Windows Analysis Report
snake.exe

Overview

General Information

Sample name: snake.exe
Analysis ID: 1502486
MD5: 9500a552ea042907f1e6a7de0eb92c44
SHA1: b887f6b27f65eafc08e5f54be9617f3c993b74ac
SHA256: 0fe5f5ed0d1c012f3280e368b4a5330e6ed13b3b125e5a9a3436fcb0552898dc

Detection

Snake Keylogger
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • snake.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\snake.exe" MD5: 9500A552EA042907F1E6A7DE0EB92C44)
    • cmd.exe (PID: 1420 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 3492 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source: snake.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: snake.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: snake.exe | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: snake.exe | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
Strings:
  • 0x14a94:$a1: get_encryptedPassword
  • 0x14d80:$a2: get_encryptedUsername
  • 0x148a0:$a3: get_timePasswordChanged
  • 0x1499b:$a4: get_passwordField
  • 0x14aaa:$a5: set_encryptedPassword
  • 0x16106:$a7: get_logins
  • 0x16069:$a10: KeyLoggerEventArgs
  • 0x15cd4:$a11: KeyLoggerEventArgsEventHandler
Source: snake.exe | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
Strings:
  • 0x1c45a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b68c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1babf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cafe:$a5: \Kometa\User Data\Default\Login Data
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
Strings:
  • 0x14894:$a1: get_encryptedPassword
  • 0x14b80:$a2: get_encryptedUsername
  • 0x146a0:$a3: get_timePasswordChanged
  • 0x1479b:$a4: get_passwordField
  • 0x148aa:$a5: set_encryptedPassword
  • 0x15f06:$a7: get_logins
  • 0x15e69:$a10: KeyLoggerEventArgs
  • 0x15ad4:$a11: KeyLoggerEventArgsEventHandler
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
Strings:
  • 0x198a4:$x1: $%SMTPDV$
  • 0x18288:$x2: $#TheHashHere%&
  • 0x1984c:$x3: %FTPDV$
  • 0x18228:$x4: $%TelegramDv$
  • 0x15ad4:$x5: KeyLoggerEventArgs
  • 0x15e69:$x5: KeyLoggerEventArgs
  • 0x19870:$m2: Clipboard Logs ID
  • 0x19aae:$m2: Screenshot Logs ID
  • 0x19bbe:$m2: keystroke Logs ID
  • 0x19e98:$m3: SnakePW
  • 0x19a86:$m4: \SnakeKeylogger\
Source: 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.0.snake.exe.fd0000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.snake.exe.fd0000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.snake.exe.fd0000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.0.snake.exe.fd0000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
Strings:
  • 0x14a94:$a1: get_encryptedPassword
  • 0x14d80:$a2: get_encryptedUsername
  • 0x148a0:$a3: get_timePasswordChanged
  • 0x1499b:$a4: get_passwordField
  • 0x14aaa:$a5: set_encryptedPassword
  • 0x16106:$a7: get_logins
  • 0x16069:$a10: KeyLoggerEventArgs
  • 0x15cd4:$a11: KeyLoggerEventArgsEventHandler
Source: 0.0.snake.exe.fd0000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
Strings:
  • 0x1c45a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b68c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1babf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cafe:$a5: \Kometa\User Data\Default\Login Data
                    No Sigma rule has matched
Timestamp: 2024-09-01T22:01:55.825608+0200
SID: 2803305
Severity: 3
Source Port: 49736
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-09-01T22:01:58.825101+0200
SID: 2803305
Severity: 3
Source Port: 49740
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-09-01T22:01:50.868699+0200
SID: 2803305
Severity: 3
Source Port: 49732
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-09-01T22:01:53.261099+0200
SID: 2803305
Severity: 3
Source Port: 49734
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-09-01T22:01:49.091328+0200
SID: 2803274
Severity: 2
Source Port: 49730
Destination Port: 80
Protocol: TCP
Classtype: Potentially Bad Traffic

Timestamp: 2024-09-01T22:01:52.606954+0200
SID: 2803274
Severity: 2
Source Port: 49733
Destination Port: 80
Protocol: TCP
Classtype: Potentially Bad Traffic

Timestamp: 2024-09-01T22:01:50.341307+0200
SID: 2803274
Severity: 2
Source Port: 49730
Destination Port: 80
Protocol: TCP
Classtype: Potentially Bad Traffic


                    AV Detection

Source: snake.exe | Avira: detected
Source: snake.exe | ReversingLabs: Detection: 91%
Source: snake.exe | Virustotal: Detection: 82%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: snake.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: snake.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: snake.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Yara match | File source: snake.exe, type: SAMPLE
Source: Yara match | File source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003461000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000338C000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: snake.exe, 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003461000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: snake.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: snake.exe, 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: snake.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2

                    System Summary

Source: snake.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: snake.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: snake.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: snake.exe, type: SAMPLE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: snake.exe, 00000000.00000002.1784378806.0000000006AD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs snake.exe
Source: snake.exe, 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs snake.exe
Source: snake.exe, 00000000.00000002.1782887346.000000000160E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs snake.exe
Source: snake.exe | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs snake.exe
Source: snake.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: snake.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: snake.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: snake.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: snake.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: snake.exe, --J-.csCryptographic APIs: 'TransformFinalBlock'
                    Source: snake.exe, --J-.csCryptographic APIs: 'TransformFinalBlock'
                    Source: snake.exe, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: snake.exe, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal92.troj.winEXE@6/1@2/2
                    Source: C:\Users\user\Desktop\snake.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\snake.exe.logJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
                    Source: C:\Users\user\Desktop\snake.exeMutant created: NULL
                    Source: snake.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: snake.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\snake.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: snake.exeReversingLabs: Detection: 91%
                    Source: snake.exeVirustotal: Detection: 82%
                    Source: snake.exeString found in binary or memory: F-Stopw
                    Source: unknownProcess created: C:\Users\user\Desktop\snake.exe "C:\Users\user\Desktop\snake.exe"
                    Source: C:\Users\user\Desktop\snake.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                    Source: C:\Users\user\Desktop\snake.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                    Source: snake.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: snake.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\snake.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe"
                    Source: C:\Users\user\Desktop\snake.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\snake.exe | Memory allocated: 1820000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\snake.exe | Memory allocated: 32D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\snake.exe | Memory allocated: 52D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599655
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599547
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598781
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598672
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598453
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598125
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598015
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597891
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597765
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597656
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597543
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597437
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597328
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597218
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597109
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596890
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596781
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596672
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596562
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596453
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596343
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596234
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596125
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596015
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595906
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595797
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595687
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595578
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595465
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595358
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595244
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595130
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 595014
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 594902
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 594797
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 594687
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 594578
                    Source: C:\Users\user\Desktop\snake.exe | Window / User API: threadDelayed 8067
                    Source: C:\Users\user\Desktop\snake.exe | Window / User API: threadDelayed 1792
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7052 | Thread sleep count: 8067 > 30
                    Source: C:\Users\user\Desktop\snake.exe TID: 7052 | Thread sleep count: 1792 > 30
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599655s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599547s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599437s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599109s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -599000s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598890s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598781s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598672s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598562s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598453s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598343s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598234s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598125s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -598015s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597891s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597765s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597656s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597543s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597437s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597328s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597218s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597109s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -597000s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596890s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596781s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596672s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596562s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596453s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596343s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596234s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596125s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -596015s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595906s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595797s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595687s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595578s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595465s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595358s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595244s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595130s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -595014s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -594902s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -594797s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -594687s >= -30000s
                    Source: C:\Users\user\Desktop\snake.exe TID: 7056 | Thread sleep time: -594578s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599655
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599547
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598781
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598672
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598453
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598125
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 598015
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597891
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597765
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597656
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597543
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597437
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597328
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597218
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597109
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 597000
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596890
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596781
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596672
                    Source: C:\Users\user\Desktop\snake.exe | Thread delayed: delay time: 596562
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 596453Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 596343Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 596234Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 596125Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 596015Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595906Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595797Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595687Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595578Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595465Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595358Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595244Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595130Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 595014Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 594902Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 594797Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 594687Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeThread delayed: delay time: 594578Jump to behavior
                    Source: snake.exe, 00000000.00000002.1782919660.0000000001679000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\snake.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                    Source: C:\Users\user\Desktop\snake.exeQueries volume information: C:\Users\user\Desktop\snake.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\snake.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: snake.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTR
                    Source: Yara match | File source: snake.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: snake.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.snake.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: snake.exe PID: 6788, type: MEMORYSTR
                    ATT&CK matrix, listed by tactic (matched techniques carry their event count in parentheses; unmarked entries are matrix placeholders):

                    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
                    Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
                    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
                    Execution: Command and Scripting Interpreter (2) | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers
                    Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
                    Privilege Escalation: Process Injection (11) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
                    Defense Evasion: Masquerading (1) | Disable or Modify Tools (1) | Virtualization/Sandbox Evasion (31) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | DLL Side-Loading (1) | File Deletion (1)
                    Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
                    Discovery: Security Software Discovery (1) | Process Discovery (1) | Virtualization/Sandbox Evasion (31) | Application Window Discovery (1) | System Network Configuration Discovery (1) | File and Directory Discovery (1) | System Information Discovery (12)
                    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
                    Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
                    Command and Control: Encrypted Channel (1) | Ingress Tool Transfer (1) | Non-Application Layer Protocol (2) | Application Layer Protocol (13) | Fallback Channels | Multiband Communication | Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    Source | Detection | Scanner | Label
                    snake.exe | 92% | ReversingLabs | ByteCode-MSIL.Keylogger.NotFound
                    snake.exe | 82% | Virustotal |
                    snake.exe | 100% | Avira | TR/ATRAPS.Gen
                    snake.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    reallyfreegeoip.org | 0% | Virustotal |
                    checkip.dyndns.com | 0% | Virustotal |
                    checkip.dyndns.org | 0% | Virustotal |
                    Source | Detection | Scanner | Label
                    http://checkip.dyndns.org/ | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
                    http://checkip.dyndns.org/q | 0% | URL Reputation | safe
                    http://reallyfreegeoip.org | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org | 0% | URL Reputation | safe
                    http://checkip.dyndns.org | 0% | URL Reputation | safe
                    http://checkip.dyndns.com | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
                    http://checkip.dyndns.comd | 0% | Avira URL Cloud | safe
                    http://checkip.dyndns.orgd | 0% | Avira URL Cloud | safe
                    http://reallyfreegeoip.orgd | 0% | Avira URL Cloud | safe
                    http://checkip.dyndns.org/d | 0% | Avira URL Cloud | safe
                    http://checkip.dyndns.org/d | 0% | Virustotal |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
                    checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
                    checkip.dyndns.org | unknown | unknown | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://checkip.dyndns.comd | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33$ | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.org/q | snake.exe | false | URL Reputation: safe | unknown
                    http://reallyfreegeoip.orgd | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://reallyfreegeoip.org | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.orgd | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://reallyfreegeoip.org | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.org | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003461000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000338C000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.com | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003481000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.org/d | snake.exe, 00000000.00000002.1783268416.0000000003454000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003461000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003398000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003446000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.000000000342B000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003490000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.0000000003438000.00000004.00000800.00020000.00000000.sdmp, snake.exe, 00000000.00000002.1783268416.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | snake.exe, 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://reallyfreegeoip.org/xml/ | snake.exe | false | URL Reputation: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
                    193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1502486
                    Start date and time:2024-09-01 22:00:59 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 21s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:9
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:snake.exe
                    Detection:MAL
                    Classification:mal92.troj.winEXE@6/1@2/2
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 2
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target snake.exe, PID 6788 because it is empty
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    Time | Type | Description
                    16:01:49 | API Interceptor | 104x Sleep call for process: snake.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    188.114.97.3 | firmware.armv5l.elf | malicious | Unknown | 188.114.97.3/
                    188.114.97.3 | firmware.i586.elf | malicious | Unknown | 188.114.97.3/
                    188.114.97.3 | play.exe | malicious | FormBook | www.playdoge.buzz/dkjp/
                    188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.19820.5694.3811.exe | malicious | Unknown | rustmacro.ru/autoupdate.exe
                    188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/DGApDW0P/download
                    188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/DGApDW0P/download
                    188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/8hthkO24/download
                    188.114.97.3 | gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | joxi.net/4Ak49WQH0GE3Nr.mp3
                    188.114.97.3 | Izvod racuna u prilogu.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/
                    188.114.97.3 | file.exe | malicious | LummaC | joxi.net/4Ak49WQH0GE3Nr.mp3
                    193.122.6.168 | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | checkip.dyndns.org/
                    193.122.6.168 | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                    193.122.6.168 | Nettably.exe | malicious | Snake Keylogger | checkip.dyndns.org/
                    193.122.6.168 | Autofill Manufacturing Sdn Bhd 28-08-2024.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                    193.122.6.168 | Offer 2024-30496.exe | malicious | Snake Keylogger | checkip.dyndns.org/
                    193.122.6.168 | pagamento.exe | malicious | Snake Keylogger | checkip.dyndns.org/
                    193.122.6.168 | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                    193.122.6.168 | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                    193.122.6.168 | Bukti-Transfer.vbs | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    reallyfreegeoip.org | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 188.114.96.3
                    reallyfreegeoip.org | Invoice-2238562.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                    reallyfreegeoip.org | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                    reallyfreegeoip.org | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                    reallyfreegeoip.org | SWIFT COPIES.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
                    reallyfreegeoip.org | Nettably.exe | malicious | Snake Keylogger | 188.114.97.3
                    reallyfreegeoip.org | Autofill Manufacturing Sdn Bhd 28-08-2024.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                    reallyfreegeoip.org | Offer 2024-30496.exe | malicious | Snake Keylogger | 188.114.97.3
                    checkip.dyndns.com | NordVPNInstaller.exe | malicious | Agent Tesla, AgentTesla | 132.226.247.73
                    checkip.dyndns.com | librewolf-124.0.2-1-windows-x86_64-setup.exe | malicious | Agent Tesla, AgentTesla, HTMLPhisher | 158.101.44.242
                    checkip.dyndns.com | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 193.122.6.168
                    checkip.dyndns.com | Invoice-2238562.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                    checkip.dyndns.com | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
                    checkip.dyndns.com | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                    checkip.dyndns.com | SWIFT COPIES.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
                    checkip.dyndns.com | Nettably.exe | malicious | Snake Keylogger | 193.122.6.168
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ORACLE-BMC-31898US | librewolf-124.0.2-1-windows-x86_64-setup.exe | malicious | Agent Tesla, AgentTesla, HTMLPhisher | 158.101.44.242
                    ORACLE-BMC-31898US | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 193.122.6.168
                    ORACLE-BMC-31898US | https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1 | malicious | HTMLPhisher | 147.154.52.189
                    ORACLE-BMC-31898US | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
                    ORACLE-BMC-31898US | SWIFT COPIES.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
                    ORACLE-BMC-31898US | Nettably.exe | malicious | Snake Keylogger | 193.122.6.168
                    ORACLE-BMC-31898US | Autofill Manufacturing Sdn Bhd 28-08-2024.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
                    ORACLE-BMC-31898US | Offer 2024-30496.exe | malicious | Snake Keylogger | 193.122.6.168
                    CLOUDFLARENETUS | librewolf-124.0.2-1-windows-x86_64-setup.exe | malicious | Agent Tesla, AgentTesla, HTMLPhisher | 172.67.157.127
                    CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
                    CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
                    CLOUDFLARENETUS | 4.7.exe | malicious | Unknown | 162.159.128.233
                    CLOUDFLARENETUS | file.exe | malicious | Amadey, Stealc | 172.64.41.3
                    CLOUDFLARENETUS | stub.exe | malicious | Stealerium | 162.159.136.232
                    CLOUDFLARENETUS | firmware.mipsel.elf | malicious | Unknown | 104.30.194.47
                    CLOUDFLARENETUS | file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
                    CLOUDFLARENETUS | file.exe | malicious | Amadey, Stealc | 172.64.41.3
                    CLOUDFLARENETUS | ^=L@test_PC_FilE_2024_as_P@ssKey=^.zip | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    3b5074b1b5d032e5620f69f9f700ff0e | PDF.exe | malicious | XWorm | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | stub.exe | malicious | Stealerium | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | jFzg3KFP48.exe | malicious | Unknown | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | BsMXrWBfhT.exe | malicious | Unknown | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | BsMXrWBfhT.exe | malicious | Unknown | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | n0PDCyrFnf.exe | malicious | PureLog Stealer | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | n0PDCyrFnf.exe | malicious | PureLog Stealer | 188.114.97.3
                    3b5074b1b5d032e5620f69f9f700ff0e | https://uppholldlgins.mystrikingly.com/ | malicious | Unknown | 188.114.97.3
                    No context
                    Process:C:\Users\user\Desktop\snake.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1039
                    Entropy (8bit):5.353332853270839
                    Encrypted:false
                    SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                    MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                    SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                    SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                    SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.843837591065918
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                    File name:snake.exe
                    File size:133'632 bytes
                    MD5:9500a552ea042907f1e6a7de0eb92c44
                    SHA1:b887f6b27f65eafc08e5f54be9617f3c993b74ac
                    SHA256:0fe5f5ed0d1c012f3280e368b4a5330e6ed13b3b125e5a9a3436fcb0552898dc
                    SHA512:36ad9fbd6280ef3bf959c254b35eb8f43ca6db1855f2cefeceb25df47d389b28f6a294888000d09175971cf0851d5f16e161c2e3f94c19c974d8a6de8f0949f4
                    SSDEEP:3072:w99yINAgKjV545jbvk5Hbe7fMuJN07Tw7Omt1+dAMFZMb54FDmJmWLwvcXmVgbY:jINAgKjV5Cjbvk5Hbe7fMuJN07TOZHbF
                    TLSH:57D3084927F49400E5FFAA7316716111C776B8020A27DE1D1BC2F86A2F7D6E28E16F93
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..f..............P.............n.... ... ....@.. .......................`............`................................
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x42136e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66908250 [Fri Jul 12 01:09:36 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21318 | 0x53 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x1f374 | 0x1f400 | e3b1ab15402c04e48db6d30f45958ca2 | False | 0.356875 | data | 5.857835218619842 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x22000 | 0x108f | 0x1200 | f59392b7fa5e8b22ad0c6b19a0b07c20 | False | 0.3663194444444444 | data | 4.868462934974607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x24000 | 0xc | 0x200 | a59fdbc52abfbd2b3e53111a829137b3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key |  |  | 0.42358078602620086
                    RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.3926651912741069
                    DLL | Import
                    mscoree.dll | _CorExeMain
                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                    2024-09-01T22:01:55.825608+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    2024-09-01T22:01:58.825101+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    2024-09-01T22:01:50.868699+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    2024-09-01T22:01:53.261099+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    2024-09-01T22:01:49.091328+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    2024-09-01T22:01:52.606954+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    2024-09-01T22:01:50.341307+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 1, 2024 22:01:47.780867100 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:47.785700083 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:47.785788059 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:47.785986900 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:47.790786982 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:48.494028091 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:48.499177933 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:48.504087925 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:49.046381950 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:49.091327906 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:49.092734098 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.092776060 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:49.092854977 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.104063034 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.104079962 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:49.562791109 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:49.562933922 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.586853027 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.586886883 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:49.587112904 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:49.638180017 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:49.989175081 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.036500931 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.094858885 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.095208883 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.095258951 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.111422062 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.114984989 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.119888067 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:50.291588068 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:50.294771910 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.294805050 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.294888973 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.295169115 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.295181990 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.341306925 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.749418020 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.751281023 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.751296997 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.868710041 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.868783951 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:50.869070053 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.869395971 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:50.872392893 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.873687983 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.877543926 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:50.877608061 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.879380941 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:50.879462957 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.879518032 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:50.885138035 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:52.564371109 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:52.572990894 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:52.573040009 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:52.573107958 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:52.576770067 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:52.576786041 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:52.606954098 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:53.101769924 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:53.103509903 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:53.103534937 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:53.261110067 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:53.261171103 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:53.261346102 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:53.261650085 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:53.266020060 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:53.272525072 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:53.272614002 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:53.272670984 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:53.278031111 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:55.232140064 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:55.239919901 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.239953041 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.240026951 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.240274906 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.240288019 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.278825998 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.690644979 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.692253113 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.692265987 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.825619936 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.825685024 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:55.825733900 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.826433897 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:55.830311060 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.831428051 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.835309982 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:55.835407972 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.836211920 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:55.836287022 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.836349964 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:55.841105938 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:56.710189104 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:56.711780071 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:56.711810112 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:56.711879969 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:56.712145090 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:56.712157011 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:56.763216972 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.155124903 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.156733990 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.156760931 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.286926031 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.286999941 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.287144899 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.287538052 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.290847063 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.291481018 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.295927048 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:57.295988083 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.296308994 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:57.296370983 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.296484947 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:57.301197052 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:57.887291908 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:57.894062996 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.894112110 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.894171000 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.894437075 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:57.894454002 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:57.935077906 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.372577906 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:58.374270916 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:58.374303102 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:58.825103045 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:58.825176001 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:58.825228930 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:58.825807095 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:58.829576969 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.830351114 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.834578991 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:58.834640026 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.835084915 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:58.835139990 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.835258007 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:58.840192080 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:59.507461071 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:01:59.508920908 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:59.508953094 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:59.509021997 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:59.509301901 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:59.509316921 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:59.560089111 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:01:59.966295004 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:01:59.967797995 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:01:59.967811108 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:00.119426012 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:00.119494915 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:00.119544029 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:00.119947910 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:00.123008966 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:00.123991966 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:00.128643036 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:02:00.128704071 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:00.128813982 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:02:00.128879070 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:00.128969908 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:00.133692980 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:02:01.010804892 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4
                    Sep 1, 2024 22:02:01.012041092 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.012085915 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.012155056 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.012411118 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.012423992 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.060262918 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:01.451745987 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.453485966 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.453511953 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.570193052 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.570269108 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4
                    Sep 1, 2024 22:02:01.570319891 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.570648909 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3
                    Sep 1, 2024 22:02:01.702879906 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168
                    Sep 1, 2024 22:02:01.702953100 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 1, 2024 22:01:47.768209934 CEST | 63294 | 53 | 192.168.2.4 | 1.1.1.1
                    Sep 1, 2024 22:01:47.774974108 CEST | 53 | 63294 | 1.1.1.1 | 192.168.2.4
                    Sep 1, 2024 22:01:49.084603071 CEST | 54718 | 53 | 192.168.2.4 | 1.1.1.1
                    Sep 1, 2024 22:01:49.092087984 CEST | 53 | 54718 | 1.1.1.1 | 192.168.2.4
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Sep 1, 2024 22:01:47.768209934 CEST | 192.168.2.4 | 1.1.1.1 | 0x3818 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:49.084603071 CEST | 192.168.2.4 | 1.1.1.1 | 0x2758 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:47.774974108 CEST | 1.1.1.1 | 192.168.2.4 | 0x3818 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:49.092087984 CEST | 1.1.1.1 | 192.168.2.4 | 0x2758 | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Sep 1, 2024 22:01:49.092087984 CEST | 1.1.1.1 | 192.168.2.4 | 0x2758 | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    • reallyfreegeoip.org
                    • checkip.dyndns.org
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 1, 2024 22:01:47.785986900 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 1, 2024 22:01:48.494028091 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:48 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 0dc66e3426e5997caa516a98b87ad71d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 1, 2024 22:01:48.499177933 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
Sep 1, 2024 22:01:49.046381950 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:48 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 4b5805962726768401ab3c5952473bbb
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 1, 2024 22:01:50.114984989 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
Sep 1, 2024 22:01:50.291588068 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:50 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 6717b3264d3b6e524cfaa335d9286508
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:01:50.879518032 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
Sep 1, 2024 22:01:52.564371109 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:52 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: a6db3eb4b7bbf509f044e7cf2720e313
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:01:53.272670984 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
Sep 1, 2024 22:01:55.232140064 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:55 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: fbb63230c6c999113e4d75413c3624ff
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49737 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:01:55.836349964 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
Sep 1, 2024 22:01:56.710189104 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:56 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: b503a8ef6c61267cb305edc3ba95457c
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:01:57.296484947 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
Sep 1, 2024 22:01:57.887291908 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:57 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 3e31e2a94618430512bd3de65f4e84ea
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:01:58.835258007 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
Sep 1, 2024 22:01:59.507461071 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:59 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 56b5c3d032718c0d0a31e772c88fe024
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 193.122.6.168 | 80 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
Sep 1, 2024 22:02:00.128969908 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
Sep 1, 2024 22:02:01.010804892 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:02:00 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 2c28c86d96c1519f0496a27942941f1e
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:49 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
2024-09-01 20:01:50 UTC | 714 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:50 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30410
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=giOvvp9aD%2FTwifFYpJphVJTZDM%2FzUwXdA6Od20UdxnqBVLOyRMYTDcLm5%2FnJMq3%2F5exN3sLiaWSlkqG2Y4B3dHQOctZA2TUklPV5wlahDVcJT9Z%2BS5K%2BWldnHt9Ezc7EenwJz%2Fio"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7dabfbfc719aa-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:50 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:50 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:50 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
2024-09-01 20:01:50 UTC | 708 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:50 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30410
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bqZfWIvv8J1zaa%2FPpdUZ5uurBlyexaTbvCyEWxzMS0RvuADGZlUfJvRNOmyAV%2Bm8GOEro1Zi0itaMu98ZzsBhdi2O3bUAq1%2Bzb%2BgoQj5Jt7gWIRkSPLZKYei1MyUmuLaNTKUB2i2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7dac49b6c7c84-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:50 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:50 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:53 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
2024-09-01 20:01:53 UTC | 702 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:53 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30413
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhJT3NhAgl8LP8vxX3LBMAoaXF1tA5xTs7CR6ujYRVgbwfZ072cjhjKXIEtR0qjRtr87utP6lF4nxUpZQ6t7YxF3tjHdHaM3rrUZTYjeXj50k4WLmc0RtSezLmfkGK8skY776z8%2F"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7dad3683143d0-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:53 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:53 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:55 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
2024-09-01 20:01:55 UTC | 712 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:55 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30415
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8VcCU4%2Fj%2FAAEr%2F9QIWy25NFsijq%2BJ7%2BQlC1LUdixE1d3iUSygiPpzA9wlYbvjHL95KeQkNxfvolsonnnHGSZcTuScM87zwE4TgcBm66C7KN5FmaxcQLX0DRDx4%2B0XiyPoBxA9lhB"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7dae38d444211-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:55 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:55 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:57 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
2024-09-01 20:01:57 UTC | 702 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:57 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30417
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AqwT0FVL8atcXPOUXUmcCPc1UFnRTRodBE2tJzmiR3zPQWq07qgwQm4Lo3cX2RQQRtLyTBU9PU6lPsDEh0lHCp6ZeObiuMou08f0yEFRksFdi4SxhD7hVqdRf%2BiLs6da8tp8I4ta"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7daecba6341b4-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:57 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:57 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:58 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
2024-09-01 20:01:58 UTC | 708 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:01:58 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30418
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9amsYUAG1C8U%2BBlxwa9p5%2B7PVmY7FKZHIQpXOaSxlfOGpvdAMoo3lcaSSRSm8vhSxU%2FwhUZyEW9SX16gmq2fP9mwvhmnWt9RRooTxoQViUb6IeulcnA0m3awNUL52UZU%2BkxZS985"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7daf458a01971-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:01:58 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:01:58 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:01:59 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
2024-09-01 20:02:00 UTC | 704 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:02:00 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30420
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o458Xp7Ln%2BzqAHOVfnBpajocNKvQ39qEPEFu5H56rJBzJDMoDaDqry1hFf6t737W8N7KIqaCrY0QlSEW3ukoidnwTzj22Z%2FM627Dy4i9X98bNc7Pis1vSnzHoNgDhwHEIZfS8Chh"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7dafe597b43b1-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:02:00 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:02:00 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 6788 | C:\Users\user\Desktop\snake.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-01 20:02:01 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
2024-09-01 20:02:01 UTC | 708 | IN | HTTP/1.1 200 OK
                    Date: Sun, 01 Sep 2024 20:02:01 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 30421
                    Last-Modified: Sun, 01 Sep 2024 11:35:00 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dZ2A6%2FTZoF7E5gBMH5xWXTN9cHuB9YuseE73clJ4DVn%2Fcv2jLc0W4Q34dgaJxEGu1%2FEgeyX3GQWhrdrW32T6%2FrOwErKlO684Z4vAlgLf2mZZmyC90P7TQJbC49bS1IUZYpSNxAtK"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8bc7db077b110c9c-EWR
                    alt-svc: h3=":443"; ma=86400
2024-09-01 20:02:01 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-01 20:02:01 UTC | 5 | IN | Data Ascii: 0


                    Target ID:0
                    Start time:16:01:46
                    Start date:01/09/2024
                    Path:C:\Users\user\Desktop\snake.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\snake.exe"
                    Imagebase:0xfd0000
                    File size:133'632 bytes
                    MD5 hash:9500A552EA042907F1E6A7DE0EB92C44
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.1640784495.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1783268416.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:16:02:00
                    Start date:01/09/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\snake.exe"
                    Imagebase:0x240000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:16:02:01
                    Start date:01/09/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:16:02:01
                    Start date:01/09/2024
                    Path:C:\Windows\SysWOW64\choice.exe
                    Wow64 process (32bit):true
                    Commandline:choice /C Y /N /D Y /T 3
                    Imagebase:0xe90000
                    File size:28'160 bytes
                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                      Memory Dump Source
                      • Source File: 00000000.00000002.1782727861.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_15bd000_snake.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a02615860ef357cce3a134036d3e1e09852c9994e08e7f5c7da6cbe806d42f5
                      • Instruction ID: e8faea990f24986178a5f2fcf0fded11176eb743a2270c353e1b60c4ee8e8bce
                      • Opcode Fuzzy Hash: 4a02615860ef357cce3a134036d3e1e09852c9994e08e7f5c7da6cbe806d42f5
                      • Instruction Fuzzy Hash: 18210371500244DFDB05DF98D9C0BAABFB5FB88328F24C569E9090F256C37AE456C6A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1782727861.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_15bd000_snake.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                      • Instruction ID: 880885ce67917869dcdfb9802777db89afcd5da799f20fd0a67a062ce7051e44
                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                      • Instruction Fuzzy Hash: 6A11DF72404280CFCB16CF44D5C4B9ABF71FB84328F24C1A9D9090F656C33AE45ACBA1