58FC74F5F74D45A2A73FB1AF6B21C36814ECD483CA4B5E2AA1483CB05

Function 013119B8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1622999d20a28d95fdabc764233077068eba660447526cda93c080dbf4cd2f43
Instruction ID: 4b5e597b2a1c0f672bc60430bd36118e19f525f49f20988115ed1f499adf65dd
Opcode Fuzzy Hash: 1622999d20a28d95fdabc764233077068eba660447526cda93c080dbf4cd2f43
Instruction Fuzzy Hash: E7C1B0319053298FCB9EAF78D4452EB7BB2FF59304F6058A9D142EB1A8E7314983CB40

Function 01319480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fbe00e0a1d41bc6b5d39629eaf2bb3fa1029b57b2d2a742f0116ffa6591dc9
Instruction ID: 04d23e52d8457aa1faf120dde27c05eb4bc3bae1884dab3e9410f932baf443e9
Opcode Fuzzy Hash: 76fbe00e0a1d41bc6b5d39629eaf2bb3fa1029b57b2d2a742f0116ffa6591dc9
Instruction Fuzzy Hash: 69C19E74E01218CFEB14DFA5D994B9DBBB2FB88304F2081A9D809A7365DB355E85CF11

Function 0131C521 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a372931a3193a3509b4faeb941773ab4531f09e7d02e00bfc3b54ee2e5c785a8
Instruction ID: fb401aa7eb1fecb3adff4a69be27a23b2983dd201d684adbe21458e9b48323a8
Opcode Fuzzy Hash: a372931a3193a3509b4faeb941773ab4531f09e7d02e00bfc3b54ee2e5c785a8
Instruction Fuzzy Hash: 83A12371D006598FDB14DFA9C884BEDFBB1EF89314F10D2AAD408A7265EB709A85CF40

Function 01319A30 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d4810a312776762b8bd2330eb2e745a03c541b14f207e639283cd163afb9ae
Instruction ID: 358ebdc475c9f5ab875ed4aa73ba47988fb6bba0ac192af9ca94cda814b5ed31
Opcode Fuzzy Hash: 51d4810a312776762b8bd2330eb2e745a03c541b14f207e639283cd163afb9ae
Instruction Fuzzy Hash: D2A11570D00208CFEB24DFA9C958BEDBBB1FF89314F208269D409A72A5DB759985CF50

Function 01319D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea013f27d725fc34ef29269001262efbec95fc92586b07961ea97f3c34f802a
Instruction ID: f006036ce2549d4fff963b19be1afcf877d92e54d4d45f57841c2b84bdd1866d
Opcode Fuzzy Hash: 7ea013f27d725fc34ef29269001262efbec95fc92586b07961ea97f3c34f802a
Instruction Fuzzy Hash: 0C911570D00208CFEB24DFA8C458BDCBBB1FF49318F209259E409AB295DB759985CF14

Function 0131946F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc205682571c0ec7e84fedd3c79b606d779e1158870a4f84aae35b92ee3e0d6
Instruction ID: 1e4cd9693921776751ec8b779b2695d583675404275d833d95cc7e3599cc2ef6
Opcode Fuzzy Hash: 6bc205682571c0ec7e84fedd3c79b606d779e1158870a4f84aae35b92ee3e0d6
Instruction Fuzzy Hash: 4341D374E01248CBEB18DFAAD95479DFBB2BF88304F24C12AC815BB259EB345945CF54

Function 055AA540 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055AA5CE
GetCurrentThread.KERNEL32 ref: 055AA60B
GetCurrentProcess.KERNEL32 ref: 055AA648
GetCurrentThreadId.KERNEL32 ref: 055AA6A1

Strings

Ltv, xrefs: 055AA56C

Memory Dump Source

Source File: 0000000C.00000002.3427607632.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_55a0000_SnqkwvE.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Ltv
API String ID: 2063062207-427712718
Opcode ID: 4b613e48edf0474dafc7981a43780876ae8086a740cbc09136fb2474aa5ce1a3
Instruction ID: cd5867807092fa11673c1e31631dc23d6f70b8bbf7a911c9b4cc13c87f786b68
Opcode Fuzzy Hash: 4b613e48edf0474dafc7981a43780876ae8086a740cbc09136fb2474aa5ce1a3
Instruction Fuzzy Hash: FD5165B190130A8FDB14CFAAD948BAEBBF1FF88314F20805DD019A7250DB789944CF65

Function 055AA550 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055AA5CE
GetCurrentThread.KERNEL32 ref: 055AA60B
GetCurrentProcess.KERNEL32 ref: 055AA648
GetCurrentThreadId.KERNEL32 ref: 055AA6A1

Strings

Ltv, xrefs: 055AA56C

Memory Dump Source

Source File: 0000000C.00000002.3427607632.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_55a0000_SnqkwvE.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Ltv
API String ID: 2063062207-427712718
Opcode ID: 90160d3a3bee47df85c1ead8c20b11dcc4ebdc0542b4a89085e2b3b69a769d13
Instruction ID: 414e8dcfa97f0e44d94886311af69fd44741b456ee555b831fe9499c25924ec3
Opcode Fuzzy Hash: 90160d3a3bee47df85c1ead8c20b11dcc4ebdc0542b4a89085e2b3b69a769d13
Instruction Fuzzy Hash: 165165B190134A8FDB14DFAAD948BAEBBF1FF88314F20805DD119A7250DB789944CF66

Function 055AA792 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055AA81F

Strings

Ltv, xrefs: 055AA7B7

Memory Dump Source

Source File: 0000000C.00000002.3427607632.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_55a0000_SnqkwvE.jbxd

Similarity

API ID: DuplicateHandle
String ID: Ltv
API String ID: 3793708945-427712718
Opcode ID: 73f29cc7b0c1d41f4ff5586bd1643662839d3f6491466988e8d5900d63b117d4
Instruction ID: 7c7bd9df30f530b0ec88b6d9931ed8ff01633ac53dc26364edfd2a7940db37a5
Opcode Fuzzy Hash: 73f29cc7b0c1d41f4ff5586bd1643662839d3f6491466988e8d5900d63b117d4
Instruction Fuzzy Hash: A821B5B59002499FDB10CF9AD984ADEBFF4FF48320F14841AE914A7350D778A954CF65

Function 055AA798 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055AA81F

Strings

Ltv, xrefs: 055AA7B7

Memory Dump Source

Source File: 0000000C.00000002.3427607632.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_55a0000_SnqkwvE.jbxd

Similarity

API ID: DuplicateHandle
String ID: Ltv
API String ID: 3793708945-427712718
Opcode ID: 919e799b03957d9a5c1b4fb74e179932734eb9be415ced31d0805f01a1b94cf6
Instruction ID: bf46d027849acbe3eb0c53edcefdf5f0a6ecb3f4fcc493b18fdb7f61f3948aeb
Opcode Fuzzy Hash: 919e799b03957d9a5c1b4fb74e179932734eb9be415ced31d0805f01a1b94cf6
Instruction Fuzzy Hash: ED21B3B59002499FDB10CF9AD984ADEBBF4FB48320F14841AE918A3250D374A954CFA5

Function 0131AD3D Relevance: 1.8, Strings: 1, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0131B065

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5d6693d0eeb1d87f6bf8021332dfb11c189507c8c9b0f70f0d4011e13d05de24
Instruction ID: d6dcc7501b583f16a8251c0352e70866623a067b2a927b6f1d5bc0d8c36aa89b
Opcode Fuzzy Hash: 5d6693d0eeb1d87f6bf8021332dfb11c189507c8c9b0f70f0d4011e13d05de24
Instruction Fuzzy Hash: 3481B4307002059FDF2AAF78D45827EBAA2EFC9374F148229E9269B3D8CB358C01C751

Function 030E10BC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 030E11FE

Memory Dump Source

Source File: 0000000C.00000002.3424666482.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_30e0000_SnqkwvE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75e70bca732d1bd3e5f57b94279b19e3b238309457aed02f4795feb311b800ee
Instruction ID: a9e1183b3490e343dac921dc46f2588a05a4a824ffc4800d4fca1e9d3d4d8920
Opcode Fuzzy Hash: 75e70bca732d1bd3e5f57b94279b19e3b238309457aed02f4795feb311b800ee
Instruction Fuzzy Hash: F2114F78F021199FDB08DBA8D884BADB7F5FB88315F1482A5E804A7355D771DC42CB54

Function 0131B500 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0b854635ced72cb2ca506466eb8906461eb1404a0bc0058ecfa28807fdc181
Instruction ID: c6145c37c0c51b53830b7a6dd7664da995e0b8820d138430d9490bf31deea57e
Opcode Fuzzy Hash: ba0b854635ced72cb2ca506466eb8906461eb1404a0bc0058ecfa28807fdc181
Instruction Fuzzy Hash: 89D1D471B002048FDB19DB6CC490AAEBBB6FFC9324F144569D506EB3A9DA71DC42CB91

Function 01310B20 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e38437c8f940aff83259db54758d568f42f6bd109a16843784e467d319dbd7a
Instruction ID: 459c1a9b44cc17c5e0ec8030d863388e67531466bebde3ccd5796eddbe1810f5
Opcode Fuzzy Hash: 9e38437c8f940aff83259db54758d568f42f6bd109a16843784e467d319dbd7a
Instruction Fuzzy Hash: 10A13B74A0024ACFCB48DFA9EA8499DBFB1FF88304B104269D515BB369DB746D85CF81

Function 0131BF6F Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74c616de54b95955a8174c19053c7cbddc3350ec013acad8ae021478e75d2b9
Instruction ID: dd8bbbefb3f6fa2f192269690ca3d00547ab66fd3042fa6068e801e7ce314863
Opcode Fuzzy Hash: e74c616de54b95955a8174c19053c7cbddc3350ec013acad8ae021478e75d2b9
Instruction Fuzzy Hash: 0A510472A443059FC728CBADD840A6BBBF9FBCA328F14853EE519D7754D631E8018790

Function 01310B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcde6419ad5dd9aa88982efc6583ca47374f233278c564670b89af3391782f2
Instruction ID: 0e608a21d5d992a155f372af38abd2e8d8d40940b8747676cde4212acc88b317
Opcode Fuzzy Hash: 9bcde6419ad5dd9aa88982efc6583ca47374f233278c564670b89af3391782f2
Instruction Fuzzy Hash: 30A11C74A1020ACFDF48DFA9EA8499DBBB2FB88304F105129D515BB368DB746D85CF80

Function 01313F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ff261d721aa8568ab25be3edfadefa0d75358c5f52f4b4921eee86970b4ba2
Instruction ID: 8219b4380bca5ef6195423b1f586d2b3adcd3a91aee255baef551fd42945e3d8
Opcode Fuzzy Hash: 48ff261d721aa8568ab25be3edfadefa0d75358c5f52f4b4921eee86970b4ba2
Instruction Fuzzy Hash: 8A51CF74E00208CFDB48DFAAD584A9DFBF2BF89314F108429E815AB368DB749945CF50

Function 0131BC98 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd9a219abeea76772c6041c518cce7d1587a66f6c1b57e112e4106ca0e033af
Instruction ID: e29091afd5dd2cedc5e607d78c1692dccafcee8636eaa93b51ca0757fe1fc552
Opcode Fuzzy Hash: 1fd9a219abeea76772c6041c518cce7d1587a66f6c1b57e112e4106ca0e033af
Instruction Fuzzy Hash: 06318E31A002099FDB48EFB8D854ABE7BF6EFC9214F10847AE509DB259DE308902CB50

Function 01313168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016132ef1bfd581736697ef49c6ae9817a7c4d45fcc61923b0a8567dbcf38bc9
Instruction ID: c09cf062c8b9c1d2b5a3a6a0072038b01e568f2e50c936fdd034d6e2a9bdd0c0
Opcode Fuzzy Hash: 016132ef1bfd581736697ef49c6ae9817a7c4d45fcc61923b0a8567dbcf38bc9
Instruction Fuzzy Hash: B041A274E01208DFCB08DFAAD98499DBBB2FF89310F249569E805B7368DB359841CF14

Function 01319249 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56dfb42b11dd988f33154743dcb1284faa55f779af15e23f0c359657c6d01e5a
Instruction ID: 131b224e601ace54a18216de3a473731ffead0c07b967649fd918ba3254c8ab3
Opcode Fuzzy Hash: 56dfb42b11dd988f33154743dcb1284faa55f779af15e23f0c359657c6d01e5a
Instruction Fuzzy Hash: 0031CB710A634ACFD2603B61A5EC17ABBA0FB4F337F09ED15E02A825599B3051848F90

Function 0131B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c7aad10f5c3496273af7a5572e5d740f9a709c1816a3a525d7f41e82a643eb
Instruction ID: 6d5c21d1c5604cf053c05017d6fd3d6a4aaf4fc9562f65dab26b69aab52d97ef
Opcode Fuzzy Hash: a9c7aad10f5c3496273af7a5572e5d740f9a709c1816a3a525d7f41e82a643eb
Instruction Fuzzy Hash: B0310835B001098FDB49DBA8C480E9DBBB6FF88324F555554E501EB369DA71EC46CB90

Function 0131B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09081870bece27ea6af398e8e21e3e2487d7313a39c9d5437aa5d6f79623c260
Instruction ID: eb7da3383320f50800996168a03b512aa94d64c162d6ddcb661a894d28884223
Opcode Fuzzy Hash: 09081870bece27ea6af398e8e21e3e2487d7313a39c9d5437aa5d6f79623c260
Instruction Fuzzy Hash: 0D311935B001098FDB49DBA8C480E9DBBB2FF88324F555554E501EF369DA71EC46CB90

Function 0131BDD9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583156dda6e2da11530e939b13b13b1e15b42e5c6f92e57b7800483c4ceca565
Instruction ID: 71defe6d08a5a8a2d92851c98329598a853f73c5a10d928549824da1441e75fb
Opcode Fuzzy Hash: 583156dda6e2da11530e939b13b13b1e15b42e5c6f92e57b7800483c4ceca565
Instruction Fuzzy Hash: 0521D130B042099FDB19EF68D960A6EBFB6FFD5314F24806AD5099B259CE318D05CB91

Function 01310E98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f36b1dc4b7d1ebbf16be96a5d7b379c6263a3b7f576906b63380427a322fc4
Instruction ID: fa8ef97f874b17d98b5ec040f1303b58a555b3ccd86137d5eccd7516e0fc8c89
Opcode Fuzzy Hash: d8f36b1dc4b7d1ebbf16be96a5d7b379c6263a3b7f576906b63380427a322fc4
Instruction Fuzzy Hash: 01318B30A04249CFDB0DEBB9D4402AEBBB2FB85308F0085AAD455AB298DB744989CF51

Function 013118C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e60004bd6b238379b6632e69c5f8b6f8714444be08222366ec495569bd1ed9
Instruction ID: 420cd99256d03fe635690aadcb952b24365aec14c3977a7feb3eec1eec663d51
Opcode Fuzzy Hash: c4e60004bd6b238379b6632e69c5f8b6f8714444be08222366ec495569bd1ed9
Instruction Fuzzy Hash: 7A21C131A0014A9FCF18DF38D4409EE77A5EBC9364B50C059E919AB344EB35EE46CBD1

Function 01310EC8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48989cecf2668cd38c79d3eef0ad665a94b85e454beb59a23ef971c6c8a1f7c5
Instruction ID: c3866358aa875b332462804e0b988ea796fcd0b678e987b916f83d1672b7c2f0
Opcode Fuzzy Hash: 48989cecf2668cd38c79d3eef0ad665a94b85e454beb59a23ef971c6c8a1f7c5
Instruction Fuzzy Hash: 75219F70E04249DFDB0CEFB9C4406AEBBB2FF84308F0084A99415AB298DB749944CF51

Function 012BD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421239958.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_12bd000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd21f9caac712c5bb9e0146c1b93c9be92c5fde36f9594f0b305afab48b9a88
Instruction ID: 8fe97d240cdae8ba14cf727f695cc8675e1cf8281ead1644784176a114fef825
Opcode Fuzzy Hash: 4fd21f9caac712c5bb9e0146c1b93c9be92c5fde36f9594f0b305afab48b9a88
Instruction Fuzzy Hash: 02216471524208EFCB14DF54D9C0BA6BBA1FB84398F20C96DDA0A0B252C37BD407CB62

Function 0131BB37 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fb370550580a5cf7cb6c3305b8773c2e1c1dd6030663b48217e26740ea5b56
Instruction ID: 5ef5687f2eb7aa3860016de0eb76477d232c1dfa97adee9b5262bd7bcb9e3d62
Opcode Fuzzy Hash: 38fb370550580a5cf7cb6c3305b8773c2e1c1dd6030663b48217e26740ea5b56
Instruction Fuzzy Hash: A0113A72740204CFD728DB69D994A66BBF5FF98725F20806AE1498B769CA71D805CB10

Function 013117B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036a0b1f3c54cfd3bfc9d267846ed04048aa3ff2f298ca2835505056eac77b84
Instruction ID: 2bd885ad0c8ec9d41a1308c5ec398664e78f99489339d816fa4036495df59352
Opcode Fuzzy Hash: 036a0b1f3c54cfd3bfc9d267846ed04048aa3ff2f298ca2835505056eac77b84
Instruction Fuzzy Hash: 9021E370C1524A8FCB15DFB8D9845EEBFB4AF0A314F0442AAD405B7225EB345A85CBA5

Function 01314850 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bff90809bd8ee3c337a55c292fa70393fb3c591c5d66d1c6bef802c95d31794
Instruction ID: c2cdd82375da2c4eae0f1c6ab347f5506dfee0bf1a1f6d193d276566aa84fad3
Opcode Fuzzy Hash: 0bff90809bd8ee3c337a55c292fa70393fb3c591c5d66d1c6bef802c95d31794
Instruction Fuzzy Hash: 3701D232B012414FD7289AB98C4456A7BEBAFC5368B14453ADE05CB359FE71C8018795

Function 0131C108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830cba31e5d394c1f377fdbfe29818f07dc94bebde9e20bddcf48f74cd72655f
Instruction ID: 41bb5e078edbdf5cf88b67912dd2d0753ec27b6368a6043ad29aa1580407591d
Opcode Fuzzy Hash: 830cba31e5d394c1f377fdbfe29818f07dc94bebde9e20bddcf48f74cd72655f
Instruction Fuzzy Hash: 07117335E8021A8BCB68EFBC984469EBBF5AF88154B045535C509E3308DB319C4287E1

Function 012BD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421239958.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_12bd000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 12df960b328f2e856cc4becd7d686a64b7e5dc4e3eedddd4887cb15a7d114021
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5E11BB75504288CFCB12CF54D5C0B95BBA1FB84318F28CAAAD9494B666C33AD44ACB62

Function 01310FB8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2f086936694b7d5933529f9eb1cc275cbbb9ae009a499f11d83499215ab76c
Instruction ID: b5144ffbeeef3f6013cfe7843175e9da0bdc3d30811ecc2f19341fd653d29f9e
Opcode Fuzzy Hash: 0a2f086936694b7d5933529f9eb1cc275cbbb9ae009a499f11d83499215ab76c
Instruction Fuzzy Hash: 9E014C32A083499FCF2D96A884015F87B79AF9329C74445AFF581D750ADA718C8DCB11

Function 01314860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58444700e0cfd792748cba8d3848a2f9f2aab93083e6b1ae4cb58161ce849f1c
Instruction ID: 18d9e330d7d0d9b7eb4598bd1cb3b5699e818752a31c06c544971aa2b4ee0ff3
Opcode Fuzzy Hash: 58444700e0cfd792748cba8d3848a2f9f2aab93083e6b1ae4cb58161ce849f1c
Instruction Fuzzy Hash: BF016D32B012554FD728ABBA884852EBAEBAFC46647104539DA05C7359FE71C8018B95

Function 0131A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305139e30d9e83e032c48789330ff0d87db4f97da35b6bcbf04980b853adeb31
Instruction ID: d769a6fc5854d34b525db742848a86a0f83577edfd0f480daae40b04eb23bb48
Opcode Fuzzy Hash: 305139e30d9e83e032c48789330ff0d87db4f97da35b6bcbf04980b853adeb31
Instruction Fuzzy Hash: 9D015E75E0020A9FCF65DFA9D8485AE7BB5FB88261F408439E95A93344DB709D10CBA1

Function 0131BB48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963f7ab58735aaa105cbf5d4f88e99102b86e78bc9a44a9dbbb2ae72b2905f9b
Instruction ID: d28664dd371f8bf015e6a982d6fa191121a9e6799ffff47a1f6e6f9035531c29
Opcode Fuzzy Hash: 963f7ab58735aaa105cbf5d4f88e99102b86e78bc9a44a9dbbb2ae72b2905f9b
Instruction Fuzzy Hash: 29015A71300204CFE728DB6AD984B26BBF9FF88725F118069E1498B769CA70EC04CB50

Function 0131BEE9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e2a5b532414f13e56ca38bfe88f3c33798efa3f38d99e836e959e2432e83e4
Instruction ID: f509adce815bd98d28fa3a817fade32a8f70488f858f20f0f33602fe94052a1c
Opcode Fuzzy Hash: a1e2a5b532414f13e56ca38bfe88f3c33798efa3f38d99e836e959e2432e83e4
Instruction Fuzzy Hash: B901A2317042049BCB2A6B78A81866D7FA6EFD5224F15412FE506C7259DA258802CB44

Function 0131A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb720c6707022dbd1c6f8b7725c3197890841c4963d946177546127670585574
Instruction ID: 37310f3afca7a910418142664973edba6c4fc78e973b0293057d112a3486c841
Opcode Fuzzy Hash: fb720c6707022dbd1c6f8b7725c3197890841c4963d946177546127670585574
Instruction Fuzzy Hash: 0E018475D00119DFCF65DF68D8449AE7BB5FB8C321F108426E959D3344D7708910CB91

Function 0131C1A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7190491e04b668cdafaa4c7a1b8f565964aa7b141328bbf8ee047a08a123369d
Instruction ID: a9f8838b8bf8990948360f01aa0fcfeaab2eebb4ff49512a28ccfde3e44fbcc8
Opcode Fuzzy Hash: 7190491e04b668cdafaa4c7a1b8f565964aa7b141328bbf8ee047a08a123369d
Instruction Fuzzy Hash: FAF05932B801118FCB19566DE41465EBBE9DFC4635B14407AE409D7358CE31CC028790

Function 013146C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d729911aad611cd994d3c15fc3b3b5ae5e86455d57cede9225375ccb1c549fd8
Instruction ID: 570470d09bd7aac9e00bea5f7f1d823879735f7b81968f4f5bd4a3bc5ab841a9
Opcode Fuzzy Hash: d729911aad611cd994d3c15fc3b3b5ae5e86455d57cede9225375ccb1c549fd8
Instruction Fuzzy Hash: A5F058300293828FE7266F34B8EC67A7F74EF0B31BB042D85E44ADA05ACB715400CB24

Function 0131B9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a91c5ae52190ff70c106aa16c2d31e833dc5fb7908b09e25bdbaf9d29281a4
Instruction ID: f0ef8192a38c3b0a64d043bc9a7d9388042ccb53a51e4abb2ca92cd9f2a68cde
Opcode Fuzzy Hash: a5a91c5ae52190ff70c106aa16c2d31e833dc5fb7908b09e25bdbaf9d29281a4
Instruction Fuzzy Hash: 20F0F671D001099FCB24DF6DD84099FFBF6FF88350B00452AD505D3609D63099128BD5

Function 0131BE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcbc71375d70d7489cfb22c5b8bf5b0c40f02eb88598f0ac9c9f9c280c86185
Instruction ID: 713b814e57e32355f2d2632f2fcf07a367a0626017d4acd85e9e42757c9580bf
Opcode Fuzzy Hash: 6bcbc71375d70d7489cfb22c5b8bf5b0c40f02eb88598f0ac9c9f9c280c86185
Instruction Fuzzy Hash: 2FF05E35300105DFC714CF59D484D6AFBEAFF88724B508069EA0987335CB719C11CB90

Function 01311877 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea8684d2002b3c866b6c290e592696d293ace33199c2869739837e85281ddf5
Instruction ID: 10c9dab0b3d36d6feb371fd58bfa61870438214a6073f6efb4e0491bdcb9c160
Opcode Fuzzy Hash: bea8684d2002b3c866b6c290e592696d293ace33199c2869739837e85281ddf5
Instruction Fuzzy Hash: 34F02B36D153968EC71BABB4AC140DDBF39ADC325071A86A3EA20F7165E730094DCBB1

Function 013146D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64fec023bf79a63f3e738cc28dfaca636686059003780543d701e37689f7f2b
Instruction ID: 094559f8e0a202639d15eb4f47a7914d3b13c8782ed775267386c2b3e34a54ec
Opcode Fuzzy Hash: f64fec023bf79a63f3e738cc28dfaca636686059003780543d701e37689f7f2b
Instruction Fuzzy Hash: 97E099700217428FE3352F20B4EC23ABA69EB0B317B402D00E00EC80298F7044448B14

Function 01311888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480a83d27c04a6d69794c14ded38727b8e30596173355a789399ae9c6a517568
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 480a83d27c04a6d69794c14ded38727b8e30596173355a789399ae9c6a517568
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 0131BF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2d359edaa670d181a0d167ab0b4b68404c67f24d987a3775b00865fd9bfe5c
Instruction ID: bd48ed7f078548feb259e7cc68d62b86927eeb9472d5c548dcc36ea9a711a020
Opcode Fuzzy Hash: 9b2d359edaa670d181a0d167ab0b4b68404c67f24d987a3775b00865fd9bfe5c
Instruction Fuzzy Hash: 43D0C736300114A74B251A89F8088AE7B5EEBCD771705C026F91583344CE714D1197D5

Function 01314831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3421959216.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_SnqkwvE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88dd3a82c3eedc72f766232ef0dc1cd27096a67b8fef27ae126b494374c1d0f
Instruction ID: 650bf309457da7353abb65611858e3799bd1aef6a6b93d09ba0bc9f8d7c45180
Opcode Fuzzy Hash: e88dd3a82c3eedc72f766232ef0dc1cd27096a67b8fef27ae126b494374c1d0f
Instruction Fuzzy Hash: CCC04C7144D3C05FDB2B9B708425156BBB0AB07310B2648DFC041C609AD5699405C715

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MB263350411AE.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MB263350411AE.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SnqkwvE.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjugmxdl.dij.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0tmo3zy.r2e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_larp3awu.sgs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nft2wobb.5aw.ps1

C:\Users\user\AppData\Local\Temp\tmp21E6.tmp

C:\Users\user\AppData\Local\Temp\tmp34E1.tmp

C:\Users\user\AppData\Roaming\SnqkwvE.exe

C:\Users\user\AppData\Roaming\SnqkwvE.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
MB263350411AE.scr.exe

Function 008679D9 Relevance: 2.7, Strings: 2, Instructions: 244
COMMON

Function 00864204 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre