Edit tour

Windows Analysis Report
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Overview

General Information

Sample name:	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe (renamed file extension from exe_ to exe, renamed because original name is a hash value)
Original sample name:	.exe_
Analysis ID:	1543585
MD5:	80b56ae302fea7f0f9e00b63f7ad598b
SHA1:	6411184877abfdd8b7743c27ef94e0f257ce1f1d
SHA256:	82c8e9440da130cb3c991bfd2b98afbf11fff2be9acd3e56b3107096a11a69e6
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe (PID: 1864 cmdline: "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe" MD5: 80B56AE302FEA7F0F9E00B63F7AD598B)

powershell.exe (PID: 5968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2952 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe (PID: 5996 cmdline: "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe" MD5: 80B56AE302FEA7F0F9E00B63F7AD598B)

cmd.exe (PID: 4760 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6160 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7461961891:AAHpgycZJEK7D2I9irTI6QgjGM_Z4Ne7WIQ", "Chat_id": "-4555977660", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2126706265.0000000005440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1447a:$a1: get_encryptedPassword 0x1475e:$a2: get_encryptedUsername 0x14286:$a3: get_timePasswordChanged 0x14381:$a4: get_passwordField 0x14490:$a5: set_encryptedPassword 0x15b2e:$a7: get_logins 0x15a91:$a10: KeyLoggerEventArgs 0x156fc:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19478:$x1: $%SMTPDV$ 0x17e54:$x2: $#TheHashHere%& 0x19420:$x3: %FTPDV$ 0x17df4:$x4: $%TelegramDv$ 0x156fc:$x5: KeyLoggerEventArgs 0x15a91:$x5: KeyLoggerEventArgs 0x19444:$m2: Clipboard Logs ID 0x19682:$m2: Screenshot Logs ID 0x19792:$m2: keystroke Logs ID 0x19a6c:$m3: SnakePW 0x1965a:$m4: \SnakeKeylogger\
00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb1312:$a1: get_encryptedPassword 0xd1732:$a1: get_encryptedPassword 0xf1952:$a1: get_encryptedPassword 0xb15f6:$a2: get_encryptedUsername 0xd1a16:$a2: get_encryptedUsername 0xf1c36:$a2: get_encryptedUsername 0xb111e:$a3: get_timePasswordChanged 0xd153e:$a3: get_timePasswordChanged 0xf175e:$a3: get_timePasswordChanged 0xb1219:$a4: get_passwordField 0xd1639:$a4: get_passwordField 0xf1859:$a4: get_passwordField 0xb1328:$a5: set_encryptedPassword 0xd1748:$a5: set_encryptedPassword 0xf1968:$a5: set_encryptedPassword 0xb29c6:$a7: get_logins 0xd2de6:$a7: get_logins 0xf3006:$a7: get_logins 0xb2929:$a10: KeyLoggerEventArgs 0xd2d49:$a10: KeyLoggerEventArgs 0xf2f69:$a10: KeyLoggerEventArgs
00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xb6310:$x1: $%SMTPDV$ 0xd6730:$x1: $%SMTPDV$ 0xf6950:$x1: $%SMTPDV$ 0xb4cec:$x2: $#TheHashHere%& 0xd510c:$x2: $#TheHashHere%& 0xf532c:$x2: $#TheHashHere%& 0xb62b8:$x3: %FTPDV$ 0xd66d8:$x3: %FTPDV$ 0xf68f8:$x3: %FTPDV$ 0xb4c8c:$x4: $%TelegramDv$ 0xd50ac:$x4: $%TelegramDv$ 0xf52cc:$x4: $%TelegramDv$ 0xb2594:$x5: KeyLoggerEventArgs 0xb2929:$x5: KeyLoggerEventArgs 0xd29b4:$x5: KeyLoggerEventArgs 0xd2d49:$x5: KeyLoggerEventArgs 0xf2bd4:$x5: KeyLoggerEventArgs 0xf2f69:$x5: KeyLoggerEventArgs 0xb62dc:$m2: Clipboard Logs ID 0xb651a:$m2: Screenshot Logs ID 0xb662a:$m2: keystroke Logs ID
00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5b8fa:$a1: get_encryptedPassword 0x5bb20:$a2: get_encryptedUsername 0x5b724:$a3: get_timePasswordChanged 0x5b812:$a4: get_passwordField 0x5b910:$a5: set_encryptedPassword 0x5d7d1:$a7: get_logins 0x5d749:$a10: KeyLoggerEventArgs 0x5d4b0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5d4b0:$x5: KeyLoggerEventArgs 0x5d749:$x5: KeyLoggerEventArgs 0x5dfa1:$x5: KeyLoggerEventArgs 0x5e302:$x5: KeyLoggerEventArgs 0x5f84b:$m2: Clipboard Logs ID 0x5f947:$m2: Screenshot Logs ID 0x5f99d:$m2: keystroke Logs ID 0x5fad2:$m3: SnakePW 0x5f933:$m4: \SnakeKeylogger\
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2cf3:$a1: get_encryptedPassword 0x2fcd:$a2: get_encryptedUsername 0x2b09:$a3: get_timePasswordChanged 0x2c04:$a4: get_passwordField 0x2d09:$a5: set_encryptedPassword 0x51c1:$a7: get_logins 0x5124:$a10: KeyLoggerEventArgs 0x4d8f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4d8f:$x5: KeyLoggerEventArgs 0x5124:$x5: KeyLoggerEventArgs 0x5a2b:$x5: KeyLoggerEventArgs 0x5d8c:$x5: KeyLoggerEventArgs 0x7353:$m2: Clipboard Logs ID 0x7459:$m2: Screenshot Logs ID 0x74af:$m2: keystroke Logs ID 0x75e4:$m3: SnakePW 0x7445:$m4: \SnakeKeylogger\
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1467a:$a1: get_encryptedPassword 0x1495e:$a2: get_encryptedUsername 0x14486:$a3: get_timePasswordChanged 0x14581:$a4: get_passwordField 0x14690:$a5: set_encryptedPassword 0x15d2e:$a7: get_logins 0x15c91:$a10: KeyLoggerEventArgs 0x158fc:$a11: KeyLoggerEventArgsEventHandler
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c076:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b2a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b6db:$a4: \Orbitum\User Data\Default\Login Data 0x1c71a:$a5: \Kometa\User Data\Default\Login Data
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15282:$s1: UnHook 0x15289:$s2: SetHook 0x15291:$s3: CallNextHook 0x1529e:$s4: _hook
4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19678:$x1: $%SMTPDV$ 0x18054:$x2: $#TheHashHere%& 0x19620:$x3: %FTPDV$ 0x17ff4:$x4: $%TelegramDv$ 0x158fc:$x5: KeyLoggerEventArgs 0x15c91:$x5: KeyLoggerEventArgs 0x19644:$m2: Clipboard Logs ID 0x19882:$m2: Screenshot Logs ID 0x19992:$m2: keystroke Logs ID 0x19c6c:$m3: SnakePW 0x1985a:$m4: \SnakeKeylogger\
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1287a:$a1: get_encryptedPassword 0x12b5e:$a2: get_encryptedUsername 0x12686:$a3: get_timePasswordChanged 0x12781:$a4: get_passwordField 0x12890:$a5: set_encryptedPassword 0x13f2e:$a7: get_logins 0x13e91:$a10: KeyLoggerEventArgs 0x13afc:$a11: KeyLoggerEventArgsEventHandler
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a276:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x194a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x198db:$a4: \Orbitum\User Data\Default\Login Data 0x1a91a:$a5: \Kometa\User Data\Default\Login Data
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13482:$s1: UnHook 0x13489:$s2: SetHook 0x13491:$s3: CallNextHook 0x1349e:$s4: _hook
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17878:$x1: $%SMTPDV$ 0x16254:$x2: $#TheHashHere%& 0x17820:$x3: %FTPDV$ 0x161f4:$x4: $%TelegramDv$ 0x13afc:$x5: KeyLoggerEventArgs 0x13e91:$x5: KeyLoggerEventArgs 0x17844:$m2: Clipboard Logs ID 0x17a82:$m2: Screenshot Logs ID 0x17b92:$m2: keystroke Logs ID 0x17e6c:$m3: SnakePW 0x17a5a:$m4: \SnakeKeylogger\
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1287a:$a1: get_encryptedPassword 0x12b5e:$a2: get_encryptedUsername 0x12686:$a3: get_timePasswordChanged 0x12781:$a4: get_passwordField 0x12890:$a5: set_encryptedPassword 0x13f2e:$a7: get_logins 0x13e91:$a10: KeyLoggerEventArgs 0x13afc:$a11: KeyLoggerEventArgsEventHandler
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a276:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x194a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x198db:$a4: \Orbitum\User Data\Default\Login Data 0x1a91a:$a5: \Kometa\User Data\Default\Login Data
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13482:$s1: UnHook 0x13489:$s2: SetHook 0x13491:$s3: CallNextHook 0x1349e:$s4: _hook
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17878:$x1: $%SMTPDV$ 0x16254:$x2: $#TheHashHere%& 0x17820:$x3: %FTPDV$ 0x161f4:$x4: $%TelegramDv$ 0x13afc:$x5: KeyLoggerEventArgs 0x13e91:$x5: KeyLoggerEventArgs 0x17844:$m2: Clipboard Logs ID 0x17a82:$m2: Screenshot Logs ID 0x17b92:$m2: keystroke Logs ID 0x17e6c:$m3: SnakePW 0x17a5a:$m4: \SnakeKeylogger\
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1467a:$a1: get_encryptedPassword 0x34a9a:$a1: get_encryptedPassword 0x54cba:$a1: get_encryptedPassword 0x1495e:$a2: get_encryptedUsername 0x34d7e:$a2: get_encryptedUsername 0x54f9e:$a2: get_encryptedUsername 0x14486:$a3: get_timePasswordChanged 0x348a6:$a3: get_timePasswordChanged 0x54ac6:$a3: get_timePasswordChanged 0x14581:$a4: get_passwordField 0x349a1:$a4: get_passwordField 0x54bc1:$a4: get_passwordField 0x14690:$a5: set_encryptedPassword 0x34ab0:$a5: set_encryptedPassword 0x54cd0:$a5: set_encryptedPassword 0x15d2e:$a7: get_logins 0x3614e:$a7: get_logins 0x5636e:$a7: get_logins 0x15c91:$a10: KeyLoggerEventArgs 0x360b1:$a10: KeyLoggerEventArgs 0x562d1:$a10: KeyLoggerEventArgs
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15282:$s1: UnHook 0x356a2:$s1: UnHook 0x558c2:$s1: UnHook 0x15289:$s2: SetHook 0x356a9:$s2: SetHook 0x558c9:$s2: SetHook 0x15291:$s3: CallNextHook 0x356b1:$s3: CallNextHook 0x558d1:$s3: CallNextHook 0x1529e:$s4: _hook 0x356be:$s4: _hook 0x558de:$s4: _hook
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19678:$x1: $%SMTPDV$ 0x39a98:$x1: $%SMTPDV$ 0x59cb8:$x1: $%SMTPDV$ 0x18054:$x2: $#TheHashHere%& 0x38474:$x2: $#TheHashHere%& 0x58694:$x2: $#TheHashHere%& 0x19620:$x3: %FTPDV$ 0x39a40:$x3: %FTPDV$ 0x59c60:$x3: %FTPDV$ 0x17ff4:$x4: $%TelegramDv$ 0x38414:$x4: $%TelegramDv$ 0x58634:$x4: $%TelegramDv$ 0x158fc:$x5: KeyLoggerEventArgs 0x15c91:$x5: KeyLoggerEventArgs 0x35d1c:$x5: KeyLoggerEventArgs 0x360b1:$x5: KeyLoggerEventArgs 0x55f3c:$x5: KeyLoggerEventArgs 0x562d1:$x5: KeyLoggerEventArgs 0x19644:$m2: Clipboard Logs ID 0x19882:$m2: Screenshot Logs ID 0x19992:$m2: keystroke Logs ID
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1467a:$a1: get_encryptedPassword 0x3489a:$a1: get_encryptedPassword 0x1495e:$a2: get_encryptedUsername 0x34b7e:$a2: get_encryptedUsername 0x14486:$a3: get_timePasswordChanged 0x346a6:$a3: get_timePasswordChanged 0x14581:$a4: get_passwordField 0x347a1:$a4: get_passwordField 0x14690:$a5: set_encryptedPassword 0x348b0:$a5: set_encryptedPassword 0x15d2e:$a7: get_logins 0x35f4e:$a7: get_logins 0x15c91:$a10: KeyLoggerEventArgs 0x35eb1:$a10: KeyLoggerEventArgs 0x158fc:$a11: KeyLoggerEventArgsEventHandler 0x35b1c:$a11: KeyLoggerEventArgsEventHandler
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15282:$s1: UnHook 0x354a2:$s1: UnHook 0x15289:$s2: SetHook 0x354a9:$s2: SetHook 0x15291:$s3: CallNextHook 0x354b1:$s3: CallNextHook 0x1529e:$s4: _hook 0x354be:$s4: _hook
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19678:$x1: $%SMTPDV$ 0x39898:$x1: $%SMTPDV$ 0x18054:$x2: $#TheHashHere%& 0x38274:$x2: $#TheHashHere%& 0x19620:$x3: %FTPDV$ 0x39840:$x3: %FTPDV$ 0x17ff4:$x4: $%TelegramDv$ 0x38214:$x4: $%TelegramDv$ 0x158fc:$x5: KeyLoggerEventArgs 0x15c91:$x5: KeyLoggerEventArgs 0x35b1c:$x5: KeyLoggerEventArgs 0x35eb1:$x5: KeyLoggerEventArgs 0x19644:$m2: Clipboard Logs ID 0x19882:$m2: Screenshot Logs ID 0x19992:$m2: keystroke Logs ID 0x39864:$m2: Clipboard Logs ID 0x39aa2:$m2: Screenshot Logs ID 0x39bb2:$m2: keystroke Logs ID 0x19c6c:$m3: SnakePW 0x39e8c:$m3: SnakePW 0x1985a:$m4: \SnakeKeylogger\
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x93b82:$a1: get_encryptedPassword 0xb3fa2:$a1: get_encryptedPassword 0xd41c2:$a1: get_encryptedPassword 0x93e66:$a2: get_encryptedUsername 0xb4286:$a2: get_encryptedUsername 0xd44a6:$a2: get_encryptedUsername 0x9398e:$a3: get_timePasswordChanged 0xb3dae:$a3: get_timePasswordChanged 0xd3fce:$a3: get_timePasswordChanged 0x93a89:$a4: get_passwordField 0xb3ea9:$a4: get_passwordField 0xd40c9:$a4: get_passwordField 0x93b98:$a5: set_encryptedPassword 0xb3fb8:$a5: set_encryptedPassword 0xd41d8:$a5: set_encryptedPassword 0x95236:$a7: get_logins 0xb5656:$a7: get_logins 0xd5876:$a7: get_logins 0x95199:$a10: KeyLoggerEventArgs 0xb55b9:$a10: KeyLoggerEventArgs 0xd57d9:$a10: KeyLoggerEventArgs
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x9478a:$s1: UnHook 0xb4baa:$s1: UnHook 0xd4dca:$s1: UnHook 0x94791:$s2: SetHook 0xb4bb1:$s2: SetHook 0xd4dd1:$s2: SetHook 0x94799:$s3: CallNextHook 0xb4bb9:$s3: CallNextHook 0xd4dd9:$s3: CallNextHook 0x947a6:$s4: _hook 0xb4bc6:$s4: _hook 0xd4de6:$s4: _hook
0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x98b80:$x1: $%SMTPDV$ 0xb8fa0:$x1: $%SMTPDV$ 0xd91c0:$x1: $%SMTPDV$ 0x9755c:$x2: $#TheHashHere%& 0xb797c:$x2: $#TheHashHere%& 0xd7b9c:$x2: $#TheHashHere%& 0x98b28:$x3: %FTPDV$ 0xb8f48:$x3: %FTPDV$ 0xd9168:$x3: %FTPDV$ 0x974fc:$x4: $%TelegramDv$ 0xb791c:$x4: $%TelegramDv$ 0xd7b3c:$x4: $%TelegramDv$ 0x94e04:$x5: KeyLoggerEventArgs 0x95199:$x5: KeyLoggerEventArgs 0xb5224:$x5: KeyLoggerEventArgs 0xb55b9:$x5: KeyLoggerEventArgs 0xd5444:$x5: KeyLoggerEventArgs 0xd57d9:$x5: KeyLoggerEventArgs 0x98b4c:$m2: Clipboard Logs ID 0x98d8a:$m2: Screenshot Logs ID 0x98e9a:$m2: keystroke Logs ID
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", ParentImage: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, ParentProcessId: 1864, ParentProcessName: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", ProcessId: 5968, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", ParentImage: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, ParentProcessId: 1864, ParentProcessName: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe", ProcessId: 5968, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T07:30:13.352944+0100	2803305	3	Unknown Traffic	192.168.2.5	56870	188.114.97.3	443	TCP
2024-10-28T07:30:14.963024+0100	2803305	3	Unknown Traffic	192.168.2.5	56875	188.114.97.3	443	TCP
2024-10-28T07:30:17.575204+0100	2803305	3	Unknown Traffic	192.168.2.5	56895	188.114.97.3	443	TCP
2024-10-28T07:30:23.415584+0100	2803305	3	Unknown Traffic	192.168.2.5	56936	188.114.97.3	443	TCP
2024-10-28T07:30:25.028845+0100	2803305	3	Unknown Traffic	192.168.2.5	56948	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T07:30:11.020266+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	56866	193.122.6.168	80	TCP
2024-10-28T07:30:12.614019+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	56866	193.122.6.168	80	TCP
2024-10-28T07:30:14.254629+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	56873	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7461961891:AAHpgycZJEK7D2I9irTI6QgjGM_Z4Ne7WIQ", "Chat_id": "-4555977660", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	ReversingLabs: Detection: 55%
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:56868 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.5:56936 -> 188.114.97.3:443 version: TLS 1.0

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EUWD.pdb source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source:	Binary string: EUWD.pdbSHA256 source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:56866 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:56873 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56870 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56875 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56948 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56895 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56936 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:56868 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.5:56936 -> 188.114.97.3:443 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.122.6.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000314D000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125321098.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003178000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003178000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188$

Source: unknown	Network traffic detected: HTTP traffic on port 56875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56919
Source: unknown	Network traffic detected: HTTP traffic on port 56936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56936
Source: unknown	Network traffic detected: HTTP traffic on port 56907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56868
Source: unknown	Network traffic detected: HTTP traffic on port 56868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56870
Source: unknown	Network traffic detected: HTTP traffic on port 56919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56948 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_027DDE8C	0_2_027DDE8C
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07106630	0_2_07106630
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07108538	0_2_07108538
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07108548	0_2_07108548
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07108F50	0_2_07108F50
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07106EA0	0_2_07106EA0
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_0710DDA8	0_2_0710DDA8
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07106A62	0_2_07106A62
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 0_2_07106A68	0_2_07106A68
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_01396108	4_2_01396108
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139C190	4_2_0139C190
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139B328	4_2_0139B328
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139C470	4_2_0139C470
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_01396730	4_2_01396730
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139C753	4_2_0139C753
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_01399858	4_2_01399858
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139BBD3	4_2_0139BBD3
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139CA33	4_2_0139CA33
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_01394AD9	4_2_01394AD9
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139CD10	4_2_0139CD10
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139BEB0	4_2_0139BEB0
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_01393573	4_2_01393573
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Code function: 4_2_0139B4F3	4_2_0139B4F3

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.0000000003BCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125321098.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2123922426.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2127315659.0000000007640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2333395480.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2336477144.00000000069E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Binary or memory string: OriginalFilenameEUWD.exe" vs #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, -Z-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, -Z-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, -Z-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, -Z-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, -.cs	Base64 encoded string: 'Z4lvkHkqC0nAKFL7u1nHfKgpoB491WruXa7bM4PzJJA2qnACTXM2e9TV8NgL6du/'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, -.cs	Base64 encoded string: 'Z4lvkHkqC0nAKFL7u1nHfKgpoB491WruXa7bM4PzJJA2qnACTXM2e9TV8NgL6du/'

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, Anb0cYArpoKo1yhtyt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, Anb0cYArpoKo1yhtyt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/6@2/2

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Mutant created: \Sessions\1\BaseNamedObjects\EpBDCFiBxICp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n50tx1ur.3ua.ps1

Jump to behavior

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	ReversingLabs: Detection: 55%
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Virustotal: Detection: 72%

Source: unknown	Process created: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EUWD.pdb source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Source:	Binary string: EUWD.pdbSHA256 source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	.Net Code: C4udwQc9nJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	.Net Code: C4udwQc9nJ System.Reflection.Assembly.Load(byte[])

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Static PE information: section name: .text entropy: 7.967958121672599

Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, KtckAGP4KduPbF19OL.cs	High entropy of concatenated method names: 'z3G8J5hhfq', 'xWH8igJfCg', 'z0O8M5qqCq', 'W1OMSaO6qD', 'jhLMzYbGYb', 'SGV827Cp0J', 'EEW8YdY0n5', 'Dek8NPjqJT', 'nLh8hJIfK6', 'r9J8dnwcd4'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, Qd9oHHF5356ntDR93t.cs	High entropy of concatenated method names: 'aGSZUHsYu0', 'hu6ZSripkJ', 'cExe2INvob', 'NPceY2FaOV', 'Ls0ZFHENcD', 'k4SZamPcn2', 'Ne4ZLpMY4G', 'kETZmWnqH6', 'rF5ZfD47k9', 'W5VZxUDFgN'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, dhjLZ71Qcg7PFDfiPh.cs	High entropy of concatenated method names: 'r0LipLrhvq', 'lCfiyBT9TV', 'V0IiBfrnnV', 'aV6iDiZo1A', 'LOui431L7d', 'pAriWP7lXc', 'o5WiZ9FVCK', 'zmyieWBMLr', 'l5piKyCQ1B', 'Fu2iCXbeLP'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, Vd9pFr3dyrKFhc0FTEf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ExjCmJyfQx', 'WKWCfpxhwa', 'rJ1CxOe4wB', 'BlQCPlHyTc', 'cXhCI6v7u3', 'BTNCONyjNw', 'g0WCt8Wfxp'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, TEe4hMMB43E5tw1PaQ.cs	High entropy of concatenated method names: 'vX2eJVwk4C', 'zAte16ZSFF', 'vNSeinspWN', 'x5ieVOeFD2', 'U3SeM9LWbE', 'owLe8RFV2F', 'QFyebyoPlJ', 'CFsecwtqU9', 'mwIe3cCUMC', 'OyyeqSelFr'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, Dxgl03ctXyn07SAmmH.cs	High entropy of concatenated method names: 'tuc46qv60U', 'JyK4aACb7k', 'Owr4mgCS42', 'l694f7TWsu', 'ObA4T5XxuB', 'JJe4AV0boA', 'eSy4lKtUtJ', 'Wuf40TpHO6', 'ssL49V7t3U', 'YBG4ng6N78'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, WcK5ZwvvWKvNsa3Aub.cs	High entropy of concatenated method names: 'VOvKYlKc66', 'uMvKhhI5Wm', 'CKMKd5qTCD', 'aCxKJY7tLv', 'D0CK1D8qAO', 'b9UKVL2Hua', 'fHxKMSjf1Q', 'sPhet7IMI0', 'HVheU2c8f3', 'rhXeHTJpte'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, dDQSxhVD9kXbPF8MmU.cs	High entropy of concatenated method names: 'Dispose', 'z9nYHKSe4h', 'woXNTdrQjV', 'QtijjjIlGm', 'VokYShEDS4', 'QGEYzUA4Ex', 'ProcessDialogKey', 'DRsN2ZLCjC', 'UfHNY2ur3P', 'JDlNN2ydcs'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	High entropy of concatenated method names: 'YwHhowlmZc', 'T5DhJ9aj34', 'CRgh1ycAyJ', 'E5uhiCQHvv', 'pb5hVwmLfT', 'UCrhMWRgYH', 'xeNh8oVDgL', 'LXkhb22X1a', 'Kekhc3mPjy', 'IEKh33dc5x'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, NCxtIEODogvXdXdW3v.cs	High entropy of concatenated method names: 'yJY4tbK7TT', 'rBt4UJLINu', 'LY84Heq8vG', 'O6d4SWhyjK', 'HZMMfX5bGbMIp1uoPLq', 'IlETwO5iSigx6BqWpDk', 'ae9ALq5sCOXtC5rWHw7'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, kBBGMbJqa9vcwLf0Ye.cs	High entropy of concatenated method names: 'V3fwQLbiw', 'p5Op2e48J', 'SIGyPRLKl', 'tPekAcRrC', 'yI9D54O9V', 'zMsvEJx1l', 'NqDbq4d6eIlVGwKRN4', 'XOvu9egnaZBeCnLLeY', 'sNweGUOT0', 'IB4ChvNUU'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, aSVla14Vjle8v5RVC6.cs	High entropy of concatenated method names: 'KSYY8vrnsg', 'pNVYbhRO06', 'NWFY3SmfNh', 'O8nYqcreTS', 'THUY4yy3Jc', 'pgsYWUl1wC', 'Q1EtGJaj9Dhhmc2MIA', 'VP0hdQZtVE45M3jPZO', 'bPsYYgwLAH', 'zOHYhj3qsU'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, yYIsrngYJoLmkm4uHU.cs	High entropy of concatenated method names: 'AjmZ3xQv7O', 'OYvZqiGb2u', 'ToString', 'tSuZJk9ZFV', 'PLTZ1JmxX0', 'ecwZicN2l8', 'JLdZVOqHPs', 'V9bZMITSgt', 'EUTZ8iDdyI', 'GLZZbSLKiK'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, fZjjLS8rBJd637hSUC.cs	High entropy of concatenated method names: 'VN4Mo831Ul', 'iIAM15byxo', 'f8YMVbUDAs', 'TkmM8u7VKW', 'IW4MbO6Cl6', 'fKUVI2Y3rT', 'oX0VOKnBq1', 'wxMVtd0iV0', 'RbqVUQUDBA', 'WTUVHWp3RE'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, EuSdkS3YXPmAULTSjF1.cs	High entropy of concatenated method names: 'eV9Kgh7LKt', 'OnvK7Alt1Q', 'qgrKw1rWEI', 'dFYKp5bLHg', 'XgsKu6pdTF', 'g3hKyrYkrl', 'ixhKkpXXcL', 'vOnKBqpuT5', 'MSyKD6K5AB', 'XSHKvt1arp'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, SwxenDzNWdRYCNKgTj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HYjKsvqMgb', 'QxEK4bScLU', 'pdKKWcK2X7', 'UHAKZuaX3X', 'EsfKeHLYTM', 'wkyKKX0jm9', 'wsQKCXYEUZ'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, zWGqxwycZ09tq4rIEJ.cs	High entropy of concatenated method names: 'nD1sBmnxWV', 'GVgsDTQgw6', 'vDksGZM4YV', 'tqLsTyC461', 'kpAslHAro3', 'TBRs0mXYG3', 'XaosnCCvjw', 'V95s5X9mQo', 'sgys6mdxaY', 'ANssFDv9uj'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, AQMVsEnn3la4EhpHVC.cs	High entropy of concatenated method names: 'ToString', 'vlSWFHCBCP', 'pGwWTYLYwI', 'B4AWACCybk', 'dExWl7CQqQ', 'B27W0dauPg', 'LHRW9bsw8G', 'kfHWnhU15L', 'CeVW5i1JJa', 'yGQWQVgl6J'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, cehbQI9lhi7h2Uj9ar.cs	High entropy of concatenated method names: 'm6xVu4W7f6', 'Ed0VkRoYTB', 'MPViAbmbyL', 'CvuilT4JiZ', 'zdgi0dPatO', 'f7hi957cex', 'CKWinCgGSR', 'DS4i5Y3fai', 'R14iQkgBVV', 'sD7i6pQeDE'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, Anb0cYArpoKo1yhtyt.cs	High entropy of concatenated method names: 'AQZ1mmPlTu', 'DC21fdCJxA', 'HBy1xIMr4q', 'ruG1PgBDN4', 'x5p1IQ8xOe', 'Vxp1O4dokC', 'YCs1tFhHeB', 'sBZ1USMed7', 'XJK1H1CmPR', 'PCC1S0YJCQ'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, E8UpcgHPWpknOxWxSY.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fFANHyPAKy', 'rPvNSr3HJ2', 'Up4NzUmJCw', 'qjIh2bXA7Q', 'IP1hYYioJm', 'PArhN1C0tm', 'vFFhhrdc1n', 'creMYPcjLkgm5HpBya1'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.7640000.5.raw.unpack, EIZ2dcf53pP09rW20m.cs	High entropy of concatenated method names: 'uZ88gTJ5yj', 'aPi87QVUsv', 'nLT8wsJemP', 'P5Q8pl0GSS', 'Od58uv5yqS', 'xXe8yAT0oR', 'pBd8kmE8nR', 'VCD8Bfokfi', 'IIL8DGpWpl', 'jDw8vD9B2v'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, KtckAGP4KduPbF19OL.cs	High entropy of concatenated method names: 'z3G8J5hhfq', 'xWH8igJfCg', 'z0O8M5qqCq', 'W1OMSaO6qD', 'jhLMzYbGYb', 'SGV827Cp0J', 'EEW8YdY0n5', 'Dek8NPjqJT', 'nLh8hJIfK6', 'r9J8dnwcd4'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, Qd9oHHF5356ntDR93t.cs	High entropy of concatenated method names: 'aGSZUHsYu0', 'hu6ZSripkJ', 'cExe2INvob', 'NPceY2FaOV', 'Ls0ZFHENcD', 'k4SZamPcn2', 'Ne4ZLpMY4G', 'kETZmWnqH6', 'rF5ZfD47k9', 'W5VZxUDFgN'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, dhjLZ71Qcg7PFDfiPh.cs	High entropy of concatenated method names: 'r0LipLrhvq', 'lCfiyBT9TV', 'V0IiBfrnnV', 'aV6iDiZo1A', 'LOui431L7d', 'pAriWP7lXc', 'o5WiZ9FVCK', 'zmyieWBMLr', 'l5piKyCQ1B', 'Fu2iCXbeLP'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, Vd9pFr3dyrKFhc0FTEf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ExjCmJyfQx', 'WKWCfpxhwa', 'rJ1CxOe4wB', 'BlQCPlHyTc', 'cXhCI6v7u3', 'BTNCONyjNw', 'g0WCt8Wfxp'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, TEe4hMMB43E5tw1PaQ.cs	High entropy of concatenated method names: 'vX2eJVwk4C', 'zAte16ZSFF', 'vNSeinspWN', 'x5ieVOeFD2', 'U3SeM9LWbE', 'owLe8RFV2F', 'QFyebyoPlJ', 'CFsecwtqU9', 'mwIe3cCUMC', 'OyyeqSelFr'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, Dxgl03ctXyn07SAmmH.cs	High entropy of concatenated method names: 'tuc46qv60U', 'JyK4aACb7k', 'Owr4mgCS42', 'l694f7TWsu', 'ObA4T5XxuB', 'JJe4AV0boA', 'eSy4lKtUtJ', 'Wuf40TpHO6', 'ssL49V7t3U', 'YBG4ng6N78'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, WcK5ZwvvWKvNsa3Aub.cs	High entropy of concatenated method names: 'VOvKYlKc66', 'uMvKhhI5Wm', 'CKMKd5qTCD', 'aCxKJY7tLv', 'D0CK1D8qAO', 'b9UKVL2Hua', 'fHxKMSjf1Q', 'sPhet7IMI0', 'HVheU2c8f3', 'rhXeHTJpte'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, dDQSxhVD9kXbPF8MmU.cs	High entropy of concatenated method names: 'Dispose', 'z9nYHKSe4h', 'woXNTdrQjV', 'QtijjjIlGm', 'VokYShEDS4', 'QGEYzUA4Ex', 'ProcessDialogKey', 'DRsN2ZLCjC', 'UfHNY2ur3P', 'JDlNN2ydcs'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, uyK1WwGMfcWSqQflgQ.cs	High entropy of concatenated method names: 'YwHhowlmZc', 'T5DhJ9aj34', 'CRgh1ycAyJ', 'E5uhiCQHvv', 'pb5hVwmLfT', 'UCrhMWRgYH', 'xeNh8oVDgL', 'LXkhb22X1a', 'Kekhc3mPjy', 'IEKh33dc5x'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, NCxtIEODogvXdXdW3v.cs	High entropy of concatenated method names: 'yJY4tbK7TT', 'rBt4UJLINu', 'LY84Heq8vG', 'O6d4SWhyjK', 'HZMMfX5bGbMIp1uoPLq', 'IlETwO5iSigx6BqWpDk', 'ae9ALq5sCOXtC5rWHw7'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, kBBGMbJqa9vcwLf0Ye.cs	High entropy of concatenated method names: 'V3fwQLbiw', 'p5Op2e48J', 'SIGyPRLKl', 'tPekAcRrC', 'yI9D54O9V', 'zMsvEJx1l', 'NqDbq4d6eIlVGwKRN4', 'XOvu9egnaZBeCnLLeY', 'sNweGUOT0', 'IB4ChvNUU'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, aSVla14Vjle8v5RVC6.cs	High entropy of concatenated method names: 'KSYY8vrnsg', 'pNVYbhRO06', 'NWFY3SmfNh', 'O8nYqcreTS', 'THUY4yy3Jc', 'pgsYWUl1wC', 'Q1EtGJaj9Dhhmc2MIA', 'VP0hdQZtVE45M3jPZO', 'bPsYYgwLAH', 'zOHYhj3qsU'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, yYIsrngYJoLmkm4uHU.cs	High entropy of concatenated method names: 'AjmZ3xQv7O', 'OYvZqiGb2u', 'ToString', 'tSuZJk9ZFV', 'PLTZ1JmxX0', 'ecwZicN2l8', 'JLdZVOqHPs', 'V9bZMITSgt', 'EUTZ8iDdyI', 'GLZZbSLKiK'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, fZjjLS8rBJd637hSUC.cs	High entropy of concatenated method names: 'VN4Mo831Ul', 'iIAM15byxo', 'f8YMVbUDAs', 'TkmM8u7VKW', 'IW4MbO6Cl6', 'fKUVI2Y3rT', 'oX0VOKnBq1', 'wxMVtd0iV0', 'RbqVUQUDBA', 'WTUVHWp3RE'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, EuSdkS3YXPmAULTSjF1.cs	High entropy of concatenated method names: 'eV9Kgh7LKt', 'OnvK7Alt1Q', 'qgrKw1rWEI', 'dFYKp5bLHg', 'XgsKu6pdTF', 'g3hKyrYkrl', 'ixhKkpXXcL', 'vOnKBqpuT5', 'MSyKD6K5AB', 'XSHKvt1arp'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, SwxenDzNWdRYCNKgTj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HYjKsvqMgb', 'QxEK4bScLU', 'pdKKWcK2X7', 'UHAKZuaX3X', 'EsfKeHLYTM', 'wkyKKX0jm9', 'wsQKCXYEUZ'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, zWGqxwycZ09tq4rIEJ.cs	High entropy of concatenated method names: 'nD1sBmnxWV', 'GVgsDTQgw6', 'vDksGZM4YV', 'tqLsTyC461', 'kpAslHAro3', 'TBRs0mXYG3', 'XaosnCCvjw', 'V95s5X9mQo', 'sgys6mdxaY', 'ANssFDv9uj'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, AQMVsEnn3la4EhpHVC.cs	High entropy of concatenated method names: 'ToString', 'vlSWFHCBCP', 'pGwWTYLYwI', 'B4AWACCybk', 'dExWl7CQqQ', 'B27W0dauPg', 'LHRW9bsw8G', 'kfHWnhU15L', 'CeVW5i1JJa', 'yGQWQVgl6J'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, cehbQI9lhi7h2Uj9ar.cs	High entropy of concatenated method names: 'm6xVu4W7f6', 'Ed0VkRoYTB', 'MPViAbmbyL', 'CvuilT4JiZ', 'zdgi0dPatO', 'f7hi957cex', 'CKWinCgGSR', 'DS4i5Y3fai', 'R14iQkgBVV', 'sD7i6pQeDE'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, Anb0cYArpoKo1yhtyt.cs	High entropy of concatenated method names: 'AQZ1mmPlTu', 'DC21fdCJxA', 'HBy1xIMr4q', 'ruG1PgBDN4', 'x5p1IQ8xOe', 'Vxp1O4dokC', 'YCs1tFhHeB', 'sBZ1USMed7', 'XJK1H1CmPR', 'PCC1S0YJCQ'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, E8UpcgHPWpknOxWxSY.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fFANHyPAKy', 'rPvNSr3HJ2', 'Up4NzUmJCw', 'qjIh2bXA7Q', 'IP1hYYioJm', 'PArhN1C0tm', 'vFFhhrdc1n', 'creMYPcjLkgm5HpBya1'
Source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3bcebf0.3.raw.unpack, EIZ2dcf53pP09rW20m.cs	High entropy of concatenated method names: 'uZ88gTJ5yj', 'aPi87QVUsv', 'nLT8wsJemP', 'P5Q8pl0GSS', 'Od58uv5yqS', 'xXe8yAT0oR', 'pBd8kmE8nR', 'VCD8Bfokfi', 'IIL8DGpWpl', 'jDw8vD9B2v'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"			Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 77B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 87B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 8960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599075	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598285	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597911	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596747	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596637	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595816	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595701	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595278	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594078	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7449	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2247	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Window / User API: threadDelayed 2598	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Window / User API: threadDelayed 7228	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 5420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 3920	Thread sleep count: 2598 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 3920	Thread sleep count: 7228 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -599075s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598285s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597911s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe TID: 2924	Thread sleep time: -594078s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 599075	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598285	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597911	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596747	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596637	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595816	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595701	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595278	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Thread delayed: delay time: 594078	Jump to behavior

Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2124190860.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2124190860.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334332741.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllme="

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Memory written: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2126706265.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2126706265.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a3dc98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.3a5e0b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.39be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe PID: 5996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	73%	Virustotal		Browse
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
reallyfreegeoip.org	0%	Virustotal		Browse
checkip.dyndns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.188	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003178000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.188$	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003178000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125321098.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/q	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000314D000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000322C000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.000000000321E000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, 00000004.00000002.2334935296.0000000003135000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.6.168	unknown	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543585
Start date and time:	2024-10-28 07:29:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe (renamed file extension from exe_ to exe, renamed because original name is a hash value)
Original Sample Name:	.exe_
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 10

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe, PID 5996 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:30:00	API Interceptor	108x Sleep call for process: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe modified
02:30:02	API Interceptor	12x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
193.122.6.168	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	EKSTRE_1022.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	na.doc	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	162.159.234.76
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	8m9f0jVE2G.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	8m9f0jVE2G.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1igp9x84Q_2r8qSa1YDSk9dpVvjHGWjRjQMSbSGGfj2M/preview?pli=1VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv	Get hash	malicious	Unknown	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yynygse.zfg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gljjiien.hsp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n50tx1ur.3ua.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ou1lcgr4.bk3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.958991147204555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
File size:	573'440 bytes
MD5:	80b56ae302fea7f0f9e00b63f7ad598b
SHA1:	6411184877abfdd8b7743c27ef94e0f257ce1f1d
SHA256:	82c8e9440da130cb3c991bfd2b98afbf11fff2be9acd3e56b3107096a11a69e6
SHA512:	b08b31671c258ad4d9be77f88e91cecc80ed5e8d0331b8cc4f3cb2af0e130a2b937d74a628d6681125d48581c6743a1d852b5a1143c66c298d54c8e88a369528
SSDEEP:	12288:/fATXkhMOoltiJVsxIojON7X4ETsCh/YvMLPVycMnt+giaS1P:Ckh5oDiJexpirB5ybt+8SB
TLSH:	D3C4232633BC4712EABF8BF6D57194A457F25801281AFA08CFC690DE14E3F454E85E9B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	070b2365ecc8682b

Static PE Info

General

Entrypoint:	0x48beea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6715A71A [Mon Oct 21 00:58:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8be97	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x1aac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8a554	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x89f10	0x8a000	91efab204863440172887ae1305c7c8a	False	0.9687517691349637	data	7.967958121672599	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x1aac	0x1c00	c11cce486d6307586d86645b9f94e347	False	0.8445870535714286	data	7.147715775372023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	edf4f92115fd90506ec8c926edaa9e52	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8c0c8	0x16a5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9608418147317578
RT_GROUP_ICON	0x8d780	0x14	data	1.05
RT_VERSION	0x8d7a4	0x304	data	0.44559585492227977

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-28T07:30:11.020266+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	56866	193.122.6.168	80	TCP
2024-10-28T07:30:12.614019+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	56866	193.122.6.168	80	TCP
2024-10-28T07:30:13.352944+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	56870	188.114.97.3	443	TCP
2024-10-28T07:30:14.254629+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	56873	193.122.6.168	80	TCP
2024-10-28T07:30:14.963024+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	56875	188.114.97.3	443	TCP
2024-10-28T07:30:17.575204+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	56895	188.114.97.3	443	TCP
2024-10-28T07:30:23.415584+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	56936	188.114.97.3	443	TCP
2024-10-28T07:30:25.028845+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	56948	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 07:30:03.247257948 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:03.252645016 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:03.252922058 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:03.253052950 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:03.258346081 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:09.415404081 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:09.419895887 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:09.425532103 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:10.967892885 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:11.009510040 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.009597063 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.009676933 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.014184952 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.014210939 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.020266056 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:11.634753942 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.635090113 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.639791965 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.639810085 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.640244007 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.688798904 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.731354952 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.829355955 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.829528093 CET	443	56868	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:11.829587936 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.839171886 CET	56868	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:11.842793941 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:11.848150969 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:12.567457914 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:12.570240021 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:12.570322037 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:12.570398092 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:12.570652008 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:12.570676088 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:12.614018917 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.208652020 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:13.211438894 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:13.211505890 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:13.353033066 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:13.353178024 CET	443	56870	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:13.353270054 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:13.353656054 CET	56870	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:13.357667923 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.358956099 CET	56873	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.363477945 CET	80	56866	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:13.363543987 CET	56866	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.364358902 CET	80	56873	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:13.364434958 CET	56873	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.364583015 CET	56873	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:13.370908976 CET	80	56873	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:14.210161924 CET	80	56873	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:14.212241888 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.212280989 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.212342024 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.212600946 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.212615013 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.254628897 CET	56873	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:14.824104071 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.825643063 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.825661898 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.963085890 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.963222027 CET	443	56875	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:14.963385105 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.966907978 CET	56875	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:14.967916965 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:14.973360062 CET	80	56883	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:14.975162029 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:14.975303888 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:14.980806112 CET	80	56883	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:16.810992002 CET	80	56883	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:16.813545942 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:16.813570023 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:16.814132929 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:16.814132929 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:16.814167023 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:16.864021063 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.427474976 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:17.437006950 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:17.437079906 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:17.575227976 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:17.575309038 CET	443	56895	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:17.575391054 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:17.575932980 CET	56895	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:17.579144001 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.580240011 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.585022926 CET	80	56883	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:17.585623980 CET	80	56901	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:17.585717916 CET	56883	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.585745096 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.585860014 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:17.591152906 CET	80	56901	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:18.420578003 CET	80	56901	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:18.421952963 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:18.421999931 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:18.422120094 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:18.422421932 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:18.422440052 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:18.473381996 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.045747042 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:19.047537088 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:19.047580004 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:19.187762022 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:19.187855005 CET	443	56907	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:19.187942982 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:19.188391924 CET	56907	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:19.191581011 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.193494081 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.197380066 CET	80	56901	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:19.197462082 CET	56901	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.198879004 CET	80	56913	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:19.198967934 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.199096918 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:19.204375029 CET	80	56913	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:20.033785105 CET	80	56913	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:20.035373926 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.035454988 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.035562038 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.035937071 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.035969973 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.082886934 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.659950972 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.661474943 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.661521912 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.803713083 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.803880930 CET	443	56919	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:20.804049969 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.804414988 CET	56919	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:20.807780027 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.809103966 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.813621044 CET	80	56913	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:20.813693047 CET	56913	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.814568996 CET	80	56925	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:20.814634085 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.814726114 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:20.820055962 CET	80	56925	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:22.656483889 CET	80	56925	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:22.658185005 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:22.658250093 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:22.658339977 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:22.658571005 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:22.658597946 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:22.707884073 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.265063047 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:23.266674042 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:23.266712904 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:23.415621996 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:23.415685892 CET	443	56936	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:23.416049957 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:23.416136026 CET	56936	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:23.420001984 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.421418905 CET	56942	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.425626993 CET	80	56925	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:23.425690889 CET	56925	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.426784992 CET	80	56942	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:23.426852942 CET	56942	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.427040100 CET	56942	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:23.432343006 CET	80	56942	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:24.263092041 CET	80	56942	193.122.6.168	192.168.2.5
Oct 28, 2024 07:30:24.264573097 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:24.264606953 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:24.264693975 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:24.264945984 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:24.264971018 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:24.317150116 CET	56942	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:24.875551939 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:24.877116919 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:24.877192020 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:25.028897047 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:25.028974056 CET	443	56948	188.114.97.3	192.168.2.5
Oct 28, 2024 07:30:25.029066086 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:25.029567957 CET	56948	443	192.168.2.5	188.114.97.3
Oct 28, 2024 07:30:25.189330101 CET	56942	80	192.168.2.5	193.122.6.168
Oct 28, 2024 07:30:25.189455032 CET	56873	80	192.168.2.5	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 07:30:02.608231068 CET	55383	53	192.168.2.5	1.1.1.1
Oct 28, 2024 07:30:02.616682053 CET	53	55383	1.1.1.1	192.168.2.5
Oct 28, 2024 07:30:11.000403881 CET	54767	53	192.168.2.5	1.1.1.1
Oct 28, 2024 07:30:11.008773088 CET	53	54767	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 07:30:02.608231068 CET	192.168.2.5	1.1.1.1	0x6419	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:30:11.000403881 CET	192.168.2.5	1.1.1.1	0x640e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 07:30:11.008773088 CET	1.1.1.1	192.168.2.5	0x640e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:30:11.008773088 CET	1.1.1.1	192.168.2.5	0x640e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	56866	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:03.253052950 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:09.415404081 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: abe9db6e521c12970029e0826d1c0115 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 07:30:09.419895887 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 07:30:10.967892885 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0da0fee076234125d1fcd94158f651bc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 07:30:11.842793941 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 07:30:12.567457914 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 91c358275ad0e94ab4b51bf06bca90b7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	56873	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:13.364583015 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 07:30:14.210161924 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b67eac9a0205bf13a2ef878fab945931 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	56883	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:14.975303888 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:16.810992002 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f272ea4021c98f415c6bec287680d2bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	56901	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:17.585860014 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:18.420578003 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af5574c4d2c25206c2d72356cd9bef1f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	56913	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:19.199096918 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:20.033785105 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d9286b8e9543aa392932ba62e3ba2d09 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	56925	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:20.814726114 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:22.656483889 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: da7172f63203ce9b803fc0e91f5cfce2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	56942	193.122.6.168	80	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:30:23.427040100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 07:30:24.263092041 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e29ff672152214c8591db7742898563 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	56868	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:11 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 06:30:11 UTC	884	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:11 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19642 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FqPbw%2FnMCuq1zv24SzCVKpvh5JBMCYXayJLsCqeRJKO9gMMua50uDqnc9apwC0DWsMHrnE5X6PjZR5Xb3%2FaFSp4ed3KJBECFIiCANziw9ASQnazvqkHYDCxr%2BU5ETmtNc9v6kRKu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e0337c273ab9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1123&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2441821&cwnd=251&unsent_bytes=0&cid=12bd385ded6777a9&ts=212&x=0"
2024-10-28 06:30:11 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	56870	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:13 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 06:30:13 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:13 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19644 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eKJe4rMPwVttBVRmTFWP8a5dUt3pOZD%2FEqwEKaALaaR6Rv%2FgnMEeSLroVm3mjYwg5FkqxnZvg3v8hcnIUmlnU7QvtGCGxmZVfuIx3kioofaQxbl2cOrjjKNcuCTJ8SFeQ5JhBx%2BV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e03d0e2c6b59-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1154&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2383539&cwnd=251&unsent_bytes=0&cid=ab541b91be8d620a&ts=155&x=0"
2024-10-28 06:30:13 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	56875	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:14 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 06:30:14 UTC	888	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:14 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19645 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qG%2B2MCd49Ccx9dS2ZyRWoE6k6UbZLNORLHna5HmTOzqEMO3%2BwAbakcOLJSHUfL9VO%2BubYl%2BT5KILP9taiM5SLdLVta85jAqUcRTjFchA2JKwVnyfJ9JnDMPku71xD%2FpFxO%2Fqkm6j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e0471eb8ddad-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1178&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2341147&cwnd=252&unsent_bytes=0&cid=61b02f4194826d8e&ts=148&x=0"
2024-10-28 06:30:14 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	56895	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:17 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 06:30:17 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:17 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19648 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wsYEjR%2B9oX%2FaAojlUBq3q7bgRlRyJ5UDjSGUovP%2BvkIR6d%2Fo6cvgdjmc8ZVz%2BOA7RMfyVzYrcczUNOnHNt7iXO%2FQEv6oegbV8jRQImUGTFVJtqPRCPma8Iga2vW5uV%2FOq8c8h8Uv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e05769f1e7f3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1684700&cwnd=247&unsent_bytes=0&cid=6b92b6f311c9c704&ts=153&x=0"
2024-10-28 06:30:17 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	56907	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:19 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 06:30:19 UTC	888	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:19 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19650 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbGZDgXVBr3%2FMwCDVGTk1gBGZ%2BUehrhGQs6drHEWGnw1pHOur3bKOQwtxeiOY5F%2BdMrklb8tF5j2V%2FCTuqVgEhSylHOWbOQGi0E4tWSJYoKioySkE%2FzvEcZxmh3j7otdy7p%2FHKqd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e06178826b2c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1096&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2592658&cwnd=251&unsent_bytes=0&cid=d6cd4155ef093600&ts=151&x=0"
2024-10-28 06:30:19 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	56919	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:20 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 06:30:20 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:20 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19651 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2B6fT5VKzCl36ZxvoUj%2FsWyQXjVeAS8PsUKfZuyL3HXD6%2BFsPOIyORhcpMasnqtmA1XEWxNcZBarHfBAnpYhyY%2BOpTBxPk0yGFeZoFfKoVrrz56dQN0i9QpgdPL16%2Bdw3oW3VtrK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e06b9bb72cb6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1882964&cwnd=247&unsent_bytes=0&cid=3e43d1254d3b925b&ts=149&x=0"
2024-10-28 06:30:20 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	56936	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:23 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 06:30:23 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:23 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19654 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Zq1dxQrLs%2F1rqQwT%2FmaV%2B%2FT91L5%2BQkf86qm9IhjUilk%2Ffo0PIbypIDLvvxloAVUC0kxLRLDsO2FXUAGHbU0aekfHrxCEOs12hi9L9JNo0x%2F1nmxUwcnoiAeOW43tOig0rt49xrZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e07bd8874659-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1124&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2768642&cwnd=250&unsent_bytes=0&cid=71952e8b9061f191&ts=156&x=0"
2024-10-28 06:30:23 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	56948	188.114.97.3	443	5996	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 06:30:24 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 06:30:25 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 06:30:24 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 19655 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fOJElyTDcM2n6Pwh7qWQQ%2FcPwTFBspPlnkW6ypsyWEL%2B2bz6vbrZQrMCt8Cc2pKcdoth%2By0iZJy1nzDnp9dgJPZE6H0GtwysHaVI8cvIaMWhQxfALE2yaChYeac8aAqx6CesUJ4f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98e085e8a32d3b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1379&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2061209&cwnd=249&unsent_bytes=0&cid=3aefcfa24e145cf7&ts=163&x=0"
2024-10-28 06:30:25 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	02:29:56
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Imagebase:	0x5e0000
File size:	573'440 bytes
MD5 hash:	80B56AE302FEA7F0F9E00B63F7AD598B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2126706265.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2125630362.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:30:01
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Imagebase:	0x910000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:30:01
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Imagebase:	0xdf0000
File size:	573'440 bytes
MD5 hash:	80B56AE302FEA7F0F9E00B63F7AD598B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2333395480.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2334935296.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:30:01
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:30:03
Start date:	28/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:30:24
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:30:24
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:30:24
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xec0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	211
Total number of Limit Nodes:	12

Executed Functions

Function 027DD380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027DD3FE
GetCurrentThread.KERNEL32 ref: 027DD43B
GetCurrentProcess.KERNEL32 ref: 027DD478
GetCurrentThreadId.KERNEL32 ref: 027DD4D1

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e4006ebb25dc413e96b9d048b823ffad621c599a02d77e250238fb8531c5186
Instruction ID: c4dce60705de144d4535340ae182819a852dfc70406bc211a4e8198d56d0d75d
Opcode Fuzzy Hash: 1e4006ebb25dc413e96b9d048b823ffad621c599a02d77e250238fb8531c5186
Instruction Fuzzy Hash: 795158B09003098FDB18DFA9D548BAEBBF5FF88314F20C469D409A7350D734A944CB65

Function 071096D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07109906

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 412f5e2f74a9017072d72d586041744c8c5e19f0f257482c3e09be1b54c78488
Instruction ID: cd508a4083dc079230f14ef7299a66b256b804cd1f1e3809ed4d8e8a1d144886
Opcode Fuzzy Hash: 412f5e2f74a9017072d72d586041744c8c5e19f0f257482c3e09be1b54c78488
Instruction Fuzzy Hash: 40917FB1D0021ACFDB15CF69C855BDDBBB6FF48310F14856AD808A7280DBB4A985CF92

Function 071096CF Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07109906

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5e5cca1216f3c1405b2da9cf685370d443e3b59f44fa39d7d083cc3df7e616af
Instruction ID: 4db39c875c57a5a5bc34f5e4ebcd26a6d96133fb106cecbfe48e0430a795852f
Opcode Fuzzy Hash: 5e5cca1216f3c1405b2da9cf685370d443e3b59f44fa39d7d083cc3df7e616af
Instruction Fuzzy Hash: B2916FB1D0021ACFDB15CF69C8557EDBBB2FF48310F14856AD808A7281DBB4A985CF92

Function 027DB0E8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 027DB33E

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a957a3a2c51582368429f5fae217b924c5fa57c93b4a95f888f469ff9c877382
Instruction ID: 393f5495ed89ad19be0e422d0b6c5632631cff065099574ea0020d89cc0aa2ef
Opcode Fuzzy Hash: a957a3a2c51582368429f5fae217b924c5fa57c93b4a95f888f469ff9c877382
Instruction Fuzzy Hash: 14814670A00B058FDB24DF6AD54575ABBF1FF88308F008A2DD48AD7A50DB75E949CB90

Function 027D590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027D59C9

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ec2a7b819568a6099c1053ef514974cb1866795409e29ef52bfb4b93dc705a9b
Instruction ID: 6beb12211dae32ce7789a1f4a044764d46fdf1715c42b528816478d1c025984e
Opcode Fuzzy Hash: ec2a7b819568a6099c1053ef514974cb1866795409e29ef52bfb4b93dc705a9b
Instruction Fuzzy Hash: 6241F4B0C00719CFDB25CFA9C894BDDBBB5BF89304F20805AD409AB255DB756946CF90

Function 027D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027D59C9

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 102f027d32ee6ab95e8907b4749dee3f7bc39fbe3fc860db97ad6e905a538b64
Instruction ID: d872fee97cf7acec00da7203c018c1a694126967e67905afbd737b6bdf780622
Opcode Fuzzy Hash: 102f027d32ee6ab95e8907b4749dee3f7bc39fbe3fc860db97ad6e905a538b64
Instruction Fuzzy Hash: 7D41B2B0C00719CBDB24DFA9C984B9EBBB5BF49304F60806AD409AB255DB756945CF90

Function 07109447 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 071094D8

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3db8dd714db17478175ce6dbb0847f9894f330db1d0d15dd09711b95cfca062d
Instruction ID: c8888be7fbc5de8c67cfe7d960b8bf112402e9b62b7e4134b6976b1914c26e32
Opcode Fuzzy Hash: 3db8dd714db17478175ce6dbb0847f9894f330db1d0d15dd09711b95cfca062d
Instruction Fuzzy Hash: 60212AB59003099FCB10DFA9C985BEEBBF5FF48310F10842AE519A7241C778A545CBA0

Function 07109448 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 071094D8

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ca97c7216201e78e12a004471811ae21844cf318e1505e33dbcbb97c5b13305e
Instruction ID: fda1af4f791326b81541701fd4366290af2bce923f8f8df5658585c0da5243da
Opcode Fuzzy Hash: ca97c7216201e78e12a004471811ae21844cf318e1505e33dbcbb97c5b13305e
Instruction Fuzzy Hash: 66214CB59003099FCB10DFAAC985BDEBBF5FF48310F108429E519A7241C778A544CBA0

Function 07108E70 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07108EF6

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7367cb5a9ec2b34c96dca2684569519b25f2b2518152031622119772086d43af
Instruction ID: 5e27cd421b4b90025465285774f1f08ef2ac1477ec9b24a2c31e6c6515a15053
Opcode Fuzzy Hash: 7367cb5a9ec2b34c96dca2684569519b25f2b2518152031622119772086d43af
Instruction Fuzzy Hash: 652125B1D042098FDB10DFAAC4857EEBBF4EF88314F14842AD419A7681C7789945CFA5

Function 07109537 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 071095B8

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: df9d253897b0dc0e6a67a49b27ede7c2433e0e14e82d5db1e1a5183eacb1c9f0
Instruction ID: e9100804f381a9d18ae6a981eb57563cf8816b1d228a8552eb0f4a6eb8d0a794
Opcode Fuzzy Hash: df9d253897b0dc0e6a67a49b27ede7c2433e0e14e82d5db1e1a5183eacb1c9f0
Instruction Fuzzy Hash: FB21F5B1C002599FDB10DFAAC985AEEFBF5FF48310F10842AE519A7250C778A945CFA0

Function 07109538 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 071095B8

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 54c7ef519a5650d21aeced0ee433554f47c8903a09757cfb8d0df2683dbeea5c
Instruction ID: 3372aab93c4d83fa8f3672c0267e2578b7e8a7ab50bc5da4d986278f482c61f8
Opcode Fuzzy Hash: 54c7ef519a5650d21aeced0ee433554f47c8903a09757cfb8d0df2683dbeea5c
Instruction Fuzzy Hash: 602107B1C003599FDB10DFAAC985AEEFBF5FF48310F50842AE519A7250C778A945CBA1

Function 07108E78 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07108EF6

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9c189d0978d7e935bd75b8bf3942a0e7a524103f10c2b0c9747b73c3ddbc6287
Instruction ID: e97b087b13befd335dd6c7a6dcacc647e508c4df5cbaf4b7ed1efca9b48e8b86
Opcode Fuzzy Hash: 9c189d0978d7e935bd75b8bf3942a0e7a524103f10c2b0c9747b73c3ddbc6287
Instruction Fuzzy Hash: C02147B1D003098FDB10DFAAC4857EEBBF4EF48310F10842AD419A7280CB78A945CFA5

Function 027DD5C2 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DD64F

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76fda811f25f6b020fef5371ece8b87136727c9e25fc0ab38ed06af1810cafc9
Instruction ID: 62d7a3e55b96c7c5eea2e6dcf972e097ab25a87e98e203750aa64cda66c5d077
Opcode Fuzzy Hash: 76fda811f25f6b020fef5371ece8b87136727c9e25fc0ab38ed06af1810cafc9
Instruction Fuzzy Hash: 4C21E4B59002499FDB10CFAAD984ADEBFF4FF48310F14805AE918A7350D378A944CFA5

Function 027DD5C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DD64F

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 27c078786fc19185cb81c5864fb8af04e0de70ae7d8204df31cde436da2200b5
Instruction ID: 044969b2d6f7587b8785213873fa33f49cb3f2f814915907e17c00f89b3639c7
Opcode Fuzzy Hash: 27c078786fc19185cb81c5864fb8af04e0de70ae7d8204df31cde436da2200b5
Instruction Fuzzy Hash: E921C2B59002489FDB10CFAAD984ADEBBF9FB48310F14845AE918A3350D378A954CFA5

Function 07109380 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071093F6

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e175b79460ad0681058a548f3c35e1c30ad909f344e2a42c72832d13ec32b6e9
Instruction ID: 96153bebc8b076a808524689f527d1fad1bf6a8412e3ab9fb9a749ca53882cf1
Opcode Fuzzy Hash: e175b79460ad0681058a548f3c35e1c30ad909f344e2a42c72832d13ec32b6e9
Instruction Fuzzy Hash: DF113AB28002499FDB10DFAAC945BEFBFF5EF48320F24841AE519A7250C779A545CFA0

Function 07109388 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071093F6

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89232d27ad9a5976b226b74606cb1997f63dcf3bf842980c22dcec3fffd3bfe8
Instruction ID: 29bb015468dd388f373e64c7455f1e7e5e2c97b03cd2ed672e0a5d15db893e42
Opcode Fuzzy Hash: 89232d27ad9a5976b226b74606cb1997f63dcf3bf842980c22dcec3fffd3bfe8
Instruction Fuzzy Hash: 641137B18002499FCB10DFAAC944AEFBFF5EF88310F108419E519A7250C779A540CFA0

Function 07108DC0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07108E2A

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f2d86200986a3081292200d0b36b66d1223065326a137b403ab27d3b914a1a6c
Instruction ID: fde369ceee70552735e90510ba926c50a0c85883a54c77f5fd6bc4d8e867afcd
Opcode Fuzzy Hash: f2d86200986a3081292200d0b36b66d1223065326a137b403ab27d3b914a1a6c
Instruction Fuzzy Hash: FE1137B19002488ECB20DFAAC4457EEFBF5EF88314F24842AC519A7250CB79A545CBA4

Function 07108DC8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07108E2A

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 228549b98c91c8cd3587a128342929e7d2f7a6e1429c30c54fbefed671b7ae08
Instruction ID: 766395701535bd2a757765eb5b581ee0aeaffd9af03c2f4a22df34337ef192a8
Opcode Fuzzy Hash: 228549b98c91c8cd3587a128342929e7d2f7a6e1429c30c54fbefed671b7ae08
Instruction Fuzzy Hash: 14113AB1D002498FDB10DFAAC4457EEFBF5EF88314F208419D519A7240CB79A944CBA4

Function 07107B5C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0710C73D

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b7493d160e0f98c4e2a4e692e57745c31418bd3ce4a9d2769489ccc63d46d398
Instruction ID: ac83f3384593dcd164e31bc77937649a0eab863b92eb8e281716f9f7ccda09ca
Opcode Fuzzy Hash: b7493d160e0f98c4e2a4e692e57745c31418bd3ce4a9d2769489ccc63d46d398
Instruction Fuzzy Hash: B21103B58003499FDB10DF9AC989BDEBBF8EB48310F10845AE518A7350C3B9A944CFE5

Function 027DB2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 027DB33E

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 327bd9fdc0c732b54a7aca54ddd480e732586a52b044fe64cb6d72240088dd53
Instruction ID: c207e718a677335911f42fdbca9b553f136acc44dd4dba728be46522dd950dac
Opcode Fuzzy Hash: 327bd9fdc0c732b54a7aca54ddd480e732586a52b044fe64cb6d72240088dd53
Instruction Fuzzy Hash: C01110B6C002498FDB10CF9AC844ADEFBF4EF88314F11842AD419A7200C379A545CFA1

Function 0710C6D8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0710C73D

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fc745b88fc46fbc1f8dd595316c67cdc7262ee9d87e2efc37f612e1c120a08bb
Instruction ID: 8596fbd57f0cdbc68c0370cf50615bc852dd7e922a7acb7b26426ed02337fd8f
Opcode Fuzzy Hash: fc745b88fc46fbc1f8dd595316c67cdc7262ee9d87e2efc37f612e1c120a08bb
Instruction Fuzzy Hash: FC11F2B58003499FDB10DF99D989BEEBFF8EB48310F20851AD518A7250C3B9A544CFA1

Function 00F4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124549113.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44c7b40e816f3e264856e46bf91cb08c623abb2a9228d75bac3b5f58bb76425
Instruction ID: 1966405c9d8ec7a9e062da959651ca522fd67301f5a1387cb80e2b8f8978fc8a
Opcode Fuzzy Hash: f44c7b40e816f3e264856e46bf91cb08c623abb2a9228d75bac3b5f58bb76425
Instruction Fuzzy Hash: 0A212872900244DFDB05DF14D9C0F26BF65FB98328F24C569ED090B256C736D856E7A2

Function 00F5D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124602291.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85ca47a4da78c23d57fff2d180b5d87276116f6f2a8e39d1df0cd177c81a207
Instruction ID: 0d97d02d1ea6830e9bcfe79d2ce5911404ce8c9e0433488e81fecdf605d9123b
Opcode Fuzzy Hash: f85ca47a4da78c23d57fff2d180b5d87276116f6f2a8e39d1df0cd177c81a207
Instruction Fuzzy Hash: F921F571505604DFEB14DF14D980B16BB65FB84325F20C569DE094B396C33AD84AEBA2

Function 00F5D0C5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124602291.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb53d687e6423dfbaa638d30690bd0a5b4d5188f20812bd737b55676b5e49fc
Instruction ID: 635da078cc7a5931eb1331930361a010448c2316e8c19287135b62fb6aaabfb1
Opcode Fuzzy Hash: 6fb53d687e6423dfbaa638d30690bd0a5b4d5188f20812bd737b55676b5e49fc
Instruction Fuzzy Hash: F021D471409780DFDB12CF10D984B11BFB1FB46324F24C5EAD9494B267C33A980ADB62

Function 00F4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124549113.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: d6fc565cdc595ef8ecd8b635d11c93e93c297f9fb4c1607fac70f1a98b80e01f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 5D112672904280CFCB06CF10D5C4B16BF71FB98328F28C6A9DC490B256C336D85ADBA2

Non-executed Functions

Function 0710DDA8 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5be967d45ce8707cc2311548b7adf5a4dcb50dc179416db4ed18bd9d8b468c
Instruction ID: be17a3f0a375ea60d36f1716aa446755fc311d095a634cba9563e83df8a8f7c0
Opcode Fuzzy Hash: bd5be967d45ce8707cc2311548b7adf5a4dcb50dc179416db4ed18bd9d8b468c
Instruction Fuzzy Hash: 94E19DB17007018FDB2AEBB6D4507AA7BF7AF89700F14886DD0498B2D5CB75D905CB91

Function 07106630 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484e398ef41d538d2cd07e351f350c7d201603098156a97ca109e810dd077895
Instruction ID: b9dfc72d9d5320a23c86c3b0524f2075ba3da97dd77e473a00d2446fd5940d72
Opcode Fuzzy Hash: 484e398ef41d538d2cd07e351f350c7d201603098156a97ca109e810dd077895
Instruction Fuzzy Hash: 89E11CB4E046598FDB14DF98C5809AEFBB2FF89305F24C269D414AB396D770A941CFA0

Function 07108548 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da0f1198e9525bbf3fde989990dd372bf9e6dca5391d3f728666bea2aa70cb2
Instruction ID: d7f8686654c736f81e0ba3ab46ff8c3006ea901cab5ab612e6665cf9d5dd1493
Opcode Fuzzy Hash: 2da0f1198e9525bbf3fde989990dd372bf9e6dca5391d3f728666bea2aa70cb2
Instruction Fuzzy Hash: E3E11CB4E045198FDB14DFA8C5809AEFBB2FF89305F24C269D414AB396D770A941CFA1

Function 07108F50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d16d9f7f4c032c7bf7ecb54ac716c2e25e37a947c34640a224b62fac6b08b39
Instruction ID: bdf9f1a824a2b9cd127baecfe2940af050a3be80d2d58728a273f8aa0f4542f2
Opcode Fuzzy Hash: 7d16d9f7f4c032c7bf7ecb54ac716c2e25e37a947c34640a224b62fac6b08b39
Instruction Fuzzy Hash: 52E12CB4E045198FDB14DFA8C5909AEFBB2FF49305F24C169D414AB396C770A941CFA0

Function 07106EA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c444564dc032a8af8f30482d167f7bdff57fee02bdf5c5f6eef21503f3ea14
Instruction ID: 6ee9f70ac28b81f0a31630d302cc63d46caddd7a8885cb8d484c40d974585bc7
Opcode Fuzzy Hash: f5c444564dc032a8af8f30482d167f7bdff57fee02bdf5c5f6eef21503f3ea14
Instruction Fuzzy Hash: 88E11AB4E045198FDB14DFA8C5809AEFBB2FF89305F24C269D414AB396D771A941CFA0

Function 07106A68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3390cdb6f39ad277e9d262449b0dc8857ba9bdcb76c375ceb59c1658bf6032c
Instruction ID: a16fa664a10063ebbb48e18ddd04fbad0c2a2f6ea5cb5732e5ac784b2b5d9fe3
Opcode Fuzzy Hash: f3390cdb6f39ad277e9d262449b0dc8857ba9bdcb76c375ceb59c1658bf6032c
Instruction Fuzzy Hash: 75E12AB4E045598FDB14DFA8C5809AEFBB2FF89305F24C269D404AB396C771A941CFA1

Function 027DDE8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124965218.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7240617c856fd2d71352a8810d3c1dc196ec917af6ce7381a43562245a7c7425
Instruction ID: 93772e68741b1763b964c56751c1c6c8a876ecff62aa3d031ce8aa86302d8473
Opcode Fuzzy Hash: 7240617c856fd2d71352a8810d3c1dc196ec917af6ce7381a43562245a7c7425
Instruction Fuzzy Hash: 4AA17D32E002198FCF15DFB4C9845EEB7B6FF89304B15856AE906AB265DB31E916CF40

Function 07108538 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf3957dc55f65698195198c2c80b894d2ff917e007dfdb3da527274fe987785
Instruction ID: eb346a6d24cf2f8973aeee42ba62ea2ee8cdcd41a929960bfe6c44a79214029a
Opcode Fuzzy Hash: 1cf3957dc55f65698195198c2c80b894d2ff917e007dfdb3da527274fe987785
Instruction Fuzzy Hash: F95129B4E046198FDB14DFA9C5809AEFBF2BF89305F24C169D418AB356D7309941CFA1

Function 07106A62 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127229038.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ae06b09b44d5eaff194abc17022692df396bb17913cb41397b9a88939731c3
Instruction ID: a3300b836acc8b6ad26d3265b04b07b47098cb2499a5f29711dda6cd6c39c79a
Opcode Fuzzy Hash: 49ae06b09b44d5eaff194abc17022692df396bb17913cb41397b9a88939731c3
Instruction Fuzzy Hash: FD511AB4E042198FDB14DFA9C5805AEFBF2BF89305F24C169D418A7256D7319A41CFA1

Analysis Process: #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exePID: 5996, Parent PID: 1864COMMON

Executed Functions

Function 01396730 Relevance: 6.7, Strings: 5, Instructions: 443COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0139697A
,aq, xrefs: 013969F2
(o]q, xrefs: 01396CA5
,aq, xrefs: 01396A00
(o]q, xrefs: 01396988

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: 2c2a65ebe92bec01ffac36adc72a595c7866ce865bae47770c9b8561a9c1c0e6
Instruction ID: 2b250fc32fb948f6eda2a56d3e38bfbb29eaf31b18d73120490dab10ff1b1dfb
Opcode Fuzzy Hash: 2c2a65ebe92bec01ffac36adc72a595c7866ce865bae47770c9b8561a9c1c0e6
Instruction Fuzzy Hash: 82025BB0A01209DFDF15CF69C985AAEBBF6FF88348F158469E905AB261D734EC41CB50

Function 01399858 Relevance: 3.4, Strings: 2, Instructions: 862COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01399C78
4']q, xrefs: 0139A273

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 2de2807e07abd89af59d4777db43213907c0f50cad14884898ad25c96e01ed16
Instruction ID: ac2d110fc86e9c558aa4c0ff41e63b9484373f58843812f68fa84eef0e73e127
Opcode Fuzzy Hash: 2de2807e07abd89af59d4777db43213907c0f50cad14884898ad25c96e01ed16
Instruction Fuzzy Hash: 0C727E71A00209DFCF15CF68C984AAEBBF6FF88318F158659E905AB2A1D734E941CB51

Function 01396108 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01396642
Haq, xrefs: 0139650E

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: ff19b2600dcc9469ae63b2593d5e45504ca0ec3a1f56684f5f287d5eb9e9c6ba
Instruction ID: 5ad13cb11ed2884167aed02eddd5f6bfdba9237235581802794f50e3b0c6fcdf
Opcode Fuzzy Hash: ff19b2600dcc9469ae63b2593d5e45504ca0ec3a1f56684f5f287d5eb9e9c6ba
Instruction Fuzzy Hash: BC12B3B0A002199FDB14DFA9C854AAEBBF6FF88304F148569E805EB395DF349D41CB90

Function 0139B328 Relevance: 2.9, Strings: 2, Instructions: 351COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139B758
PH]q, xrefs: 0139B747

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d7e6d9bf0d88faa3fff1691465cea1a183be1efd6d333e55828f84fdf001d314
Instruction ID: e54f69a86de382f221bc07edc880763ce98d921dfb5ac83cc6355ce4b147ea95
Opcode Fuzzy Hash: d7e6d9bf0d88faa3fff1691465cea1a183be1efd6d333e55828f84fdf001d314
Instruction Fuzzy Hash: DEE1F575E00218CFDB14CFA9D984A9DFBB2FF88314F158069E909AB366DB30A841CF51

Function 0139C470 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139C6D8
PH]q, xrefs: 0139C6C7

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 7cd76cf6bc3bbc371e9d96a3d2e89a7bd2d1537ad7fa5f80ba119aec4bb3edff
Instruction ID: 615e537e2fb1428f61729d73b8f2962f8f0ed686fba3d5762601dba77f199fd7
Opcode Fuzzy Hash: 7cd76cf6bc3bbc371e9d96a3d2e89a7bd2d1537ad7fa5f80ba119aec4bb3edff
Instruction Fuzzy Hash: 4991D174E00248CFDB18DFAAD984A9DBBF2FF89314F14D069E409AB265DB34A941CF51

Function 0139C190 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139C3E7
PH]q, xrefs: 0139C3F8

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 51acf8a6a7afef0163c40b002b6151fc247c1c7b3d2e53f696da0830822a08dc
Instruction ID: 67d0d99018b779ce9d544e0d2e99a49479399689bf1331868c59e490986a3949
Opcode Fuzzy Hash: 51acf8a6a7afef0163c40b002b6151fc247c1c7b3d2e53f696da0830822a08dc
Instruction Fuzzy Hash: 9681BE74E002188FDB18DFAAD984A9DBBF2FF89304F14D069E819AB365DB349941CF51

Function 0139C753 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139C9A7
PH]q, xrefs: 0139C9B8

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: b77ee38211111fa103cb49e687b260ac8812f855f61a665619209bfcc12c5b4b
Instruction ID: fd1dadbd00d7933ddc7a685935c3dce6691c832800ffaa379aa670916e266750
Opcode Fuzzy Hash: b77ee38211111fa103cb49e687b260ac8812f855f61a665619209bfcc12c5b4b
Instruction Fuzzy Hash: CB81B174E00218CFDB18DFAAD994A9DBBF2BF89314F14D069E809AB365DB349941CF11

Function 0139BEB0 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139C107
PH]q, xrefs: 0139C118

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: b8635015d99233252a97cb7b8c762f8e83194f6f61fd91c6f55ccfbafe59609a
Instruction ID: a6bdb10d37e84eec7f21c7406675ab5ed1bc3309c18cd1410e3d851419f26ba4
Opcode Fuzzy Hash: b8635015d99233252a97cb7b8c762f8e83194f6f61fd91c6f55ccfbafe59609a
Instruction Fuzzy Hash: BD81B174E00208CFDB18DFAAD984A9DBBF2BF89304F14D069E809AB365DB359945CF51

Function 01394AD9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH]q, xrefs: 01394D30
PH]q, xrefs: 01394D41

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: ade2c335be9b4c68c1dafa9c9b915dd0e6f4d3c2b2fba2afb9803e75357679d3
Instruction ID: ef914de71109c02175235884d23c3f35030e21110f43d9d1d960aba61f211f74
Opcode Fuzzy Hash: ade2c335be9b4c68c1dafa9c9b915dd0e6f4d3c2b2fba2afb9803e75357679d3
Instruction Fuzzy Hash: 1781B374E002589FDF18DFA9D984A9DBBF2BF88304F14C069E819AB365DB349942CF51

Function 0139CA33 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139CC87
PH]q, xrefs: 0139CC98

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: e25b6047f766d9182bbe37937fe99c8f2a9fc47264c53d33903fd5ebe6b7444f
Instruction ID: b07deadc9a64d714f287bc0c6c2d10038b8cf340561dcfef17dd1d4e5a22e7dc
Opcode Fuzzy Hash: e25b6047f766d9182bbe37937fe99c8f2a9fc47264c53d33903fd5ebe6b7444f
Instruction Fuzzy Hash: 7D81BF74E002588FDF18DFAAD994A9DBBF2BF88304F14D069E809AB365DB349941CF11

Function 0139BBD3 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139BE38
PH]q, xrefs: 0139BE27

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: fe93146fcd5da3576eb04384d5c97506e330bc6b97efd32598205bd7c628e0f1
Instruction ID: fd254a3919de614e13d13b91b6fc787279b1e2c1866327aa3aad5b5356d54598
Opcode Fuzzy Hash: fe93146fcd5da3576eb04384d5c97506e330bc6b97efd32598205bd7c628e0f1
Instruction Fuzzy Hash: 1E81AD74E00258CFDB18DFAAD984A9DFBF2BF89304F148069E809AB365DB349945CF51

Function 0139B4F3 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0139B758
PH]q, xrefs: 0139B747

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d85d6c666d6e8cfe7ddf96cc8e1d4929934699970b2de7b6b1586fb18c863329
Instruction ID: 5fa73a6005ecf27f24b93f26df8da74eb8231e76a79efbe375f7064078a6b82d
Opcode Fuzzy Hash: d85d6c666d6e8cfe7ddf96cc8e1d4929934699970b2de7b6b1586fb18c863329
Instruction Fuzzy Hash: BE61AF74E006089FDB18DFAAD984A9DFBF2BF89304F14C069E419AB365DB349941CF51

Function 0139CD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e1034a2d071e89ab3925699c15af63e84d08ae956105444525cb0b6649c9f9
Instruction ID: ac1bf696ad2a0d9556979e9234b8e8725e4fc3af2d8ab6c6fa288c253a21e90c
Opcode Fuzzy Hash: c9e1034a2d071e89ab3925699c15af63e84d08ae956105444525cb0b6649c9f9
Instruction Fuzzy Hash: FC518174E01208DFDB54DFA9D58499DBBF2FF89300F249169E819AB365DB31A801CF50

Function 01396E58 Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

,aq, xrefs: 013972F8
,aq, xrefs: 01397308
(o]q, xrefs: 01396F51
(o]q, xrefs: 01397377
(o]q, xrefs: 0139701A
(o]q, xrefs: 01397367
(o]q, xrefs: 01396E96
(o]q, xrefs: 01396F7D

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: f6ec8f958a42b6458744f8653d06fed68d99c34a0013be8951c770bf28e57eed
Instruction ID: f37e806c08c090a40dcc95ea9d83d8750278500f0bb9183367816617d10edd64
Opcode Fuzzy Hash: f6ec8f958a42b6458744f8653d06fed68d99c34a0013be8951c770bf28e57eed
Instruction Fuzzy Hash: 81224830A106098FCB15DF69D984A9EBBF6FF88318F1585A9E949DB2A1D730EC41CF50

Function 013987E9 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

4']q, xrefs: 01398811
4']q, xrefs: 01398837
;]q, xrefs: 01398C2C

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 3fa508895567f8498eb07bf40039f81c6f3ea8a59e759800218b7e3d78941a2d
Instruction ID: a8f847e5ca2aa712f3b6f8050445a60ae6f67aa448158e760366e21f17f7291b
Opcode Fuzzy Hash: 3fa508895567f8498eb07bf40039f81c6f3ea8a59e759800218b7e3d78941a2d
Instruction Fuzzy Hash: 5EF17E713042098FEF259A3DC954B797A9AAFC7708F1844EAE506CF3B2EA69CC41C751

Function 013977F0 Relevance: 3.2, Strings: 2, Instructions: 700COMMON

Download Yara Rule

Strings

$]q, xrefs: 01398337
$]q, xrefs: 01398314

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 2f6bea940e87157b75a8c12f2fc13e371b36dfee68e023895224d23d40968e50
Instruction ID: d6168bd2840d770047720b448ce2243c11298bc054bcfa1d9cd6497a58f30d0c
Opcode Fuzzy Hash: 2f6bea940e87157b75a8c12f2fc13e371b36dfee68e023895224d23d40968e50
Instruction Fuzzy Hash: 77523F74A0021CCFEB159FA8C960B9EBB76FF84300F1080A9C54AAB3A5DB395D45DF95

Function 013956A8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

Haq, xrefs: 01395793
Haq, xrefs: 013957C6

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: c69aabe6859c38cecda67a24b6ac3996db70380cae4676fe3dbe630c6f3e03b2
Instruction ID: 8402958d5df9c774d14260d153de2695adaa0f23607f3308a7e60fc39b9e68d9
Opcode Fuzzy Hash: c69aabe6859c38cecda67a24b6ac3996db70380cae4676fe3dbe630c6f3e03b2
Instruction Fuzzy Hash: C7B1CE317042158FDF269F69D894B3E7BA6BF88318F14856AE906CB395DF38C881C791

Function 01395C08 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,aq, xrefs: 01395CDE
,aq, xrefs: 01395CE8

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 716ccf7cae245af66ee41355a1c6747faca87106f61e9b23694480e2fd4c9710
Instruction ID: 4c0c1885a183e114fc71e2fbd27743b8c90669e605b434c2f6ae7190be418c3d
Opcode Fuzzy Hash: 716ccf7cae245af66ee41355a1c6747faca87106f61e9b23694480e2fd4c9710
Instruction Fuzzy Hash: DA819035A00109CFDF16DF6DC8889AABBB6FF89208B14856AD509E7765D731EC82CF50

Function 01393428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0139345E
Xaq, xrefs: 01393435

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 61cad35d439ef56566730f5222ea8e2547bc17bf7fe8edb6533853d1f639b7c9
Instruction ID: ab1d1217db2e7f036c963bf97c3a1204533fae45088d969a0435cd13e5b278f0
Opcode Fuzzy Hash: 61cad35d439ef56566730f5222ea8e2547bc17bf7fe8edb6533853d1f639b7c9
Instruction Fuzzy Hash: FD3104B9B003198BEF2D997E499427EA5DEBFC4318F040439D906E3394DF78CC458291

Function 01390C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01390E5E

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 20614c36b3e23c29afddbd7132de6e38e129493d0ce363b143ba3717e05f03a3
Instruction ID: c89b37117135cbd764a02b23ee196b0338b0e454945bbad4330dca58bc6e5ed2
Opcode Fuzzy Hash: 20614c36b3e23c29afddbd7132de6e38e129493d0ce363b143ba3717e05f03a3
Instruction Fuzzy Hash: 9C226F74E0121A8FCB54DF64E984A9DBBB6FF88301F1085A9D809B7368DB386D45CF42

Function 01390CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01390E5E

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 16ad434073b139bf03c09f2a2f7af3fceedc7328617a29ff3e667490e0a96f46
Instruction ID: a8e9ab55bffbbdb6f03060a355a72c8af24d4c8d715ab40dc83fae9541e0595d
Opcode Fuzzy Hash: 16ad434073b139bf03c09f2a2f7af3fceedc7328617a29ff3e667490e0a96f46
Instruction Fuzzy Hash: E7226F74E0121A8FCB54DF64E994A9DBBB5FF88301F1085A9D809B7368DB386D45CF42

Function 0139A650 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0139A7D9

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 94010adf995c84450d69ef821d63be70e1ad51c3aac8056bbea08f81e1a71917
Instruction ID: c20ef9f661456c17853c316b9932ec1269600837c294981152e36f01f06fb5dc
Opcode Fuzzy Hash: 94010adf995c84450d69ef821d63be70e1ad51c3aac8056bbea08f81e1a71917
Instruction Fuzzy Hash: 0B41D1357002089FCB149BB8DD546AE7BF6BBC8315F148569D916E73A5CE309C02CB90

Function 0139A818 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517a31e383a8351c53cd2958640a1296b247bba569e447972d800045cbe0bbc7
Instruction ID: af51ef9ce80ee10ec2451d2e8c072140f7e258776f73f4738959951c5108c1c3
Opcode Fuzzy Hash: 517a31e383a8351c53cd2958640a1296b247bba569e447972d800045cbe0bbc7
Instruction Fuzzy Hash: 51F12B75A002158FCF14DFADC8889ADBBF6BF88314B1A8569E515EB361CB35EC41CB50

Function 01397438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec703ad23acf9c0cf2224c933f25a340117d9dd8316b86e7c14ac1b4735e5c47
Instruction ID: e28b21a34dec00dbf5e926fa8143cd257461013bfc479ff72b606ae4e1832bd2
Opcode Fuzzy Hash: ec703ad23acf9c0cf2224c933f25a340117d9dd8316b86e7c14ac1b4735e5c47
Instruction Fuzzy Hash: A2710534710245CFDF65DF2CC898AAA7BEAAF49618B1500A9E906CB3B1DB70DC41CF90

Function 0139CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb4fa5708b417c31bdf113bb6b8b008ff4e1d877569d7bcae07dae14dfe8a07
Instruction ID: a8f11b4f37f5d73a5b4482ee7d20a7361b433ba742b1568899d447f5804016fc
Opcode Fuzzy Hash: edb4fa5708b417c31bdf113bb6b8b008ff4e1d877569d7bcae07dae14dfe8a07
Instruction Fuzzy Hash: 9351B2346213569FD3202FA1ADAC16A7FA8FB5F327B05BD00E18ED5029DF706865CB61

Function 0139CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dc21b5a8aa9892049997023c7778ee9977deef622fb7238bffc5087bd20395
Instruction ID: abcd323e0aec72a52c683cad1cf3d6018f89e74221c18228fcd7cb16c133b547
Opcode Fuzzy Hash: 11dc21b5a8aa9892049997023c7778ee9977deef622fb7238bffc5087bd20395
Instruction Fuzzy Hash: FF51A2346212578FD3202FA1ADAC16E7FA8FB5F327B05BC00E18ED5029CF3068648B50

Function 013938F9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17934a931c5879a8e08017a37883badd643da866cd8fdfaa9878e919692ff178
Instruction ID: c9b94a6162d44735c997e125b69e87f8d087e6d0c764b7eaeb8239e1681e8fd3
Opcode Fuzzy Hash: 17934a931c5879a8e08017a37883badd643da866cd8fdfaa9878e919692ff178
Instruction Fuzzy Hash: B551A475E01209DFCB08DFA9D59099DBBB2FF89314B209069E809BB364DB35AD42CF51

Function 01393908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b59e8f4b6e2546c77402c984c793240ad2618a3bc573c7b6219df3dd18a72b
Instruction ID: 1c4273d9b2bc72273c04d3eb5b51b78093f64e873d86a839e08766339ddaa27c
Opcode Fuzzy Hash: f4b59e8f4b6e2546c77402c984c793240ad2618a3bc573c7b6219df3dd18a72b
Instruction Fuzzy Hash: 7B51A374E01209CFCB08DFA9D59099DBBB2FF89314B209469E809BB364DB35AD42CF41

Function 01399A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74238da768cbd79669a19f806715d464a04b30f092d4081079c10308646588b6
Instruction ID: c10531a5f4dbacb267e62ed24b39df56f540f8832a0e7bc6256a822d665a70aa
Opcode Fuzzy Hash: 74238da768cbd79669a19f806715d464a04b30f092d4081079c10308646588b6
Instruction Fuzzy Hash: 6B418231A04249DFDF12CFA8CC44B9EBFB6EF49318F048559E9159B2A2D334E950CBA1

Function 01394DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38679a7ee38cee0b4caed42475f35e47fe825e67a286d5314482fce9c22041f4
Instruction ID: 632839d5de1c4c9c1588435296567b277f178c9f54e31c379939883f1b5dea26
Opcode Fuzzy Hash: 38679a7ee38cee0b4caed42475f35e47fe825e67a286d5314482fce9c22041f4
Instruction Fuzzy Hash: 7D319631B0410A9FCF159FA8DD54AAF3BA6FF88319F108424F9199B255CB38DC66CB91

Function 013976D0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e52b9d22f759d6c19aad0c22b9e92a5c53498780022f21a54cfb922ca0d592
Instruction ID: 7c2ac94beefdd30afc547ee0b751e7f44d3968bff880ac177473d402516289b8
Opcode Fuzzy Hash: 69e52b9d22f759d6c19aad0c22b9e92a5c53498780022f21a54cfb922ca0d592
Instruction Fuzzy Hash: 1E21F9353242055BEF26173D8C5493D369BAFC565CB184079D506CB7EAEE35CC42DB82

Function 0139A809 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eab6e3ec52afb6fe4b91c0cedb7b4d5b74f28ecbe02bf09273fe05111368e65
Instruction ID: fce4a3aeedb8283b19dc892c7b538252488665bf1c880b610c03bdccca9e3d75
Opcode Fuzzy Hash: 2eab6e3ec52afb6fe4b91c0cedb7b4d5b74f28ecbe02bf09273fe05111368e65
Instruction Fuzzy Hash: 5031A170A005198FCF04CF6DC8889AEBFB6FF88754B158669E516DB3A1CB349C02CB90

Function 013976E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9c0de47910de11f47a9102c5cd534232e0c49d6a25f28c708f58603a414a30
Instruction ID: adfe8e9cddb824132ffd52dae16b908aa0fa1a18c3d2ac09d0f259830c2d644c
Opcode Fuzzy Hash: ca9c0de47910de11f47a9102c5cd534232e0c49d6a25f28c708f58603a414a30
Instruction Fuzzy Hash: 0B2171353202055BEF291629CD94A7E369B9FC471CF144079D506CB7E9EE79CC42DB81

Function 01395A63 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74df44f8417f28d54414328a0401bd9465c5872791feca8dc426d08083837d3a
Instruction ID: 77b995c788f7a84ecf982c4e1ab70ef593034ba9aae64930af20fed6cbe0bddb
Opcode Fuzzy Hash: 74df44f8417f28d54414328a0401bd9465c5872791feca8dc426d08083837d3a
Instruction Fuzzy Hash: F321C2357016128FEB269B68C89462FB7A6FBC4759B14417AE906EB354CF38DC428BC4

Function 01392060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11266c667e083fd1bab68792eee1ccae89a8a6fdab3bda8a92bb5560785cf6a8
Instruction ID: f5b6a57a6fd88f4c5b25101dc8ed8784f32ad5922a10fdaa795a3a9bbd9b01be
Opcode Fuzzy Hash: 11266c667e083fd1bab68792eee1ccae89a8a6fdab3bda8a92bb5560785cf6a8
Instruction Fuzzy Hash: 4521C435A00505AFCF14DF68D8509AF77A6EB98258F10C05DD8099B380DB35EE46CBD2

Function 0133D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334009120.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_133d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845b0efeb5e76cadb8e12fac61c435e0cf8efc6474a80e047bffb2b842db832d
Instruction ID: e1b310110bf23072c0545070303e0500b8f95509de2fc24029feb96f4357bd4f
Opcode Fuzzy Hash: 845b0efeb5e76cadb8e12fac61c435e0cf8efc6474a80e047bffb2b842db832d
Instruction Fuzzy Hash: 9C213071500244EFDB05DF98D9C0F66BF69FBC8328F60C169E9091B656C73AE416CBA2

Function 0139D218 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f6144e4305355d025c7b3d151054f83008330811b99910b968cf31f4d2f3cb
Instruction ID: 20d509272daaf30a6256c54a5f91914d7adad0a2aeebf3ac8d2025b081ea3179
Opcode Fuzzy Hash: 08f6144e4305355d025c7b3d151054f83008330811b99910b968cf31f4d2f3cb
Instruction Fuzzy Hash: 3D213A349012489FDF08DFB4E841AEDB7B6FB8A315F10A468D45577350CB399801CF29

Function 0139D123 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c02c783e241c9b1fc2f00cf220fe310da7b07714867f74da2ba257b360c031
Instruction ID: c6c5068b2224de59eee732201195b5980c426e0cfc11e1d2a0a60c766e29b914
Opcode Fuzzy Hash: a8c02c783e241c9b1fc2f00cf220fe310da7b07714867f74da2ba257b360c031
Instruction Fuzzy Hash: 2721FF31C10219DEDB10EFE8D8046ECBBB4FF4A315F009629E50877254EB346A8ACB91

Function 0139215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd8015083e17b427b11038e8ce583b8381c3ebfcfcc3b399cbad59735550419
Instruction ID: 0667c1d186d2c29b57d7bf61f700958084a6e2ef28017a4900a86343d9009ce0
Opcode Fuzzy Hash: 3cd8015083e17b427b11038e8ce583b8381c3ebfcfcc3b399cbad59735550419
Instruction Fuzzy Hash: 19117232E082495FCF02DBB89C104DEBB34FF863107158397D526B7191EA352805C792

Function 0139D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c6e5c9e1b53c8c5ed60f1d653e450a34efd8d82453827ed370b757ae64fd41
Instruction ID: b958e341e23be1bb44446f6731c241821857bc86248830e35cffb788b238a35d
Opcode Fuzzy Hash: b4c6e5c9e1b53c8c5ed60f1d653e450a34efd8d82453827ed370b757ae64fd41
Instruction Fuzzy Hash: 3B21C234A012089FCF08DFB4D850AEEB7B2FB8A305F10A469D405773A4DB39A941CF69

Function 01395A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac29175678e5c29597242361b0b808f2835e506e57bae5b303c7076f4a0971b7
Instruction ID: 7f6a922005ed3d33749f1ad79843896acef7735cb52ae9d17c98791c197d0047
Opcode Fuzzy Hash: ac29175678e5c29597242361b0b808f2835e506e57bae5b303c7076f4a0971b7
Instruction Fuzzy Hash: C511E5317016129FEB275A29CC9492FBBA6FFC46557154179E906DB364CF34DC028BC0

Function 0133D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334009120.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_133d000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 56c3c332efa8cd761394178fcb00189e22f923dfebb10a204b46ec2c7f3fb5a0
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 1B110372404280DFCB12CF44D5C4B56BF71FB84328F24C5A9D9490B657C33AE45ACBA2

Function 01395607 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef13675e56375bace41e307e1d26184847e11c0b79beecfed9f8c9d1beec8b4
Instruction ID: 0591fe239cc237737ff5edac04ca8533bbc217dbb6c402786d450d8fbdcf167c
Opcode Fuzzy Hash: aef13675e56375bace41e307e1d26184847e11c0b79beecfed9f8c9d1beec8b4
Instruction Fuzzy Hash: 670149327041156FDF129E58AC006FF7FAAEFD9655B188027F505DB290CA30CC1287E1

Function 01391F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f6b360ffc71dc94fa06a90ed0fa741cef12a7948ae5e426d45a483b959232b
Instruction ID: 572cdff2f4b939298b8fa238166735f99be7310f35eeff2cef40d31051454a9e
Opcode Fuzzy Hash: 70f6b360ffc71dc94fa06a90ed0fa741cef12a7948ae5e426d45a483b959232b
Instruction Fuzzy Hash: D521B0B4D0160A8FCB50EFB8D8466EEBBF5FB49301F10916AD805B3254EB345A55CBA1

Function 01392010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f73cc501417bcfabea3e19705dec0d3aee02fe1a4b88792df85ef9ab6685f2
Instruction ID: 7141192d44cb186a963ef4f5d44a92099d438c4f00f9dad5d10025cc85b1f77a
Opcode Fuzzy Hash: 31f73cc501417bcfabea3e19705dec0d3aee02fe1a4b88792df85ef9ab6685f2
Instruction Fuzzy Hash: E1E08633D1022A53CB1097A1DC056DFB73CEFA1254F444521D42437140FBB1275A82E1

Function 01392020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c5fb948d29f6c28a915fa8f69006f21af7cd777e5076521d4e36cb661e803d
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 67c5fb948d29f6c28a915fa8f69006f21af7cd777e5076521d4e36cb661e803d
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 01398258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: a5952539cd27a0228a7e095a9d22c1c0c65ef0e8dcf7e34212c87868c4d1324d
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 31C0123710D12C2ADB25104E7C409A3674CC2C22B891501B7F55C9320054425C4001A4

Function 0139A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86b2b7e2e61f0e0fbaf6b9f17f3c22c0ffc660398f05d7742fc2191bb991451
Instruction ID: 0164129719878f6efb33c63b2406438785f01cd92d3d81e6e6117896c202da74
Opcode Fuzzy Hash: e86b2b7e2e61f0e0fbaf6b9f17f3c22c0ffc660398f05d7742fc2191bb991451
Instruction Fuzzy Hash: 7CD0677AB410189FCB149F9CEC408DDBBB6FB9C221B049116E915A3265C6319921DB91

Function 01395EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11be6534651354fd286e2f0ff4dd2be9f3b999bcd0343071bc09baa400adcc5d
Instruction ID: a286015756a557027b958d21c2d74ff278126963f3d1c9ff5a629d9e8af3a761
Opcode Fuzzy Hash: 11be6534651354fd286e2f0ff4dd2be9f3b999bcd0343071bc09baa400adcc5d
Instruction Fuzzy Hash: A0D0C230A183454BC725EB74F9454583B3AAA90208B5041B5D8062642AEABC4C0A8751

Function 01395EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10160b1a6dd285b7d02d1eb503c16d96b3bafd9e2fbb6df059ba4f3a16022169
Instruction ID: 26f03e5bcb8dfdde5bcae8120b585e5caaabce80d37332eba026cc969f469fb8
Opcode Fuzzy Hash: 10160b1a6dd285b7d02d1eb503c16d96b3bafd9e2fbb6df059ba4f3a16022169
Instruction Fuzzy Hash: 19C01230A4430A4BC659FF75FE45915372EFAC0208F509570E10A2712DEF7C6C498795

Non-executed Functions

Function 01396088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 013960C6
\;]q, xrefs: 013960BA
\;]q, xrefs: 01396094
\;]q, xrefs: 0139609E

Memory Dump Source

Source File: 00000004.00000002.2334296232.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1390000_#U304a#U898b#U7a4d#U308a#U4f9d#U983c.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 1df649ee4c5d49598d4d1f05f43bb603b422856bdfc8b3f43c53c14c7ae91fc3
Instruction ID: 0042b61407af03d3355ced31e40fe1e307830c0f3a835c2bca8bbc5950dd1240
Opcode Fuzzy Hash: 1df649ee4c5d49598d4d1f05f43bb603b422856bdfc8b3f43c53c14c7ae91fc3
Instruction Fuzzy Hash: 1301D4B17091188FDF248E2CC4D59297BFEBF88668725417AE505CB3B5DA71DC41C740

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yynygse.zfg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gljjiien.hsp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n50tx1ur.3ua.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ou1lcgr4.bk3.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe

Function 027DD380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 071096D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 071096CF Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 027DB0E8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 027D590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 027D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07109447 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07109448 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07108E70 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 027DD5C2 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON