Edit tour

Windows Analysis Report
gZIZ5eyCtS.exe

Overview

General Information

Sample name:	gZIZ5eyCtS.exe renamed because original name is a hash value
Original sample name:	82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468.exe
Analysis ID:	1422377
MD5:	9b7a1803cad3e79cb6449558d5ce938f
SHA1:	736f009ef8e35886fe5b0445e41dd4e6446352a7
SHA256:	82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

gZIZ5eyCtS.exe (PID: 2580 cmdline: "C:\Users\user\Desktop\gZIZ5eyCtS.exe" MD5: 9B7A1803CAD3E79CB6449558D5CE938F)

gZIZ5eyCtS.exe (PID: 764 cmdline: "C:\Users\user\Desktop\gZIZ5eyCtS.exe" MD5: 9B7A1803CAD3E79CB6449558D5CE938F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2097654328.00000000059B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a46b:$x1: In$J$ct0r
00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ab9:$a1: get_encryptedPassword 0x14f69:$a2: get_encryptedUsername 0x14819:$a3: get_timePasswordChanged 0x14925:$a4: get_passwordField 0x14acf:$a5: set_encryptedPassword 0x168fe:$a6: get_passwords 0x16c58:$a7: get_logins 0x168ea:$a8: GetOutlookPasswords 0x16510:$a9: StartKeylogger 0x16bb1:$a10: KeyLoggerEventArgs 0x16588:$a11: KeyLoggerEventArgsEventHandler 0x14aa9:$a12: GetDataPassword
00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1625d:$s8: GrabbedClp 0x16510:$s9: StartKeylogger 0x17947:$x1: $%SMTPDV$ 0x179ab:$x2: $#TheHashHere%& 0x1902e:$x3: %FTPDV$ 0x19122:$x4: $%TelegramDv$ 0x16588:$x5: KeyLoggerEventArgs 0x16bb1:$x5: KeyLoggerEventArgs 0x19052:$m2: Clipboard Logs ID 0x1921e:$m2: Screenshot Logs ID 0x192ea:$m2: keystroke Logs ID 0x191f6:$m4: \SnakeKeylogger\
00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x556e9:$a1: get_encryptedPassword 0x75919:$a1: get_encryptedPassword 0x95939:$a1: get_encryptedPassword 0x55b99:$a2: get_encryptedUsername 0x75dc9:$a2: get_encryptedUsername 0x95de9:$a2: get_encryptedUsername 0x55449:$a3: get_timePasswordChanged 0x75679:$a3: get_timePasswordChanged 0x95699:$a3: get_timePasswordChanged 0x55555:$a4: get_passwordField 0x75785:$a4: get_passwordField 0x957a5:$a4: get_passwordField 0x556ff:$a5: set_encryptedPassword 0x7592f:$a5: set_encryptedPassword 0x9594f:$a5: set_encryptedPassword 0x5752e:$a6: get_passwords 0x7775e:$a6: get_passwords 0x9777e:$a6: get_passwords 0x57888:$a7: get_logins 0x77ab8:$a7: get_logins 0x97ad8:$a7: get_logins
00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x56e8d:$s8: GrabbedClp 0x770bd:$s8: GrabbedClp 0x970dd:$s8: GrabbedClp 0x57140:$s9: StartKeylogger 0x77370:$s9: StartKeylogger 0x97390:$s9: StartKeylogger 0x58577:$x1: $%SMTPDV$ 0x787a7:$x1: $%SMTPDV$ 0x987c7:$x1: $%SMTPDV$ 0x585db:$x2: $#TheHashHere%& 0x7880b:$x2: $#TheHashHere%& 0x9882b:$x2: $#TheHashHere%& 0x59c5e:$x3: %FTPDV$ 0x79e8e:$x3: %FTPDV$ 0x99eae:$x3: %FTPDV$ 0x59d52:$x4: $%TelegramDv$ 0x79f82:$x4: $%TelegramDv$ 0x99fa2:$x4: $%TelegramDv$ 0x571b8:$x5: KeyLoggerEventArgs 0x577e1:$x5: KeyLoggerEventArgs 0x773e8:$x5: KeyLoggerEventArgs
00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 2580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 2580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 2580	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 2580	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x674e8:$a1: get_encryptedPassword 0x6798e:$a2: get_encryptedUsername 0x6725c:$a3: get_timePasswordChanged 0x67368:$a4: get_passwordField 0x674fe:$a5: set_encryptedPassword 0x692cf:$a6: get_passwords 0x69629:$a7: get_logins 0x692bb:$a8: GetOutlookPasswords 0x68ee1:$a9: StartKeylogger 0x69582:$a10: KeyLoggerEventArgs 0x68f59:$a11: KeyLoggerEventArgsEventHandler 0x674d8:$a12: GetDataPassword
Process Memory Space: gZIZ5eyCtS.exe PID: 2580	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68c2e:$s8: GrabbedClp 0x68ee1:$s9: StartKeylogger 0x68f59:$x5: KeyLoggerEventArgs 0x69582:$x5: KeyLoggerEventArgs 0x6c4b1:$x5: KeyLoggerEventArgs 0x6ca77:$x5: KeyLoggerEventArgs 0x735b9:$x5: KeyLoggerEventArgs 0x73b7f:$x5: KeyLoggerEventArgs 0x7727c:$x5: KeyLoggerEventArgs 0x77842:$x5: KeyLoggerEventArgs 0x6e1a9:$m2: Clipboard Logs ID 0x6e289:$m2: Screenshot Logs ID 0x6e2bd:$m2: keystroke Logs ID 0x6e275:$m4: \SnakeKeylogger\
Process Memory Space: gZIZ5eyCtS.exe PID: 764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 764	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: gZIZ5eyCtS.exe PID: 764	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f578:$a1: get_encryptedPassword 0x5fa1e:$a2: get_encryptedUsername 0x5f2ec:$a3: get_timePasswordChanged 0x5f3f8:$a4: get_passwordField 0x5f58e:$a5: set_encryptedPassword 0x6135f:$a6: get_passwords 0x616b9:$a7: get_logins 0x6134b:$a8: GetOutlookPasswords 0x60f71:$a9: StartKeylogger 0x61612:$a10: KeyLoggerEventArgs 0x60fe9:$a11: KeyLoggerEventArgsEventHandler 0x5f568:$a12: GetDataPassword
Process Memory Space: gZIZ5eyCtS.exe PID: 764	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x60cbe:$s8: GrabbedClp 0x60f71:$s9: StartKeylogger 0x60fe9:$x5: KeyLoggerEventArgs 0x61612:$x5: KeyLoggerEventArgs 0x64541:$x5: KeyLoggerEventArgs 0x64b07:$x5: KeyLoggerEventArgs 0x66239:$m2: Clipboard Logs ID 0x66319:$m2: Screenshot Logs ID 0x6634d:$m2: keystroke Logs ID 0x66305:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.gZIZ5eyCtS.exe.46115d0.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a46b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.45c35a0.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4866b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.59b0000.6.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4866b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.46115d0.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4866b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.59b0000.6.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a46b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12eb9:$a1: get_encryptedPassword 0x13369:$a2: get_encryptedUsername 0x12c19:$a3: get_timePasswordChanged 0x12d25:$a4: get_passwordField 0x12ecf:$a5: set_encryptedPassword 0x14cfe:$a6: get_passwords 0x15058:$a7: get_logins 0x14cea:$a8: GetOutlookPasswords 0x14910:$a9: StartKeylogger 0x14fb1:$a10: KeyLoggerEventArgs 0x14988:$a11: KeyLoggerEventArgsEventHandler 0x12ea9:$a12: GetDataPassword
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19d32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18f64:$a3: \Google\Chrome\User Data\Default\Login Data 0x19397:$a4: \Orbitum\User Data\Default\Login Data 0x1a3d6:$a5: \Kometa\User Data\Default\Login Data
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13df8:$s1: UnHook 0x13dff:$s2: SetHook 0x13e07:$s3: CallNextHook 0x13e14:$s4: _hook
0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1465d:$s8: GrabbedClp 0x14910:$s9: StartKeylogger 0x15d47:$x1: $%SMTPDV$ 0x15dab:$x2: $#TheHashHere%& 0x1742e:$x3: %FTPDV$ 0x17522:$x4: $%TelegramDv$ 0x14988:$x5: KeyLoggerEventArgs 0x14fb1:$x5: KeyLoggerEventArgs 0x17452:$m2: Clipboard Logs ID 0x1761e:$m2: Screenshot Logs ID 0x176ea:$m2: keystroke Logs ID 0x175f6:$m4: \SnakeKeylogger\
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12eb9:$a1: get_encryptedPassword 0x13369:$a2: get_encryptedUsername 0x12c19:$a3: get_timePasswordChanged 0x12d25:$a4: get_passwordField 0x12ecf:$a5: set_encryptedPassword 0x14cfe:$a6: get_passwords 0x15058:$a7: get_logins 0x14cea:$a8: GetOutlookPasswords 0x14910:$a9: StartKeylogger 0x14fb1:$a10: KeyLoggerEventArgs 0x14988:$a11: KeyLoggerEventArgsEventHandler 0x12ea9:$a12: GetDataPassword
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19d32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18f64:$a3: \Google\Chrome\User Data\Default\Login Data 0x19397:$a4: \Orbitum\User Data\Default\Login Data 0x1a3d6:$a5: \Kometa\User Data\Default\Login Data
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13df8:$s1: UnHook 0x13dff:$s2: SetHook 0x13e07:$s3: CallNextHook 0x13e14:$s4: _hook
0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1465d:$s8: GrabbedClp 0x14910:$s9: StartKeylogger 0x15d47:$x1: $%SMTPDV$ 0x15dab:$x2: $#TheHashHere%& 0x1742e:$x3: %FTPDV$ 0x17522:$x4: $%TelegramDv$ 0x14988:$x5: KeyLoggerEventArgs 0x14fb1:$x5: KeyLoggerEventArgs 0x17452:$m2: Clipboard Logs ID 0x1761e:$m2: Screenshot Logs ID 0x176ea:$m2: keystroke Logs ID 0x175f6:$m4: \SnakeKeylogger\
2.2.gZIZ5eyCtS.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.gZIZ5eyCtS.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.gZIZ5eyCtS.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.gZIZ5eyCtS.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cb9:$a1: get_encryptedPassword 0x15169:$a2: get_encryptedUsername 0x14a19:$a3: get_timePasswordChanged 0x14b25:$a4: get_passwordField 0x14ccf:$a5: set_encryptedPassword 0x16afe:$a6: get_passwords 0x16e58:$a7: get_logins 0x16aea:$a8: GetOutlookPasswords 0x16710:$a9: StartKeylogger 0x16db1:$a10: KeyLoggerEventArgs 0x16788:$a11: KeyLoggerEventArgsEventHandler 0x14ca9:$a12: GetDataPassword
2.2.gZIZ5eyCtS.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bb32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1ad64:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b197:$a4: \Orbitum\User Data\Default\Login Data 0x1c1d6:$a5: \Kometa\User Data\Default\Login Data
2.2.gZIZ5eyCtS.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15bf8:$s1: UnHook 0x15bff:$s2: SetHook 0x15c07:$s3: CallNextHook 0x15c14:$s4: _hook
2.2.gZIZ5eyCtS.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1645d:$s8: GrabbedClp 0x16710:$s9: StartKeylogger 0x17b47:$x1: $%SMTPDV$ 0x17bab:$x2: $#TheHashHere%& 0x1922e:$x3: %FTPDV$ 0x19322:$x4: $%TelegramDv$ 0x16788:$x5: KeyLoggerEventArgs 0x16db1:$x5: KeyLoggerEventArgs 0x19252:$m2: Clipboard Logs ID 0x1941e:$m2: Screenshot Logs ID 0x194ea:$m2: keystroke Logs ID 0x193f6:$m4: \SnakeKeylogger\
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cb9:$a1: get_encryptedPassword 0x34cd9:$a1: get_encryptedPassword 0x15169:$a2: get_encryptedUsername 0x35189:$a2: get_encryptedUsername 0x14a19:$a3: get_timePasswordChanged 0x34a39:$a3: get_timePasswordChanged 0x14b25:$a4: get_passwordField 0x34b45:$a4: get_passwordField 0x14ccf:$a5: set_encryptedPassword 0x34cef:$a5: set_encryptedPassword 0x16afe:$a6: get_passwords 0x36b1e:$a6: get_passwords 0x16e58:$a7: get_logins 0x36e78:$a7: get_logins 0x16aea:$a8: GetOutlookPasswords 0x36b0a:$a8: GetOutlookPasswords 0x16710:$a9: StartKeylogger 0x36730:$a9: StartKeylogger 0x16db1:$a10: KeyLoggerEventArgs 0x36dd1:$a10: KeyLoggerEventArgs 0x16788:$a11: KeyLoggerEventArgsEventHandler
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bb32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bb52:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1ad64:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ad84:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b197:$a4: \Orbitum\User Data\Default\Login Data 0x3b1b7:$a4: \Orbitum\User Data\Default\Login Data 0x1c1d6:$a5: \Kometa\User Data\Default\Login Data 0x3c1f6:$a5: \Kometa\User Data\Default\Login Data
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15bf8:$s1: UnHook 0x35c18:$s1: UnHook 0x15bff:$s2: SetHook 0x35c1f:$s2: SetHook 0x15c07:$s3: CallNextHook 0x35c27:$s3: CallNextHook 0x15c14:$s4: _hook 0x35c34:$s4: _hook
0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1645d:$s8: GrabbedClp 0x3647d:$s8: GrabbedClp 0x16710:$s9: StartKeylogger 0x36730:$s9: StartKeylogger 0x17b47:$x1: $%SMTPDV$ 0x37b67:$x1: $%SMTPDV$ 0x17bab:$x2: $#TheHashHere%& 0x37bcb:$x2: $#TheHashHere%& 0x1922e:$x3: %FTPDV$ 0x3924e:$x3: %FTPDV$ 0x19322:$x4: $%TelegramDv$ 0x39342:$x4: $%TelegramDv$ 0x16788:$x5: KeyLoggerEventArgs 0x16db1:$x5: KeyLoggerEventArgs 0x367a8:$x5: KeyLoggerEventArgs 0x36dd1:$x5: KeyLoggerEventArgs 0x19252:$m2: Clipboard Logs ID 0x1941e:$m2: Screenshot Logs ID 0x194ea:$m2: keystroke Logs ID 0x39272:$m2: Clipboard Logs ID 0x3943e:$m2: Screenshot Logs ID
0.2.gZIZ5eyCtS.exe.45c35a0.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a46b:$x1: In$J$ct0r 0x9849b:$x1: In$J$ct0r
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cb9:$a1: get_encryptedPassword 0x34ee9:$a1: get_encryptedPassword 0x54f09:$a1: get_encryptedPassword 0x15169:$a2: get_encryptedUsername 0x35399:$a2: get_encryptedUsername 0x553b9:$a2: get_encryptedUsername 0x14a19:$a3: get_timePasswordChanged 0x34c49:$a3: get_timePasswordChanged 0x54c69:$a3: get_timePasswordChanged 0x14b25:$a4: get_passwordField 0x34d55:$a4: get_passwordField 0x54d75:$a4: get_passwordField 0x14ccf:$a5: set_encryptedPassword 0x34eff:$a5: set_encryptedPassword 0x54f1f:$a5: set_encryptedPassword 0x16afe:$a6: get_passwords 0x36d2e:$a6: get_passwords 0x56d4e:$a6: get_passwords 0x16e58:$a7: get_logins 0x37088:$a7: get_logins 0x570a8:$a7: get_logins
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bb32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5bd82:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1ad64:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af94:$a3: \Google\Chrome\User Data\Default\Login Data 0x5afb4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b197:$a4: \Orbitum\User Data\Default\Login Data 0x3b3c7:$a4: \Orbitum\User Data\Default\Login Data 0x5b3e7:$a4: \Orbitum\User Data\Default\Login Data 0x1c1d6:$a5: \Kometa\User Data\Default\Login Data 0x3c406:$a5: \Kometa\User Data\Default\Login Data 0x5c426:$a5: \Kometa\User Data\Default\Login Data
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15bf8:$s1: UnHook 0x35e28:$s1: UnHook 0x55e48:$s1: UnHook 0x15bff:$s2: SetHook 0x35e2f:$s2: SetHook 0x55e4f:$s2: SetHook 0x15c07:$s3: CallNextHook 0x35e37:$s3: CallNextHook 0x55e57:$s3: CallNextHook 0x15c14:$s4: _hook 0x35e44:$s4: _hook 0x55e64:$s4: _hook
0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1645d:$s8: GrabbedClp 0x3668d:$s8: GrabbedClp 0x566ad:$s8: GrabbedClp 0x16710:$s9: StartKeylogger 0x36940:$s9: StartKeylogger 0x56960:$s9: StartKeylogger 0x17b47:$x1: $%SMTPDV$ 0x37d77:$x1: $%SMTPDV$ 0x57d97:$x1: $%SMTPDV$ 0x17bab:$x2: $#TheHashHere%& 0x37ddb:$x2: $#TheHashHere%& 0x57dfb:$x2: $#TheHashHere%& 0x1922e:$x3: %FTPDV$ 0x3945e:$x3: %FTPDV$ 0x5947e:$x3: %FTPDV$ 0x19322:$x4: $%TelegramDv$ 0x39552:$x4: $%TelegramDv$ 0x59572:$x4: $%TelegramDv$ 0x16788:$x5: KeyLoggerEventArgs 0x16db1:$x5: KeyLoggerEventArgs 0x369b8:$x5: KeyLoggerEventArgs
0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc7e28:$x1: In$J$ct0r 0xc9afc:$a1: WriteProcessMemory 0xc9b88:$a1: WriteProcessMemory 0xc9c5c:$a4: VirtualAllocEx 0xc9e80:$a4: VirtualAllocEx 0xc9f00:$a4: VirtualAllocEx 0xca30:$s3: net.pipe 0xc80d8:$s3: net.pipe 0xc80f8:$s4: vsmacros
0.2.gZIZ5eyCtS.exe.35813d4.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xca650:$x1: In$J$ct0r 0xcc324:$a1: WriteProcessMemory 0xcc3b0:$a1: WriteProcessMemory 0xcc484:$a4: VirtualAllocEx 0xcc6a8:$a4: VirtualAllocEx 0xcc728:$a4: VirtualAllocEx 0xf258:$s3: net.pipe 0xca900:$s3: net.pipe 0xca920:$s4: vsmacros
Click to see the 36 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: gZIZ5eyCtS.exe

ReversingLabs: Detection: 63%

Machine Learning detection for sample

Source: gZIZ5eyCtS.exe

Joe Sandbox ML: detected

Source: gZIZ5eyCtS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49711 version: TLS 1.0

Source: gZIZ5eyCtS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: gZIZ5eyCtS.exe, 00000000.00000002.2097776825.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, gZIZ5eyCtS.exe, 00000000.00000002.2097295389.0000000003571000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 00CEECFDh	2_2_00CEEB10
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 00CEF687h	2_2_00CEEB10
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 00CEFDF9h	2_2_00CEFB39
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_00CEDED8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06696FA9h	2_2_06696D00
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06697D45h	2_2_06697A08
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06695119h	2_2_06694E70
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 066959C9h	2_2_06695720
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06696279h	2_2_06695FD0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_066927AA
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_066927B8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 066966FAh	2_2_06696450
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06690741h	2_2_06690498
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06697859h	2_2_066975B0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06694841h	2_2_06694598
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06694CC1h	2_2_06694A18
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06695571h	2_2_066952C8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06692ACE
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06695E21h	2_2_06695B78
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 066902E9h	2_2_06690040
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06690B99h	2_2_066908F0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06696B51h	2_2_066968A8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 4x nop then jmp 06697401h	2_2_06697158

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: aborters.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49726 -> 51.38.247.67:8081

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 51.38.247.67 51.38.247.67
Source: Joe Sandbox View	IP Address: 51.38.247.67 51.38.247.67

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49711 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081/_send_.php?TS
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081t-
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081/_send_.php?TS
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081t-
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: gZIZ5eyCtS.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081/_send_.php?TS
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081t-
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.gZIZ5eyCtS.exe.35813d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2097654328.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 0_2_0175AC18	0_2_0175AC18
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEC1F0	2_2_00CEC1F0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CE6168	2_2_00CE6168
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEB388	2_2_00CEB388
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEC4D0	2_2_00CEC4D0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CE6790	2_2_00CE6790
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEC7B1	2_2_00CEC7B1
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CE98B8	2_2_00CE98B8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CECA91	2_2_00CECA91
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEEB10	2_2_00CEEB10
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEFB39	2_2_00CEFB39
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CE4B31	2_2_00CE4B31
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEBC32	2_2_00CEBC32
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEBF10	2_2_00CEBF10
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CE35C8	2_2_00CE35C8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEB552	2_2_00CEB552
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEDEC7	2_2_00CEDEC7
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_00CEDED8	2_2_00CEDED8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06699E58	2_2_06699E58
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06697F58	2_2_06697F58
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669B788	2_2_0669B788
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669C428	2_2_0669C428
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669A4A0	2_2_0669A4A0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690D48	2_2_06690D48
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06696D00	2_2_06696D00
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669BDD8	2_2_0669BDD8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669CA70	2_2_0669CA70
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06697A08	2_2_06697A08
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669AAE8	2_2_0669AAE8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06699808	2_2_06699808
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669B138	2_2_0669B138
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06694E62	2_2_06694E62
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06694E70	2_2_06694E70
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06699E48	2_2_06699E48
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695720	2_2_06695720
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695710	2_2_06695710
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066997F8	2_2_066997F8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695FC0	2_2_06695FC0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695FD0	2_2_06695FD0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066927AA	2_2_066927AA
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066927B8	2_2_066927B8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669B780	2_2_0669B780
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06696440	2_2_06696440
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06696450	2_2_06696450
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669C418	2_2_0669C418
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06696CF0	2_2_06696CF0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06691CB0	2_2_06691CB0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690488	2_2_06690488
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669A48F	2_2_0669A48F
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690498	2_2_06690498
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690D39	2_2_06690D39
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669BDC8	2_2_0669BDC8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066975A2	2_2_066975A2
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066975B0	2_2_066975B0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669458A	2_2_0669458A
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06694598	2_2_06694598
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669CA60	2_2_0669CA60
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06694A08	2_2_06694A08
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06694A18	2_2_06694A18
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066952C8	2_2_066952C8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669AAD8	2_2_0669AAD8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066952B8	2_2_066952B8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695B68	2_2_06695B68
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06695B78	2_2_06695B78
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06692B30	2_2_06692B30
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06691BD0	2_2_06691BD0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690040	2_2_06690040
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06693830	2_2_06693830
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06690006	2_2_06690006
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066908E1	2_2_066908E1
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066908F0	2_2_066908F0
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066968A8	2_2_066968A8
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06696897	2_2_06696897
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06697149	2_2_06697149
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_06697158	2_2_06697158
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_0669B128	2_2_0669B128
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Code function: 2_2_066979F8	2_2_066979F8

Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097654328.00000000059B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2095227268.00000000017AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097776825.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000000.2090963309.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFlows.exe( vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097295389.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000000.00000002.2097295389.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000002.00000002.4558027995.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs gZIZ5eyCtS.exe
Source: gZIZ5eyCtS.exe	Binary or memory string: OriginalFilenameFlows.exe( vs gZIZ5eyCtS.exe

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Section loaded: dpapi.dll	Jump to behavior

Source: gZIZ5eyCtS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.gZIZ5eyCtS.exe.35813d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2097654328.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.gZIZ5eyCtS.exe.45c35a0.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.gZIZ5eyCtS.exe.46115d0.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.gZIZ5eyCtS.exe.59b0000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@5/3

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gZIZ5eyCtS.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Mutant created: NULL

Source: gZIZ5eyCtS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gZIZ5eyCtS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gZIZ5eyCtS.exe, 00000002.00000002.4560338604.0000000003A2C000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: gZIZ5eyCtS.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\gZIZ5eyCtS.exe "C:\Users\user\Desktop\gZIZ5eyCtS.exe"
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process created: C:\Users\user\Desktop\gZIZ5eyCtS.exe "C:\Users\user\Desktop\gZIZ5eyCtS.exe"
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process created: C:\Users\user\Desktop\gZIZ5eyCtS.exe "C:\Users\user\Desktop\gZIZ5eyCtS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: gZIZ5eyCtS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gZIZ5eyCtS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: gZIZ5eyCtS.exe, --.cs

.Net Code: Shlyber System.AppDomain.Load(byte[])

Source: gZIZ5eyCtS.exe

Static PE information: 0xC9B7AA41 [Mon Mar 29 15:24:49 2077 UTC]

Source: gZIZ5eyCtS.exe

Static PE information: section name: .text entropy: 7.194237788024208

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: 1710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: 3570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: 19A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599114	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598436	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597010	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Window / User API: threadDelayed 1169			Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Window / User API: threadDelayed 8681			Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 6452	Thread sleep count: 1169 > 30	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 6452	Thread sleep count: 8681 > 30	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -599114s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -597010s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe TID: 5892	Thread sleep time: -594593s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 599114	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598436	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 597010	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: gZIZ5eyCtS.exe, 00000002.00000002.4558575688.0000000000F11000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.gZIZ5eyCtS.exe.3583bfc.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Memory written: C:\Users\user\Desktop\gZIZ5eyCtS.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Process created: C:\Users\user\Desktop\gZIZ5eyCtS.exe "C:\Users\user\Desktop\gZIZ5eyCtS.exe"

Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Users\user\Desktop\gZIZ5eyCtS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Users\user\Desktop\gZIZ5eyCtS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\gZIZ5eyCtS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gZIZ5eyCtS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46c3c60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gZIZ5eyCtS.exe.46a3a30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gZIZ5eyCtS.exe PID: 764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	13 System Information Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Query Registry	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gZIZ5eyCtS.exe	63%	ReversingLabs	Win32.Trojan.GenSteal
gZIZ5eyCtS.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://aborters.duckdns.org:8081	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://aborters.duckdns.org	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081/_send_.php?TS	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://aborters.duckdns.org:8081/_send_.php?TS	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://varders.kozow.com	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://varders.kozow.com:8081/_send_.php?TS	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://varders.kozow.com:8081t-	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081t-	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081t-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	unknown
varders.kozow.com	51.38.247.67	true	false	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
aborters.duckdns.org	51.38.247.67	true	true	unknown
anotherarmy.dns.army	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/http	gZIZ5eyCtS.exe	false		high
http://anotherarmy.dns.army:8081t-	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://varders.kozow.com:8081t-	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://aborters.duckdns.org	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081/_send_.php?TS	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081/_send_.php?TS	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081t-	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://checkip.dyndns.com	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/102.129.152.231$	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081/_send_.php?TS	gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	gZIZ5eyCtS.exe, 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4559102503.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, gZIZ5eyCtS.exe, 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
51.38.247.67	varders.kozow.com	France	16276	OVHFR	true
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1422377
Start date and time:	2024-04-08 16:07:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gZIZ5eyCtS.exe renamed because original name is a hash value
Original Sample Name:	82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@5/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 106 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target gZIZ5eyCtS.exe, PID 764 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: gZIZ5eyCtS.exe

Simulations

Behavior and APIs

Time	Type	Description
16:07:58	API Interceptor	11044432x Sleep call for process: gZIZ5eyCtS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	proforma_Invoice_0009300_74885959969_9876.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
51.38.247.67	NbN47VasP7.exe	Get hash	malicious	Snake Keylogger	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	KSA-PDA_17122023.exe	Get hash	malicious	Snake Keylogger	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	08A256D6-6GC4-6C43-9A49-3DC23673T744.pdf.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	cargo_details.exe	Get hash	malicious	Snake Keylogger	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	SecuriteInfo.com.Trojan.Inject4.59820.16180.17265.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	SecuriteInfo.com.Win32.PWSX-gen.29210.19083.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	payment_.pdf.z.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	Maersk_MRKU8781602.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	51.38.247.67:8081/_send_.php?L
	SecuriteInfo.com.Win32.PWSX-gen.21665.13004.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	anotherarmy.dns.army:8081/_send_.php?TS
	Maersk_MRKU8781602.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67:8081/_send_.php?L

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
varders.kozow.com	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	51.38.247.67
	lO6Cysph34.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Bq4jHI36wz.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	z16O865459999HY.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	fatura.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	MT Ramona Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	SecuriteInfo.com.Win32.TrojanX-gen.9014.19757.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	SecuriteInfo.com.Win32.TrojanX-gen.12091.2695.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
checkip.dyndns.com	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
aborters.duckdns.org	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	51.38.247.67
	lO6Cysph34.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Bq4jHI36wz.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	z16O865459999HY.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	fatura.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	MT Ramona Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	SecuriteInfo.com.Win32.TrojanX-gen.9014.19757.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	SecuriteInfo.com.Win32.TrojanX-gen.12091.2695.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
reallyfreegeoip.org	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	acZPG2kRsL.elf	Get hash	malicious	Mirai	Browse	132.145.48.205
	kIUmnxfdLQ.elf	Get hash	malicious	Mirai	Browse	193.123.7.164
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	https://letg.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grnf1myuo7lg/b/bucket-20240402-0423/o/indexsmoke.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	134.70.84.3
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
OVHFR	qv6iQAjcHe.exe	Get hash	malicious	AgentTesla	Browse	51.79.231.44
	4N8BNeFRkZ.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	kIUmnxfdLQ.elf	Get hash	malicious	Mirai	Browse	51.81.150.87
	n3R8WBIjhz.exe	Get hash	malicious	FormBook	Browse	213.186.33.5
	CA8nLhW9fA.exe	Get hash	malicious	FormBook	Browse	213.186.33.5
	http://www.sushi-idea.com	Get hash	malicious	Unknown	Browse	51.83.143.92
	1ltD6ZweFp.exe	Get hash	malicious	Njrat	Browse	5.39.43.60
	1ptg18pvgv.exe	Get hash	malicious	CryptOne, Neshta	Browse	51.81.194.202
	http://verified.asia/	Get hash	malicious	Unknown	Browse	54.38.209.89
	ZJgGk9RNIE.elf	Get hash	malicious	Mirai, Moobot	Browse	54.39.106.41
CLOUDFLARENETUS	https://www.tb-parts.ru/	Get hash	malicious	Unknown	Browse	104.21.64.161
	https://pub-012b29564c1d4e4aa83369f56b44927c.r2.dev/onedrives.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	sWG1yOQ2eU.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	https://clt1673167.benchurl.com/c/l?u=10ED75D9&e=17DC577&c=1987CF&t=1&l=F3D10E22&email=O%2F%2F%2BXUHXhKADQfLHuzfZBZmzr2pp0X63TI8GHOplciAElwBPzESuqA%3D%3D&seq=1#YWRzYWxlc0BiZWluc3BvcnRzLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	QMrtQYunxY.exe	Get hash	malicious	FormBook	Browse	172.67.195.73
	msaeteGWA0.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hj3YCvtlg7.exe	Get hash	malicious	FormBook	Browse	104.21.56.10
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	2iRj6Q8fkh.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	SmokeLoader, Xehook Stealer	Browse	172.67.177.134
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	https://my.visme.co/view/w46vn911-northshore-tractor-ltd	Get hash	malicious	Unknown	Browse	172.67.177.134

Process:	C:\Users\user\Desktop\gZIZ5eyCtS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCq1KDLI4Mq92n4M6:ML9E4KlKDE4KhKiKhIE4Kx1qE4x84j
MD5:	A29F1F0983CFE0767B56BD3F32906196
SHA1:	A38543CAD5E151383FA945FF880856DC502A1224
SHA-256:	B892C3A6D2059FF69822E3A0003923BE0C0B2259C0E4904E30BB10C3D6E575F6
SHA-512:	FF52BC638E135EB070B6291808FE57FE8F2A37BB9F32DF2D6A885B30CC37268237A110E419975F19FB08878544787FA9D6A0AA07DC6911E08FBF52155F64DE42
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.186031706217504
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	gZIZ5eyCtS.exe
File size:	819'712 bytes
MD5:	9b7a1803cad3e79cb6449558d5ce938f
SHA1:	736f009ef8e35886fe5b0445e41dd4e6446352a7
SHA256:	82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468
SHA512:	ddd19913a03d77b8abf58e5b351c5e24d887f8f769977a2cd69180353eb24d9c79b95ed4a4270a9f74f37a4badf4fcdddcc33b8d95bca267e2d0fae42d07a524
SSDEEP:	12288:wIXp2Ser4ask2HB+zF9TjnMbvafmszcTL13Ziw0GNERbbIp7h:4PskpPnU3ZiBGNERbbI9h
TLSH:	9005AE6033F84319E5FF07337839545087BEBE66760AD62E2D9461AD0DA2B428F527B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.................0..x............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c972e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC9B7AA41 [Mon Mar 29 15:24:49 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc96dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x57e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc7734	0xc7800	a4628f30f2e9e19f700004d337f3d863	False	0.5910724075814536	data	7.194237788024208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x57e	0x600	4eb6ea372b4b8480e01d834c24011789	False	0.4153645833333333	data	4.010970781876839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	80b042be20a7269f2b451d608fad6572	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca0a0	0x2f4	data			0.43783068783068785
RT_MANIFEST	0xca394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 16:07:56.644407988 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:56.886462927 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:56.886945963 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:56.887234926 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:57.129061937 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:57.130732059 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:57.138295889 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:57.411587954 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:57.452164888 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:57.621017933 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.621052027 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:57.621141911 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.628947020 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.628969908 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:57.892625093 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:57.892774105 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.897130013 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.897140026 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:57.897620916 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:57.952214956 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:57.971992016 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.012240887 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:58.513772011 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:58.513885021 CEST	443	49711	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:58.513976097 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.519901037 CEST	49711	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.523303032 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:58.765980959 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:58.769099951 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.769129038 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:58.769220114 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.769546986 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:58.769561052 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:58.811542034 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.027206898 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.029783964 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.029808044 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.327853918 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.327959061 CEST	443	49712	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.328010082 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.343487024 CEST	49712	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.347520113 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.348571062 CEST	49713	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.589363098 CEST	80	49710	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:59.589468002 CEST	49710	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.589869022 CEST	80	49713	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:59.589955091 CEST	49713	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.590156078 CEST	49713	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:07:59.831453085 CEST	80	49713	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:59.832609892 CEST	80	49713	193.122.6.168	192.168.2.6
Apr 8, 2024 16:07:59.833909988 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.833939075 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.834033966 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.834274054 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:07:59.834287882 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:07:59.874135971 CEST	49713	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:00.091480970 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:00.093432903 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:00.093451023 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:00.397155046 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:00.397313118 CEST	443	49714	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:00.397373915 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:00.397907972 CEST	49714	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:00.402425051 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:00.639702082 CEST	80	49715	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:00.639794111 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:00.639930964 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:00.877109051 CEST	80	49715	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:01.502917051 CEST	80	49715	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:01.504419088 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:01.504455090 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:01.504549980 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:01.504812956 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:01.504827023 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:01.545936108 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:01.764131069 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:01.771385908 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:01.771404028 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:02.070281982 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:02.070414066 CEST	443	49716	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:02.070517063 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:02.071095943 CEST	49716	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:02.074565887 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:02.075679064 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:02.312818050 CEST	80	49717	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:02.312917948 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:02.313057899 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:02.318649054 CEST	80	49715	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:02.318722963 CEST	49715	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:02.550211906 CEST	80	49717	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:02.753751993 CEST	80	49717	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:02.762828112 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:02.762877941 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:02.762940884 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:02.763171911 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:02.763184071 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:02.795964003 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.019365072 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.021224022 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.021254063 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.316792011 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.316895962 CEST	443	49719	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.316941023 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.317403078 CEST	49719	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.320727110 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.321367979 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.557871103 CEST	80	49717	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:03.557959080 CEST	49717	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.562244892 CEST	80	49720	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:03.562314034 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.562478065 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:03.803461075 CEST	80	49720	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:03.821022987 CEST	80	49720	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:03.822534084 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.822563887 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.822776079 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.823081017 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:03.823092937 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:03.874089003 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.079900026 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.081703901 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.081729889 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.382451057 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.382565975 CEST	443	49721	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.382638931 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.383296013 CEST	49721	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.387114048 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.388237953 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.624855995 CEST	80	49722	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:04.624999046 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.625252962 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.627947092 CEST	80	49720	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:04.628125906 CEST	49720	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:04.861742973 CEST	80	49722	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:04.862956047 CEST	80	49722	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:04.867122889 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.867160082 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.867222071 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.867505074 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:04.867516994 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:04.920923948 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.126039028 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.131544113 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.131572008 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.432225943 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.432337046 CEST	443	49723	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.432404995 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.433058977 CEST	49723	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.436551094 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.437860966 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.673741102 CEST	80	49722	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:05.673973083 CEST	49722	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.675637960 CEST	80	49724	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:05.675720930 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.675950050 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:05.913074970 CEST	80	49724	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:05.917434931 CEST	80	49724	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:05.919037104 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.919090986 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.919193029 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.919440031 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:05.919455051 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:05.967823982 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:06.178411007 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:06.184798002 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:06.184830904 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:06.483278036 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:06.483371019 CEST	443	49725	172.67.177.134	192.168.2.6
Apr 8, 2024 16:08:06.483516932 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:06.484209061 CEST	49725	443	192.168.2.6	172.67.177.134
Apr 8, 2024 16:08:06.522234917 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:06.712009907 CEST	49726	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:06.759377003 CEST	80	49724	193.122.6.168	192.168.2.6
Apr 8, 2024 16:08:06.759548903 CEST	49724	80	192.168.2.6	193.122.6.168
Apr 8, 2024 16:08:07.717837095 CEST	49726	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:09.733475924 CEST	49726	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:13.749125004 CEST	49726	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:21.764683962 CEST	49726	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:27.998253107 CEST	49733	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:28.999066114 CEST	49733	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:31.014698982 CEST	49733	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:35.030333042 CEST	49733	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:08:43.030373096 CEST	49733	8081	192.168.2.6	51.38.247.67
Apr 8, 2024 16:09:04.831989050 CEST	80	49713	193.122.6.168	192.168.2.6
Apr 8, 2024 16:09:04.832106113 CEST	49713	80	192.168.2.6	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 16:07:56.513348103 CEST	52171	53	192.168.2.6	1.1.1.1
Apr 8, 2024 16:07:56.638402939 CEST	53	52171	1.1.1.1	192.168.2.6
Apr 8, 2024 16:07:57.494131088 CEST	57758	53	192.168.2.6	1.1.1.1
Apr 8, 2024 16:07:57.620210886 CEST	53	57758	1.1.1.1	192.168.2.6
Apr 8, 2024 16:08:06.522144079 CEST	62593	53	192.168.2.6	1.1.1.1
Apr 8, 2024 16:08:06.710994959 CEST	53	62593	1.1.1.1	192.168.2.6
Apr 8, 2024 16:08:27.811566114 CEST	56934	53	192.168.2.6	1.1.1.1
Apr 8, 2024 16:08:27.987905025 CEST	53	56934	1.1.1.1	192.168.2.6
Apr 8, 2024 16:08:49.031647921 CEST	52510	53	192.168.2.6	1.1.1.1
Apr 8, 2024 16:08:49.283858061 CEST	53	52510	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 8, 2024 16:07:56.513348103 CEST	192.168.2.6	1.1.1.1	0xcf0c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:57.494131088 CEST	192.168.2.6	1.1.1.1	0xfbe4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:06.522144079 CEST	192.168.2.6	1.1.1.1	0x229b	Standard query (0)	varders.kozow.com	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:27.811566114 CEST	192.168.2.6	1.1.1.1	0xbb26	Standard query (0)	aborters.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:49.031647921 CEST	192.168.2.6	1.1.1.1	0xb97c	Standard query (0)	anotherarmy.dns.army	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:56.638402939 CEST	1.1.1.1	192.168.2.6	0xcf0c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:57.620210886 CEST	1.1.1.1	192.168.2.6	0xfbe4	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:07:57.620210886 CEST	1.1.1.1	192.168.2.6	0xfbe4	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:06.710994959 CEST	1.1.1.1	192.168.2.6	0x229b	No error (0)	varders.kozow.com		51.38.247.67	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:27.987905025 CEST	1.1.1.1	192.168.2.6	0xbb26	No error (0)	aborters.duckdns.org		51.38.247.67	A (IP address)	IN (0x0001)	false
Apr 8, 2024 16:08:49.283858061 CEST	1.1.1.1	192.168.2.6	0xb97c	Name error (3)	anotherarmy.dns.army	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:07:56.887234926 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:07:57.130732059 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:57 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0c0be3e52d0626d3a18a66a686e346b8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 16:07:57.138295889 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 16:07:57.411587954 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:57 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9670d1dc8215b8b960dc3aef1a14f2af Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 16:07:58.523303032 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 16:07:58.765980959 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:58 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f3a35a9538334c69493494337005863d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:07:59.590156078 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 16:07:59.832609892 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:59 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f1c2e8f2858308249c1ab9aad2708894 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:08:00.639930964 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:08:01.502917051 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:01 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e4ff741da7a2ee52f689a0084f270dfe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49717	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:08:02.313057899 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:08:02.753751993 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:02 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 41cd7cde98e5965219cb440a342d7a37 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49720	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:08:03.562478065 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:08:03.821022987 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:03 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2fffa8b4dd09de5ae96621e1dfc97fc0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49722	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:08:04.625252962 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:08:04.862956047 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:04 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5b15ffb9e4629e82b714cd326c27273b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49724	193.122.6.168	80	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 16:08:05.675950050 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 16:08:05.917434931 CEST	324	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:05 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 549cb458b6e4ce41e4341973e5c4bf6f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:07:57 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:07:58 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PiVNCe1drPZwxjKshmo5JQnRftcK1U9qxk4zUCsEi9nAoGvTDfC9ElePjN3ZHIG7BN0GlkCGisWSns0%2BMx71DS%2BQGT%2FJ6zoi6XpvAtcboBPX3vzmVx0EQoGq0Wx3h7bl%2F9jsNim%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3a429f13dcd-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:07:58 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:07:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:07:59 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 14:07:59 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:07:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nLL3k1N6CxY7zqL1kkUsXwCVeysbN3g2vOgukOU0qyDVpoLX4JHmoB2RkPZdNK2mf75Z9AuhW8unzPkj8w%2BECwaSTqWZEH%2F7pHLUE%2FmWJiQ4qmQVm8VegcZRXOA77k9%2Fi9s4Q38v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3ab5c0bda13-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:07:59 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:07:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49714	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:00 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:00 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g3NAI3ACoNAuAnkVOsB%2BcOuaGU3kE1RZTZZSuDMLWJsD%2F%2F%2B5c8qDBiFbTbtFviqOfDXbi8SaJAj2Dw88Nr2FVWpL1ZMfEwvKzMLbYV9Rpin8Q1cN7%2FBoAyHCsMetrbNCuQQJSApl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3b1fcdb67bc-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:00 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49716	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:01 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:02 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EiWSTvfNws5Nn%2BJ6Iy%2F8lJTle4ic3MaJlV2CJO%2Fxb0BtLbfBxIZJ%2B%2F3qT%2Bph4h8Kd2FTkA6%2BTwsdtYVaYunPU5wDWCaSJOsmY6fapCPIS%2BnL31XoPKxomjS7Fm9JWRPZfGopdUsv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3bc6f85d9fd-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:02 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49719	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:03 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:03 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cQ8%2Fz52ZXNqldLYVWT82BLs1v9lyAf2xQ9V1KuklFEhFJAL2zRPMV5A5fvHfHjKEx6n8faUEEClFWMVQsqlcUiwYcErf0dAB1%2B0VK%2FcYRYi8L5h16bJFt8oZgMBmv14kwbuIEFwj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3c449a331f2-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:03 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49721	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:04 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:04 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ker9pSneeiVd4Uu3GvFVJTDA2qdcsBFDn4rt6bWhzayfOmpJyNMaG1MXT9ddgbMQc8u4A4Nh6%2F9Njh%2B8AhiwtsqfdC0L9Vs%2BkS7hZs5WUDLL4SRIPwkx0NkWE1ow8q2VNjpNMcQ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3caee45dacd-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:04 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49723	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:05 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:05 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EbZPUkjpQmAxQrZD0NyYtpyjmfx0Z1A7mlDKG8GGkgpyheBjzMMfLMN8zGyGDCNAMHkKPjDk2zPnS%2Fq%2FhrhXm2a4yAUGYCVDEKN6q%2BdhDqE6IbeABA5EwsA3pCa1ud6MQGCo%2Bcca"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3d17ba25c7c-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:05 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49725	172.67.177.134	443	764	C:\Users\user\Desktop\gZIZ5eyCtS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 14:08:06 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 14:08:06 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 14:08:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Mon, 08 Apr 2024 14:07:58 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pGlfDo28bkHzjPQbWdaA78mEv4rOMApb7GF0LkDmxO2vx46wm%2Bhssvqluk1hzE%2FWjYY54hkyTEwf3bRsfE5gEF7ERQO%2FLLKaL%2BuCy%2FSapmRXnPr6yXM9iitFNrCyHqxR0iEoWcn%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712d3d80f6c749c-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 14:08:06 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 14:08:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:07:55
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\gZIZ5eyCtS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gZIZ5eyCtS.exe"
Imagebase:	0xff0000
File size:	819'712 bytes
MD5 hash:	9B7A1803CAD3E79CB6449558D5CE938F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2097654328.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2097410768.0000000004663000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:07:55
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\gZIZ5eyCtS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gZIZ5eyCtS.exe"
Imagebase:	0x600000
File size:	819'712 bytes
MD5 hash:	9B7A1803CAD3E79CB6449558D5CE938F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4559102503.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4557870685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4559102503.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	76%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Executed Functions

Function 0175AC18 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0175B3C8

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: fba6b43274875cd272c0ab9fb9ae3a7fc6ec5855e7139716b0f551314b2483f9
Instruction ID: 9718a862b3195b87a6dfbecd5c890a530dcdaaa04da34dfb424a79d2b7006cc0
Opcode Fuzzy Hash: fba6b43274875cd272c0ab9fb9ae3a7fc6ec5855e7139716b0f551314b2483f9
Instruction Fuzzy Hash: CB52CE70E012298FEB64DF65C984BEDBBB2BF89300F1081EAD509A7295DB745E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01759F6C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0175B919

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6db6b6faca7036890b350f31fe1cd5012499963ebe4b7c5c68f9df36a89f759e
Instruction ID: 81c802e30c294fe98adca0331713bee7e334b6920c301bfeb242bb62b032eb14
Opcode Fuzzy Hash: 6db6b6faca7036890b350f31fe1cd5012499963ebe4b7c5c68f9df36a89f759e
Instruction Fuzzy Hash: 2D81B274C0022DDFDB61CFA9C980BEDBBF5AB49300F1491AAE509B7250D7709A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0175A7F0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0175A8C3

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 55ed4a714f65892e40643b20c206f53824f9fa805a37a97dd9d8d41fde06f106
Instruction ID: 84255f79c85a5df674c8c2a5c0299cfac3c3f8153f360e85588651669b8dbd58
Opcode Fuzzy Hash: 55ed4a714f65892e40643b20c206f53824f9fa805a37a97dd9d8d41fde06f106
Instruction Fuzzy Hash: 654199B5D012589FDF00CFA9D984AEEFBF1BB49310F24902AE818B7210D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01759F90 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0175BC25

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f42f2fdaa66efb5c6125e563bada0f0c4ce548e156ea792ca40f1cd5533d9155
Instruction ID: 811eb773a3ea8b7d53f69dd29801b31e48b8ff3bd9abd5013b06208cfd4ae45c
Opcode Fuzzy Hash: f42f2fdaa66efb5c6125e563bada0f0c4ce548e156ea792ca40f1cd5533d9155
Instruction Fuzzy Hash: 724179B9D04258DFCF10CFAAD984AEEFBB1BB19310F10906AE914B7210D375A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0175A948 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0175A9F2

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b5e928a7addf18f11d93a03b2efd03588ee0e9001a568f54b0ee1de02f9e2a3
Instruction ID: 31c1e9bed599adcbb2316b6d1e9d70a9c26ca874cc15f4f046c51b943c6878ec
Opcode Fuzzy Hash: 2b5e928a7addf18f11d93a03b2efd03588ee0e9001a568f54b0ee1de02f9e2a3
Instruction Fuzzy Hash: E031A6B9D042599FDF10CFA9D980AEEFBB1BB49310F10942AE815B7210D735A941CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0175A6C8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0175A777

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cce3dd335b52881caca3e3eb8053583145fd4571f1e86618b730218dd6310cbc
Instruction ID: 38c9a015f024e633dfb742730466fa5e755508dda829ecdfb8fc32ec29d82cc2
Opcode Fuzzy Hash: cce3dd335b52881caca3e3eb8053583145fd4571f1e86618b730218dd6310cbc
Instruction Fuzzy Hash: 6E31BBB5D012589FDB10CFAAD984AEEFBF1BF48310F24842AE419B7240D779A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01759F78 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 0175BB12

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 64380dc4a9689bfdc153994525184e7a3fdd48bf2f1d71ae1e836b54f3f1cd63
Instruction ID: 4520f1927578b097cf0eb7074e66bd78d8128f20435e579538ff96348e9bf92d
Opcode Fuzzy Hash: 64380dc4a9689bfdc153994525184e7a3fdd48bf2f1d71ae1e836b54f3f1cd63
Instruction Fuzzy Hash: 6E31ABB5D012589FDB10CFA9D584AEEFBF1BB48314F24806AE814B7210D379AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0175AA68 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0175AAE6

Memory Dump Source

Source File: 00000000.00000002.2095106636.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_gZIZ5eyCtS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7d063b59404ad576b040a3c85744ae6269ae5020839d3cf20d8aa14246db8904
Instruction ID: 6a613ec2707b37641cd8b46d8c867080ef7461ac6af88dcd9e462f46cde0d2f2
Opcode Fuzzy Hash: 7d063b59404ad576b040a3c85744ae6269ae5020839d3cf20d8aa14246db8904
Instruction Fuzzy Hash: B031CAB4D012599FDB14CFAAD980A9EFBB4BF48310F14942AE815B7300C775A901CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0166D5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2094880793.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ce778dd74cb62713b03ddb171f6aea477a4e52e1b7d059d56bdd5e165ee7d2
Instruction ID: 57edb0436e418c70a8aa1fcf3e2d1249634a2e9f3baf578dfff3f1ba1c2003da
Opcode Fuzzy Hash: 69ce778dd74cb62713b03ddb171f6aea477a4e52e1b7d059d56bdd5e165ee7d2
Instruction Fuzzy Hash: 35212571604244EFDB05DF54DDC0F16BF69FB88314F20856DE9498B256C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0166D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094880793.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: cea7b2d512cc7bd4b233b64d4a41e7ff29582df384b66a707ee580c66cc24346
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 9C11BE76504284DFCB16CF54D9C4B16BF72FB88324F2486A9D8494B257C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gZIZ5eyCtS.exePID: 764, Parent PID: 2580COMMON

Executed Functions

Function 00CE98B8 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1df3aa7a32e5d1e6561df224de40758fb8f082272f66d0ebc67162d04ea674f
Instruction ID: 5c31ca483800cd68bc1b31088f96b45d3d87cf691ace26c0e71af8745090dbbb
Opcode Fuzzy Hash: d1df3aa7a32e5d1e6561df224de40758fb8f082272f66d0ebc67162d04ea674f
Instruction Fuzzy Hash: CB729F70A00249DFCB15CFAAC884AAEBBF2FF89300F158559E919AB361D731ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06690D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca8d3a70b2099cf6bd11f7ee697e7462c045417d4f33a347a570e102a6fc9b4
Instruction ID: 459c4e5efc7af837a65d266234c0e25abc1b3df92b991e3490bd082f448b8d68
Opcode Fuzzy Hash: dca8d3a70b2099cf6bd11f7ee697e7462c045417d4f33a347a570e102a6fc9b4
Instruction Fuzzy Hash: 7F827C74E012698FDB64DF69C898BDDBBB2BF89300F1081E9980DA7265DB305E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEEB10 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b4b1daf63ff5650594c0ffa443c7f6bf6de77dc94d0750ab0d682a6894127c
Instruction ID: 6209158f26337067613d353bfae489607fbe43ea3dcedad5a4ca0d91b7770792
Opcode Fuzzy Hash: 39b4b1daf63ff5650594c0ffa443c7f6bf6de77dc94d0750ab0d682a6894127c
Instruction Fuzzy Hash: F672AE74E052698FDB64DF6AC884BEDBBB2BB49300F1481E9D44DA7255DB309E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6168 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0696b03a8ca14b955b2123511a4a414e76da8fbd74a69e0a0787ec6562227e
Instruction ID: 26eb51202c58cb9d84030a3ec722725392fbdabf8d1d1a6de68b2d3981eb2be8
Opcode Fuzzy Hash: 4b0696b03a8ca14b955b2123511a4a414e76da8fbd74a69e0a0787ec6562227e
Instruction Fuzzy Hash: A7128C70B002598FDB14DF6AC854AAEBBF6BF88340F248529E459DB395DB30DD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6790 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a0c3d9025632a728049e9d481bf53cdcf588a42c7ccfdc4ee78469bde0d075
Instruction ID: 3720622c58655b3248007c6413e9ba2ed9292ed054ec53656b66ad28e33cadad
Opcode Fuzzy Hash: 39a0c3d9025632a728049e9d481bf53cdcf588a42c7ccfdc4ee78469bde0d075
Instruction Fuzzy Hash: 62128030A10259DFDB14CFAAC984AADBBF2FF98384F248069E455EB2A1D730DD45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE35C8 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8d4ab51f4a41569580f1caa4564194fbb3d398c2203f683fbeb5ef524c0cc9
Instruction ID: c73f5b01931f503e39e20dca9ab178011736d122043e465c7b67ab1ff6184269
Opcode Fuzzy Hash: db8d4ab51f4a41569580f1caa4564194fbb3d398c2203f683fbeb5ef524c0cc9
Instruction Fuzzy Hash: 87F17575F042888FDB18DFB6D8546ADBBB3BF88700B64856EE406A7354DF349902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB388 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97895a4c211fae11037e5fe2865331bd9aa465df56dbae826004126a408ffefa
Instruction ID: 3fb715aad484a31e61ca1861d83f56781dfd5376b50666d433ed9f9ced294e31
Opcode Fuzzy Hash: 97895a4c211fae11037e5fe2865331bd9aa465df56dbae826004126a408ffefa
Instruction Fuzzy Hash: 8CE1DB75E00659CFDB14DFAAD984AAEBBF1BF48310F158069E419AB362D730AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06697A08 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa1316587c2cc187555f643500f5904ec9a0b099a101907c60e3e16fb3d1e2b
Instruction ID: 087ada6f0973f4e0041e77d2c463fb3cf49a4cceb00627c7582789f51c4382e7
Opcode Fuzzy Hash: baa1316587c2cc187555f643500f5904ec9a0b099a101907c60e3e16fb3d1e2b
Instruction Fuzzy Hash: E9E1A274E01218CFEB54DFA5C984B9DBBB2BF89304F2081A9D809AB395DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEFB39 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b704fd9bae65dbb28b5c7457f019141ba6a96ce684108e69bd90996fc9b6ba20
Instruction ID: 845cc0382d2ddaa48a7f6f514afcade8406ec10616a34d82ad0d750472898c63
Opcode Fuzzy Hash: b704fd9bae65dbb28b5c7457f019141ba6a96ce684108e69bd90996fc9b6ba20
Instruction Fuzzy Hash: B3D1A174E01258CFDB14DFA5D984BADBBB2FF89300F2081A9D809AB355DB355A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06696D00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adadacbf09d98699f78bab0e3f88844c84393311c33b9d047c99ed08669f81b2
Instruction ID: d993bd391e2ddb3395c3a77ece9990986fa2891dc1579b2c6531f4230dd0d0b6
Opcode Fuzzy Hash: adadacbf09d98699f78bab0e3f88844c84393311c33b9d047c99ed08669f81b2
Instruction Fuzzy Hash: 3AC1A174E00218CFDB54DFA5C984BADBBB2BF89304F1081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06697F58 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5b8d2a91ad59d1d4f66200b84f1aa5a46d98efcc1dc477ae43e64de68abf01
Instruction ID: 57c9c9e03905d6c8aaba8b4a088ec830e392be2c8e99fc6d3ffa2fdc42d5567d
Opcode Fuzzy Hash: ad5b8d2a91ad59d1d4f66200b84f1aa5a46d98efcc1dc477ae43e64de68abf01
Instruction Fuzzy Hash: 8DB13970D052588FDF64DFA9C8447EDBBB6BF8A300F20846AD849AB255D7315946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0669B788 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c4aad8228c62e15e2ce8ff7399a56ec6d11fee592b3e5b199d094979344038
Instruction ID: db7bc28da1012b11d0281892f091656b31d1af2d9ec716cc35b532a490ce5993
Opcode Fuzzy Hash: 26c4aad8228c62e15e2ce8ff7399a56ec6d11fee592b3e5b199d094979344038
Instruction Fuzzy Hash: 94A18675E016288FEB64CF6AD944B9EBBF2AF89300F14C0AAD40DA7255DB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0669BDD8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6daa875717bf75e09ce457e33fdd870a4b1a544c6853309c335511ae558c8b9
Instruction ID: 42e0cbe998a09aa3f7f25926cdcc8bfab7da81c4e310c18829dd1e1dd806c4d3
Opcode Fuzzy Hash: d6daa875717bf75e09ce457e33fdd870a4b1a544c6853309c335511ae558c8b9
Instruction Fuzzy Hash: 10A1A475E01218CFEB68CF6AD944B9DBBF2AF89300F14C0AAD40DA7255DB705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0669CA70 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054774db2fd9439da8a5605d71aa0330df042170df635935c37305822e8fb7e3
Instruction ID: 05619892c181ec529c4f7ec7b67bc7ef6f90e7b64663e4476d6a3c2bb43baf5a
Opcode Fuzzy Hash: 054774db2fd9439da8a5605d71aa0330df042170df635935c37305822e8fb7e3
Instruction Fuzzy Hash: 23A18475E01618CFEB68CF6AD944B9DBBF2AF89300F14C0AAD40DA7255DB705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0669AAE8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f8773867b6b0f89a8e05502bc8d94897cbfa0d90a28bd2a2220516108827f2
Instruction ID: 36c9401931f6bfd8382c8d9fe68c52339844db594f16c636374c59ef690bc0ae
Opcode Fuzzy Hash: 33f8773867b6b0f89a8e05502bc8d94897cbfa0d90a28bd2a2220516108827f2
Instruction Fuzzy Hash: ABA18575E01218CFEB64CF6AD944B9DBBF2AF89300F14C0AAD80DA7255DB705A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06699808 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af549322e499e13d86f5775115c8327706c9e9c9249e1bb8d063d8203d1b39e9
Instruction ID: 8679a702ac00b7e78fa678d7082027af4efe3e131d9723b5feaae83ce0327108
Opcode Fuzzy Hash: af549322e499e13d86f5775115c8327706c9e9c9249e1bb8d063d8203d1b39e9
Instruction Fuzzy Hash: 71A1A275E012188FEB68CF6AD944B9DBBF2BF89300F14C1AAD40CA7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669B138 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44d80a59ebece6e31f5ebcf945621acca11bd0e726d524e9a417b0e09337b45
Instruction ID: 9e0385c8f1931240fd0a0e78783c273258b0b03f4212579aa5466071164fadd6
Opcode Fuzzy Hash: f44d80a59ebece6e31f5ebcf945621acca11bd0e726d524e9a417b0e09337b45
Instruction Fuzzy Hash: 7EA19475E01218CFEB64CF6AD944B9EBBF2AF89300F14C0AAD40DA7255DB705A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06699E58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52157859074adc77c6b1aeeff1466307a9ccb7ea38d1173cb9d1f735e9cf5cec
Instruction ID: 383fe3648eb233b6ba660c346f55be07c9b07fba436463740c3440a21ccf1ed7
Opcode Fuzzy Hash: 52157859074adc77c6b1aeeff1466307a9ccb7ea38d1173cb9d1f735e9cf5cec
Instruction Fuzzy Hash: 5AA1A575E012188FEB68CF6AD944B9DFBF2AF89300F14C1AAD40CA7255DB705A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669C428 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2613399c5e5994d22ea5315c5f7e3e2c15d2f14d5494bbb5266729f5ec75bc58
Instruction ID: ce99c682c00e3d3a464a6be632d094522b965acec7b6aa7daa27069f11ee36a2
Opcode Fuzzy Hash: 2613399c5e5994d22ea5315c5f7e3e2c15d2f14d5494bbb5266729f5ec75bc58
Instruction Fuzzy Hash: 67A19475E012188FEB68CF6AD944B9DFBF2AF89300F14D0AAD40DA7255DB705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0669A4A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001bf70420d7a8e6e5cfaf0812bad8ac6a1ed7023e994888d1b425c101299d3f
Instruction ID: 5c3f138913c427867090dedbb336c00b48460e9e87601840c3dc174e3bd21d33
Opcode Fuzzy Hash: 001bf70420d7a8e6e5cfaf0812bad8ac6a1ed7023e994888d1b425c101299d3f
Instruction Fuzzy Hash: 16A19475E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD40DA7255DB705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CEBF10 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7477f23969d66409b954ca60bb9790c5240a7c36d0b497b2b2398f3bccee2fa
Instruction ID: f181b49ecb5a6b455366fb47ba0dfd11b390edeeb228b81b1501845ca7076d69
Opcode Fuzzy Hash: b7477f23969d66409b954ca60bb9790c5240a7c36d0b497b2b2398f3bccee2fa
Instruction Fuzzy Hash: 2D819574E00658CFDB14DFAAD984AADBBF2BF88300F14D069E419AB365DB345982DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC1F0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846c449a03d183bdd6d06cc75f5e76a5aae4674e606491cb0665a5067c500626
Instruction ID: ac06b3cf24697b7ccb5928d2dc19263a5281dcacdaf2d8f2342da5b32c945ec3
Opcode Fuzzy Hash: 846c449a03d183bdd6d06cc75f5e76a5aae4674e606491cb0665a5067c500626
Instruction Fuzzy Hash: 5081B574E00658CFDB14DFAAD894AADBBF2BF88300F14C069E419AB365DB349942DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEBC32 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f23650ff37c4f92407cf1f920c9651a6c1b71444613a00911fb453cadfadbc1
Instruction ID: f9d2e0bfca9a10a6b36047796bc1f725d54bcba34771bb295c3f91782c6b8db6
Opcode Fuzzy Hash: 8f23650ff37c4f92407cf1f920c9651a6c1b71444613a00911fb453cadfadbc1
Instruction Fuzzy Hash: AC81A674E00658CFDB14DFAAD984AAEBBF2BF88300F148069D519AB365DB349D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC7B1 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9bc3b5f9db06c46a43ac93d93ac10d4184e0a66f8615d12c64aa671c6a36d5
Instruction ID: b9e9e051711d01fe83c7d050fa7c604917ae648814e0efef0a350c47881a0461
Opcode Fuzzy Hash: ae9bc3b5f9db06c46a43ac93d93ac10d4184e0a66f8615d12c64aa671c6a36d5
Instruction Fuzzy Hash: 5981B774E00658CFDB14DFAAD984A9DBBF2BF88300F14C069E419AB365DB349942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC4D0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9437a55574016df570bcbda04efbedd38686d5d81ec3013876e599ea2514c4e8
Instruction ID: b1dbdbfebfb3ac534dbd7646a56625eb34ba7fcbfcad6c94353ed34578f6b0ec
Opcode Fuzzy Hash: 9437a55574016df570bcbda04efbedd38686d5d81ec3013876e599ea2514c4e8
Instruction Fuzzy Hash: 8F81A574E00658DFDB14DFAAD984A9DBBF2BF88300F24D069E419AB365DB345982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CECA91 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17909ce7ada548b38ef664fe91d5ae35ad21557dad15df001f881714509357fc
Instruction ID: 1dd1739a21ecfa0032a116001812acd6149258864257678f3cc546063f1036e4
Opcode Fuzzy Hash: 17909ce7ada548b38ef664fe91d5ae35ad21557dad15df001f881714509357fc
Instruction Fuzzy Hash: 40819674E00658DFDB14DFAAD984A9DBBF2BF88300F24C069E819AB365DB345942DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4B31 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c412ec53c023bd5004f35998597b8f57b7e8cfec3819bdf744ccf5c95c427333
Instruction ID: 1771f2fa01b6494991627915364d8f888fe9869f598f43493dc1ab9589388440
Opcode Fuzzy Hash: c412ec53c023bd5004f35998597b8f57b7e8cfec3819bdf744ccf5c95c427333
Instruction Fuzzy Hash: 57819774E00258DFDB18DFAAD984A9DBBF2BF88300F24C069E419AB365DB349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06690D39 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12f7b5484250401b64bf2750654711108d5a91eeea319e3bcc95ee83ec94627
Instruction ID: c4851e0123fc33f439043371f4484207e8c1b98f38a35947689f93f293429460
Opcode Fuzzy Hash: f12f7b5484250401b64bf2750654711108d5a91eeea319e3bcc95ee83ec94627
Instruction Fuzzy Hash: 5381A274E412698FDBA4DF25D891BEDBBB2BF89300F1081EAD849A7254DB305E81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0669C418 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a8142f979c5f771882a6c623562628a159057c6a307e8ec977a0f173f46e41
Instruction ID: 8f79fe24780159390467547c90e8a141a2e938d795bb525243167488859f2fe6
Opcode Fuzzy Hash: 75a8142f979c5f771882a6c623562628a159057c6a307e8ec977a0f173f46e41
Instruction Fuzzy Hash: 42717571E01628CFEB68CF6AC944B9DFAF2AF89300F14C1AAD50DA7254DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06699E48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ddc992a2cd026f3e14822941c693c5f4b732f89f805f33e87bb84b3340a81d
Instruction ID: a1870fd0cf95ac75fa3926e0fbc057e1f4a63e3111087563b2e8a3b449aa0b61
Opcode Fuzzy Hash: 21ddc992a2cd026f3e14822941c693c5f4b732f89f805f33e87bb84b3340a81d
Instruction Fuzzy Hash: 80719671E016188FEB68CF6AD944B9DFBF2AF89300F14C1AAD50DA7254DB704A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669A48F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d46e1a8af94b0a3488ace7dc8f7d02acd0afb40d49f2585f706838c95c45a28
Instruction ID: 5567c846bba9b41e6c75f6663416e7f91d5f7aee736fbd485a024f00d4c7d316
Opcode Fuzzy Hash: 9d46e1a8af94b0a3488ace7dc8f7d02acd0afb40d49f2585f706838c95c45a28
Instruction Fuzzy Hash: 8971A771E016588FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB304A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB552 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb73acc30f9feaf8412602a3e893351405342edc2f5813ee792ce02650d93ae
Instruction ID: 38890ac1e129f22f3dc1ca91272a4642164163e4205d2242f5e4170ce81e371a
Opcode Fuzzy Hash: cdb73acc30f9feaf8412602a3e893351405342edc2f5813ee792ce02650d93ae
Instruction Fuzzy Hash: 6361C874E04648CFDB18DFAAD944AAEBBF2BF89300F14C069E418AB365DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066997F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468649e5758b77a689b7e10319eb6c6dd897706cbdd0a2c7f1a7b8708c5f31d6
Instruction ID: 60fe90e68cf5528fc4263586b96f742aa915f5f6c89194a202b4520b4eb9618a
Opcode Fuzzy Hash: 468649e5758b77a689b7e10319eb6c6dd897706cbdd0a2c7f1a7b8708c5f31d6
Instruction Fuzzy Hash: 5A5166B1E016188BEB58CF6BD945799FAF3AFC9304F14C1AAD44CA7264DB340A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 066979F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761faf9fa7a929360b3e2128642ea82a86a67e5ed3436fe1c3c02c9d629e1dae
Instruction ID: 2f75b2e98a7f11eedffc587e8f47090d76d37d64ccbdb78954313161e15ecabd
Opcode Fuzzy Hash: 761faf9fa7a929360b3e2128642ea82a86a67e5ed3436fe1c3c02c9d629e1dae
Instruction Fuzzy Hash: 1B41C4B0E002488BEB58DFAAC8547DEBBF6AF88304F24C069D418BB254DB355946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0669BDC8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5778a7b1948848c46261e30dcd0470b2a8bf98cdb23ade37a5f85bfd30706694
Instruction ID: 43ca2b5649645690a11a849353db74409aae0acd321133169bab238fa4f504fa
Opcode Fuzzy Hash: 5778a7b1948848c46261e30dcd0470b2a8bf98cdb23ade37a5f85bfd30706694
Instruction Fuzzy Hash: DF416AB1E016188BEB58CF6BDD457D9FAF3AFC9300F14C1AAD50CA6254DB7409868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0669CA60 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dc26f27c55ff363f88a413fab534ea886821470b1b15f0afad34c7b1a0b9c4
Instruction ID: 9842f2c55004108dee28c6b0f36b968e554d61ea85e002f269ace3c9d1cb9fab
Opcode Fuzzy Hash: f1dc26f27c55ff363f88a413fab534ea886821470b1b15f0afad34c7b1a0b9c4
Instruction Fuzzy Hash: 6C415BB1E016188BEB58CF6BCD457D9FAF3AFC9300F14C1AAD50CA6254EB7509868F50

Uniqueness

Uniqueness Score: -1.00%

Function 0669AAD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd385f0f8da27be26b0a554a5d8b7402702f49f609a94c61cc61edce01d3b551
Instruction ID: 9af7a59c9d1406e7e56e0a5a0de4ad612de358bb685f590826f2ee02d2ac9454
Opcode Fuzzy Hash: bd385f0f8da27be26b0a554a5d8b7402702f49f609a94c61cc61edce01d3b551
Instruction Fuzzy Hash: 3D4159B1E016188BEB58CF6BDD557DAFAF3AFC9300F14C1AAD50CA6254DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 0669B128 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c0faa25cbb442841548f88d9a94111da63e671ea7d025f36025bd6b240c7a0
Instruction ID: 855402bc33ef4ba42b46ce752cbc84804ae429ee925259584c70266ee5f1701b
Opcode Fuzzy Hash: 50c0faa25cbb442841548f88d9a94111da63e671ea7d025f36025bd6b240c7a0
Instruction Fuzzy Hash: B0415C71D016188BEB58CF67DD457DAFAF3AFC9300F14C1AAD50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0669B780 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896d1a3f5e947419702c7fa91f3405ff4f7f3bf6ec1e17fa1d80c27e5ab23db9
Instruction ID: 9ffc824b749a415fcc9512d3a222d4fddadf2ebedc725918061039a2d9941402
Opcode Fuzzy Hash: 896d1a3f5e947419702c7fa91f3405ff4f7f3bf6ec1e17fa1d80c27e5ab23db9
Instruction Fuzzy Hash: CB4169B1E016188BEB58CF6BD9457DEFAF3AFC9300F04C1AAC50CA6254DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 06696CF0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102b114e8b52c39b180e83b57c1025365fefae8b230ced75fc45c870d27a4bb1
Instruction ID: 71adf96af3cabf57bf193bc8337f7a2c88bed8e101ef77f92c3ad2641e348f68
Opcode Fuzzy Hash: 102b114e8b52c39b180e83b57c1025365fefae8b230ced75fc45c870d27a4bb1
Instruction Fuzzy Hash: D0410570E01248CFEB18DFA6D9446DEBBF2EF89300F24D129D418AB254DB355946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE9634 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

T, xrefs: 00CE9646

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: d5783d371a14be66a4c0b97d97f09400b788d94d48a460e47a1ec0e5d8ee47c5
Instruction ID: 52b80eefb30624eb91353245f59335a0a0ec977a8332df4935c5395771171f3d
Opcode Fuzzy Hash: d5783d371a14be66a4c0b97d97f09400b788d94d48a460e47a1ec0e5d8ee47c5
Instruction Fuzzy Hash: A4511770B182C68FDB15DB7AC8906BE7BB9EF85300F1884AAE411CB292DA35CD468751

Uniqueness

Uniqueness Score: -1.00%

Function 00CE21A8 Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df8c9ec1abd0d6353b724a4e9c67c4e126ced244e17bdd34e5d6aed39228456
Instruction ID: 880e17c95c3ae9b366bf8a7aa4c7849ad6659666be8dde76c19c45017d69c3d5
Opcode Fuzzy Hash: 8df8c9ec1abd0d6353b724a4e9c67c4e126ced244e17bdd34e5d6aed39228456
Instruction Fuzzy Hash: CF628C22A1CBE90FD7335631086F2A6BFA2CE42241B6D99FFD0C64B9A7D558550FC702

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7850 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2103790770f8a62b86b7cab53b321c778d947a426f63dd0b7389878865f8a4
Instruction ID: 20ab841cf5720d6812d71fcba6bef43245d4535d6cd490f25699e5d4c16bbb3e
Opcode Fuzzy Hash: 8e2103790770f8a62b86b7cab53b321c778d947a426f63dd0b7389878865f8a4
Instruction Fuzzy Hash: BC524234A00258CFFB14DBA5C860BAEBB76EF84700F1091A9D10A6B396CF359E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8849 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af68a195cb97090a800a0f772601b267bdaa9ccc27db9344bbcc612e80e5bed8
Instruction ID: 1212febeb2a7085dac62d906208df2fb79f94c791873804bc586063a96f57c6f
Opcode Fuzzy Hash: af68a195cb97090a800a0f772601b267bdaa9ccc27db9344bbcc612e80e5bed8
Instruction Fuzzy Hash: F1F1B2307042818FDB155B3BC958B3937A6EF85740F2804AAE51ACF3A2DE25CD89D751

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6EB8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249336c995e5615adf45b37241aea6ba6f158a012801ae990498881a93a2935b
Instruction ID: 3fb705f19b8648921c3f4ebfb0aee67dd00835c208cf42422786b59b87898f9e
Opcode Fuzzy Hash: 249336c995e5615adf45b37241aea6ba6f158a012801ae990498881a93a2935b
Instruction Fuzzy Hash: F5123A30A04289DFCB15CF6AD884AAEBBF2FF48314F148659E959DB2A1D731ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE0C8F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2054ffd2f9e63727882a691ac6dadb81bf9f9e116577c13c04d2de42a5d4e75
Instruction ID: 6e92257ecf1a9314660268e4b1cc5b4a298097aa2588c34102a572cfe3d46849
Opcode Fuzzy Hash: a2054ffd2f9e63727882a691ac6dadb81bf9f9e116577c13c04d2de42a5d4e75
Instruction Fuzzy Hash: C922FA3490461ACFCB54EF64E889B9DBBB2FF49301F1086A9D549AB358DB706D85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA878 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5b601fdc6455c761a1b9045b642374a2ae854c8c45af24586a06a890565103
Instruction ID: 8b5a61f9c5c11643dfc6197afc22ce6f2efbabe3614e2914ea7152d95f860512
Opcode Fuzzy Hash: 3b5b601fdc6455c761a1b9045b642374a2ae854c8c45af24586a06a890565103
Instruction Fuzzy Hash: 16F12E75A00655CFCB04CF69D584AADBBF2FF88310B268099E419EB362DB35ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE0CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1e82d71a97e9cf4d90191c830af47b69443bb05ae926200792c8ced514a60e
Instruction ID: e01a6d6afbd9e832ff4aecf4c0abedb7b7c5a7b6f9e3155bc234f4dd3c49395d
Opcode Fuzzy Hash: 3f1e82d71a97e9cf4d90191c830af47b69443bb05ae926200792c8ced514a60e
Instruction Fuzzy Hash: 5F22EA7490461ACFCB54EF64E889B9DBBB2FF49301F1086A9D509AB358DB706D85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5700 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd4fbc923d51ece63e5cc477f3c366bf851ed28a08f1e9c0be10d01aa01886f
Instruction ID: a7ee7ffd92766e31f5895dd5864cc492dbc1380d98688e7459b5a2fa4c426810
Opcode Fuzzy Hash: 2fd4fbc923d51ece63e5cc477f3c366bf851ed28a08f1e9c0be10d01aa01886f
Instruction Fuzzy Hash: 68B1CF347046908FDB259F3AC894B7E7BA2AF88318F148929E856CB391DF34CD06D791

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5C60 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7c88b1a89f961c402cb54476ccf86f0b7aada13a7acb3a056f41a3c055016f
Instruction ID: 9f3cbd949525b00f647332861e39b630252efab13556dfb60e55e05c82c645e2
Opcode Fuzzy Hash: 5a7c88b1a89f961c402cb54476ccf86f0b7aada13a7acb3a056f41a3c055016f
Instruction Fuzzy Hash: B0818134B00985CFCB14CF6AC9889AEB7B2FF88318B658169D415DB365DB35EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06698910 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33f993595ad27e5ef9911f2fcfdb4095ab9de7b02aa5891d786ec1f764a664e
Instruction ID: 1d20d6bf1e6bb7a0a9fdb4a56833ee93af625f176961c3cc46261b4b8ffa2388
Opcode Fuzzy Hash: f33f993595ad27e5ef9911f2fcfdb4095ab9de7b02aa5891d786ec1f764a664e
Instruction Fuzzy Hash: 15718F31F002199BDB55DFB5C8546AEBBB6AFC9700F14852DE406AB380DF709D05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5999a4229793ebe3d54f2d0c91a0168ce356bffee9bf51510d04ce448c15522
Instruction ID: 48a061b2e2ef61f7ee0c152e2d32856218d1cbcbda06f30706e6e56e54745fd0
Opcode Fuzzy Hash: e5999a4229793ebe3d54f2d0c91a0168ce356bffee9bf51510d04ce448c15522
Instruction Fuzzy Hash: 2E713A347086858FCB14DF2AC898AAD7BE9AF49714F1505A9F816CB3B1DB70DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CED3C2 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4835bc54fef61949c9d00fbc19f844f91edd6c6c2c30e40f7b6e83cc27fd9d5
Instruction ID: bc13df6afef1ee196ca34fdf78708aebe0dd3359b983b3448eb4294826f94e04
Opcode Fuzzy Hash: e4835bc54fef61949c9d00fbc19f844f91edd6c6c2c30e40f7b6e83cc27fd9d5
Instruction Fuzzy Hash: 5651BCB48AA742CFD3043B20A9AD27E7BB0FF4F723B456C05E01E950659B7100A9CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00CED3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8b950b4d69fb7f355302c11ef1ce2175e77e0d11a5383c4d83976657409856
Instruction ID: 39352c8c1d4e33a275f9a3dcd68e954a6f11fd33e7a3bfb8a09b2215604975bf
Opcode Fuzzy Hash: 2f8b950b4d69fb7f355302c11ef1ce2175e77e0d11a5383c4d83976657409856
Instruction Fuzzy Hash: CE51ADB48AA742CFD3043F20A9AD27E7BB0FF4F723B016C01E11E950649B701069CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00CEDC88 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a2ac2600675156d556aa193cc7e319815705e487c9a1013edc94c5755dc3b6
Instruction ID: 613c25c76357a9da2062e4ecf03734663c0d81e360de8277a905da3b07264d29
Opcode Fuzzy Hash: 80a2ac2600675156d556aa193cc7e319815705e487c9a1013edc94c5755dc3b6
Instruction Fuzzy Hash: 6B611574D01259CFDB15EFA5D884AEDBBB2FF88300F208569E805AB355DB355A86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00CE93F0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2548e7ff8f1938c92e46d626aea896afdeaacd73f78535c026dfa5a91ecb8199
Instruction ID: a7e440f7e855efb07a7db21c3d431839c0728148f25b7d4ada77351c287dae4a
Opcode Fuzzy Hash: 2548e7ff8f1938c92e46d626aea896afdeaacd73f78535c026dfa5a91ecb8199
Instruction Fuzzy Hash: 98519D317002559FDB05DF6AC884BBE7BE6EB88350F148466E919CB391EB31CD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CED719 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac66c265db5c99fd7e59b8e9b7e23559836cfc6e345abaa0f05860cddd4f8f7
Instruction ID: 208ce0b2186c97161202ded01b966b92a42e5dcaef6f5d68bdc74811211f29c3
Opcode Fuzzy Hash: 5ac66c265db5c99fd7e59b8e9b7e23559836cfc6e345abaa0f05860cddd4f8f7
Instruction Fuzzy Hash: E1512774E01249CFDB14EFAAD484AEDBBF2FF88300F249129D405AB299DB349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00CECD70 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e9bb4ac5001241499f35d083554ef7591c71f5f8be51d50889c1e9232e37dc
Instruction ID: 67368199634734d76d6c64eb413acb5697e18734b08acaa61099d238c51a5970
Opcode Fuzzy Hash: 61e9bb4ac5001241499f35d083554ef7591c71f5f8be51d50889c1e9232e37dc
Instruction Fuzzy Hash: C2517274E012189FDB58DFA9D9849DDBBF2FF89300F208169E419AB365DB319905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0669D0C0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c31155fe9aba38d8e35302bd3c1c628058031cf005dfa3470c1bf8f2c0bbb0
Instruction ID: ca1622fb940ee60b3e816eb143771a1577d2a0bef70147b8bd865a3891527241
Opcode Fuzzy Hash: 24c31155fe9aba38d8e35302bd3c1c628058031cf005dfa3470c1bf8f2c0bbb0
Instruction Fuzzy Hash: 1F417935901619CFDB04AFB0D49D7FEBBB5EB4A306F005969E502672A0CBB80A45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3612042000986ca8608b483794bed295f833c2224b96def65a4ea497eb18fb34
Instruction ID: 5b68f9ffd3191051cffb58a4ae2c553f376d388461a77df4d612603aba264b92
Opcode Fuzzy Hash: 3612042000986ca8608b483794bed295f833c2224b96def65a4ea497eb18fb34
Instruction Fuzzy Hash: BE51B774E01248CFCB48DFAAD98499DBBF2FF89301B209569E805AB364DB35AD41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA6B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e24ae3a4e9d0800b6dfcf86d610b4a335a8d53399bd3b4f5a51e013a20af093
Instruction ID: 18ce5e86ca9dabb2eb4640b2759d58a0dd5c6d0e82db4ab437412c34545fd307
Opcode Fuzzy Hash: 4e24ae3a4e9d0800b6dfcf86d610b4a335a8d53399bd3b4f5a51e013a20af093
Instruction Fuzzy Hash: 1641D031B042448FDB19AB7AD8546EE7BB3EBC8310F288469E506D7391CE319C0ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE9AC3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf1c8b190d13b5269b57ab792d7c72263737512d1690f422b5e4a459c56dec7
Instruction ID: 949e980563f838a49260def4b0409e9e7bb47979eac2371f02509cf6afb320f8
Opcode Fuzzy Hash: faf1c8b190d13b5269b57ab792d7c72263737512d1690f422b5e4a459c56dec7
Instruction Fuzzy Hash: 4D41E331A04289DFCF25CFA6D844ADEBFB2FF49310F108155E8159B2A1D335EA15DB51

Uniqueness

Uniqueness Score: -1.00%

Function 06698900 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596f01a9201b8c4e0b96193e4d372dab7e1fd303f64fe50fec2b8be66c1c8a2c
Instruction ID: 6ca7e6b81d10e61f1821857b2b0d59e9de1c9f0f1380445b749e88a1969976f1
Opcode Fuzzy Hash: 596f01a9201b8c4e0b96193e4d372dab7e1fd303f64fe50fec2b8be66c1c8a2c
Instruction Fuzzy Hash: 65416531E002199BDF54DFA5C980ADEBBB5AF99700F14852DE805B7380DB70AD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06698E48 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f460cc5540cbe2b7dd71ab7014ef35e426750351fb6673fb907f5b14ac0419d
Instruction ID: 1c211221a3045a35d2cb90c11e77bb28f3ce2c3c7ee37b90419ca566e144c2d6
Opcode Fuzzy Hash: 0f460cc5540cbe2b7dd71ab7014ef35e426750351fb6673fb907f5b14ac0419d
Instruction Fuzzy Hash: F441EE74E01249CFDB44DFA4D594BEDBBB2BF49304F10992AE809AB394DB346A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06698E58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778bffcb3b1c12e6594cd2a70f9c582f11bd3a6cb547efc58a71e42b15309650
Instruction ID: c9a4047df1af34e779ed87d4dc5f124b69821c84eb0693007930d0f64205a99b
Opcode Fuzzy Hash: 778bffcb3b1c12e6594cd2a70f9c582f11bd3a6cb547efc58a71e42b15309650
Instruction Fuzzy Hash: 4541EE74E012488FDB44DFA9D5947EEBBF2BF89300F10952AD805A7394DB346A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee773fd2e8161ff7852c85f7e8a5da4d43359634c46fd3a38aac9a6abcc9e256
Instruction ID: e256ed2ba6f3d784d172cee9085f0494c09ddc8e915a663fa446a39fc90fe5f3
Opcode Fuzzy Hash: ee773fd2e8161ff7852c85f7e8a5da4d43359634c46fd3a38aac9a6abcc9e256
Instruction Fuzzy Hash: B4316131704249AFCF099FA5D854AAF7BA6FF88301F108424F9198B255CB35CE65EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE933C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e1cebcb8904bde97649957d2db0d7295b48c4d27ec70db692ca278f56cc7e4
Instruction ID: e0b2293e0566073d10a9aefe3baeb6f58a7da3bb7a599c260490d88582e41488
Opcode Fuzzy Hash: c2e1cebcb8904bde97649957d2db0d7295b48c4d27ec70db692ca278f56cc7e4
Instruction Fuzzy Hash: F031D030A00245DFCB11CF69D8809EEBBF6FF85360B648466E854CB261D731E9278BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7730 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1993ecf9e9f98f1c27283676325283022fae45a7e93008549989d6a868e4189
Instruction ID: d18766d4950f7fcc1a5cef90d3305ec40cfcbf48db145825a600ea8cbcccf060
Opcode Fuzzy Hash: d1993ecf9e9f98f1c27283676325283022fae45a7e93008549989d6a868e4189
Instruction Fuzzy Hash: E521373070C2814BEB25163B989CA7D2797AFE8B587184639D912CB7D5DE25CC47E3C1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA869 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58defa191236596ab7a261534b383ee0d51ed6b3a5c2ec84f7c94667b41eb381
Instruction ID: 79558dd8457e3d26645581b6bb981fa75832481b58519e3f61c9f2ef405daf64
Opcode Fuzzy Hash: 58defa191236596ab7a261534b383ee0d51ed6b3a5c2ec84f7c94667b41eb381
Instruction Fuzzy Hash: B3319F71A405058FCB04DF6AC8849AEBBB3FF89750B168159E555EB3B6CB30ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0669D0B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c41d129f4f6a1bf6b12ebf864881b6331a220847a65d2e34c9916d54a1e58b5
Instruction ID: 67ab9a07c17d306ebfd3b670b2476067d34b0bb51896e71118f0c7a9474e6dea
Opcode Fuzzy Hash: 4c41d129f4f6a1bf6b12ebf864881b6331a220847a65d2e34c9916d54a1e58b5
Instruction Fuzzy Hash: 9C31AE75C04609DFDB00AFB0D89D7FEBBB1EB4A306F009869E50166290CBB80A45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b351b318f6bb138f3c0aac65dcd24b6409d5dc36c71cf8b7fb15f9e0a404d4
Instruction ID: 19f199e87fa0d0d0ba1cc65f5d8f5ca91c65ea44ec5c7b4262873e1c707bcae8
Opcode Fuzzy Hash: 13b351b318f6bb138f3c0aac65dcd24b6409d5dc36c71cf8b7fb15f9e0a404d4
Instruction Fuzzy Hash: CE21F93070828157EB25163B889CB7E36979FE8718F288539D916DB7D4DE25CC82E3C1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5AB8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1877c19f1e9840aaf2e02e238cd9d365454d10d1abddc0bf51b52e51efed957e
Instruction ID: 4a552c6a388bf470cfbaa94715f8171cca86b35096bed83551b4d332fb8eadd3
Opcode Fuzzy Hash: 1877c19f1e9840aaf2e02e238cd9d365454d10d1abddc0bf51b52e51efed957e
Instruction Fuzzy Hash: 0821F231704A929FC7299A76D49853EBBA2FF847547184569E806CF391CE34DC06C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE20B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9206c8067fd312a6ecfb5bd6c4c3e3f157403d83d376a82e283385f6b4e3e4c
Instruction ID: 0a504149b02f30d27a8dc29bbd371861d9caeb300e2bfcc23b077f8ca57b1f31
Opcode Fuzzy Hash: a9206c8067fd312a6ecfb5bd6c4c3e3f157403d83d376a82e283385f6b4e3e4c
Instruction Fuzzy Hash: 1F21C131A00186AFCF24DF24C880AAE77A9EF99750F10C519E95A9B350DE34EF05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558148498.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660a7abd0662f1b62b819752ee346832267c7d213d49849c61ffc894f6189fc4
Instruction ID: 8577101c9a79d7ada560446021836bd791c22d3e21b17b50c58922e5d2e157a8
Opcode Fuzzy Hash: 660a7abd0662f1b62b819752ee346832267c7d213d49849c61ffc894f6189fc4
Instruction Fuzzy Hash: DE2100B2504204DFDB44DF14D9C0B26BF75FF98328F20C6A9E90E0A256C336D956DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558184267.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c8d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d115e6be53d541f3dc893ca5643a3f381315257c4c82406e139802c10df4e1
Instruction ID: 0a0c6915ec33674d22d4e94fc21f09377db12b23da84d9baec41fa36b9b32188
Opcode Fuzzy Hash: 94d115e6be53d541f3dc893ca5643a3f381315257c4c82406e139802c10df4e1
Instruction Fuzzy Hash: 2621F271504204EFDB14EF24D9C4B26BB65FB84318F30C66DE94A4B2D2C77AD846CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4E11 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e083511ba6b890bf0b45c439d0717014686010468c159641584063ee2d2d49ca
Instruction ID: 240841384bbf55c2dfff835a5e245813eea137c071e19c8903daafdba9f5444e
Opcode Fuzzy Hash: e083511ba6b890bf0b45c439d0717014686010468c159641584063ee2d2d49ca
Instruction Fuzzy Hash: EA2127317482859FCB199FA5D444BAB7BA2FF88300F108429F8098B295CB38CE55D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 06698AF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dc1245c78e0ac75d19c43b926f356dcd667e7a7181e31db9aec217106a08ab
Instruction ID: 2128c0d8a02ee66eaf560f7405ee6d31d5dddc06ef4e247623f77a7ee356c73c
Opcode Fuzzy Hash: e2dc1245c78e0ac75d19c43b926f356dcd667e7a7181e31db9aec217106a08ab
Instruction Fuzzy Hash: 11110136B092505FDB46AFB4981926E7FA3EFC8250F14842EF50ADB381DE748D0593B6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8F21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4712dcf8d6265975f81c853fee6a559edcee8ce81af54151d78d9b67ddcff4d1
Instruction ID: 36f24b0d02f652a7ddebf51e670940b784a91e6c394ff7dc4c88f3286d8a4a65
Opcode Fuzzy Hash: 4712dcf8d6265975f81c853fee6a559edcee8ce81af54151d78d9b67ddcff4d1
Instruction Fuzzy Hash: 0F216970E04289DFCB04CFE6D490AEEBFB2AF48301F248069E415A6294DB359A45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CEDBA9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d88c9be2d0abd92e5ec448ae3aacd88f73efc285c73819186a841a8fb4e5c1
Instruction ID: a145845b62d01fd29f9d0c0950012933c537b6ec53398d90400e218c1acf735e
Opcode Fuzzy Hash: 60d88c9be2d0abd92e5ec448ae3aacd88f73efc285c73819186a841a8fb4e5c1
Instruction Fuzzy Hash: 66215070E0424A9FDB45EFB9D44179EBBF2FF85304F0482A9C0489B356E7705A468B81

Uniqueness

Uniqueness Score: -1.00%

Function 0669D4C3 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbdc5a0b626123bd0f077015d9ca6a85051716937dd0736242deb6a12d34a28
Instruction ID: 422b7708e9c85a9d3d6fdb632dd66db41e87f0bbf3012c032af3b0d3db7aa9ef
Opcode Fuzzy Hash: fbbdc5a0b626123bd0f077015d9ca6a85051716937dd0736242deb6a12d34a28
Instruction Fuzzy Hash: 8D11C4317092409FD7050A3A58685FBBFABEFCA210B1988B7E546C3296CD258C1A9371

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5AC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1c7fae294ff880eba3c7df96ffc531ed093fd586aadccf2aff8e3e1f05fb6d
Instruction ID: cdb527fde972893433af480cae39e796e93fe7532af276d03631b4665224b198
Opcode Fuzzy Hash: 3d1c7fae294ff880eba3c7df96ffc531ed093fd586aadccf2aff8e3e1f05fb6d
Instruction Fuzzy Hash: 2211ED31704A529BC7299A2BD89893EB7A6FFC87647180178E806CF350DF30DC0287D4

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1FB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2465f881b7b3acf5858fb880f44b9a68cd555a2b23ca28213857b0e53bc654bb
Instruction ID: 7d769c45a555451f4d7595e350d09796fe30fc8ab17a72578532c5cafaf0f06a
Opcode Fuzzy Hash: 2465f881b7b3acf5858fb880f44b9a68cd555a2b23ca28213857b0e53bc654bb
Instruction Fuzzy Hash: 0321C2B4C0520A8FCB40EFA9D9595EEBFF1FF09310F10556AD805B3210EB301A56DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558148498.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: 0cf31bc21e1f426b5d76829a0c302eb9b3fd2c71c01a2c856816a854717f0ef9
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 9311D3B6504244CFCB15CF10D5C4B16BF71FF94314F24C6A9D80A0B256C33AD95ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06698630 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7de871394196fa70bf4f7d193ce0ce035eaca28c02a1a7a0cca98619a75c91a
Instruction ID: 3264666e3b0defb1a09330fb9b2cf2f8ca5903402d54519fac551b88d7e7d504
Opcode Fuzzy Hash: f7de871394196fa70bf4f7d193ce0ce035eaca28c02a1a7a0cca98619a75c91a
Instruction Fuzzy Hash: FD112676800249DFDB10CF99C845BDEBBF8EB48324F148819EA18A7251C379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEDBB8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de46f84e4858bf35afe82d11cb33c50f4991d35f1a60caaf85fdb9b793c3a979
Instruction ID: 8de92c6e710d50e26883538aa16c173d9e29146cff579f6bbc315bb57e2a947e
Opcode Fuzzy Hash: de46f84e4858bf35afe82d11cb33c50f4991d35f1a60caaf85fdb9b793c3a979
Instruction Fuzzy Hash: 8A113D70D0420ADFDB44EFA9D44179EBBF2FF85304F10D6A9D0589B355EB705A468B81

Uniqueness

Uniqueness Score: -1.00%

Function 066982C1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dfe377d980bfce63ab07e9105eec4a23ab9a1889c047085c6f29925d4e3943
Instruction ID: 07b8f77b4c0b54c7d664b8848768fda5cec6399edf32d1e508a835a19247ce5c
Opcode Fuzzy Hash: 55dfe377d980bfce63ab07e9105eec4a23ab9a1889c047085c6f29925d4e3943
Instruction Fuzzy Hash: 3A112E34E005498FEF10DBF8D840BAEBBB5AF45311F409465E908E7349DA3099428B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558184267.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c8d000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: e7f1d76c963fddb72352c36b97ff89e575b48c875a5a5b2d2461ae5fc56902aa
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: 58119D75504284DFCB15DF10D9C4B15BBA2FB84328F24C6A9D84A4B696C33AD94ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 06698D98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a5a6bb42bd6cdc6845445a3f646f67c6466428baf9d3735ab03e55834e13dc
Instruction ID: 6501a053994ec7bb0c9ac5df97e8311ab57466f77317f445336859abf8a68e60
Opcode Fuzzy Hash: e7a5a6bb42bd6cdc6845445a3f646f67c6466428baf9d3735ab03e55834e13dc
Instruction Fuzzy Hash: 8B1146B6800249DFDF10CF99C945BEEBBF4EF48324F148819EA18A7251C339A554DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE565F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c286e46b1656828e236123c725004aeabd3387675906454463098a5754e9c7af
Instruction ID: 56a5163c1314fc2ae9222a87168f2c61cc487bfed74ea70ed946ecb6ad42e25f
Opcode Fuzzy Hash: c286e46b1656828e236123c725004aeabd3387675906454463098a5754e9c7af
Instruction Fuzzy Hash: 02014C72B041546FCB028E6598046FF3FEBDFC8351B14802AF918C7390DA31CD129790

Uniqueness

Uniqueness Score: -1.00%

Function 06698B60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a19a658c244a2fc4253a90f813229fc821c4dbd554adee45a710ca6c1b7f64
Instruction ID: fc6a140e4fff05b51128f26c33a9703685ac0a115fc4d7dbc878efff55faefc8
Opcode Fuzzy Hash: c1a19a658c244a2fc4253a90f813229fc821c4dbd554adee45a710ca6c1b7f64
Instruction Fuzzy Hash: E1F0E9327101186B8F059E98EC449AF7FABEFC8260B00842DFA09C7240CE718D1097B5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236cca3fbd05b039bb4c151bb8a36b612b5f11b8c3e29048d835dedb5a577597
Instruction ID: 0c49e43b508a775f9d2cea708136ee8943932fc255465403d9e39a622c7c7db2
Opcode Fuzzy Hash: 236cca3fbd05b039bb4c151bb8a36b612b5f11b8c3e29048d835dedb5a577597
Instruction Fuzzy Hash: F5E0D8319253D64FC7029BB49C544FEFFB4ADC7210B4985ABD09077450EB30191AC751

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a06562f7badcef9b5bffdcff9088fc4950576929707e9667e689cc87aa3805
Instruction ID: 147ee78828227962921ec1eba055844c63657c25adc41008e53666b5b6430e1e
Opcode Fuzzy Hash: 99a06562f7badcef9b5bffdcff9088fc4950576929707e9667e689cc87aa3805
Instruction Fuzzy Hash: C1D01732E2126B968B00AAA5EC048EEB738EE96661B948626D52437140EB70665986A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE82B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: e4f1b62a73b222bcc77e976c6d16299ba371cd14e5caaf66dd37d8e8d291936c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 53C08C7320C5682AA234508F7C40EE3BB8CC3C1BB4A310137FA2CE3341AC429C8411F4

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69af4e0de8d1af384214164dfabe3f1f6bf8d1e08a9af1623255fae63301b3cb
Instruction ID: 865bb2cf3c0b96290d1bb9f07889bffc4858e1d40d1a71a446a107f6c060bbea
Opcode Fuzzy Hash: 69af4e0de8d1af384214164dfabe3f1f6bf8d1e08a9af1623255fae63301b3cb
Instruction Fuzzy Hash: C2D0677BB41008DFCB049F99EC409DDB7B6FB9C221B048526F925A3260C6319925DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5F00 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9505eaee474a5226e04cbf0993e8cd27060e12d2d326083b6a8e072997bb4a
Instruction ID: cdd5ecbb35538a2ae5541b8594dd97066d2feb1201ac012f43d42c0b6bace31b
Opcode Fuzzy Hash: 5b9505eaee474a5226e04cbf0993e8cd27060e12d2d326083b6a8e072997bb4a
Instruction Fuzzy Hash: 8EE02B70A0C3C35FC712F3B8E8A28DC3F32EE80208F4442A8EC444E617E976494B8791

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ebd1652f39c52f942c657204c9d8b6071eac1b7c27b85b5d9ac724534dcb67
Instruction ID: a2864cf53a31268d2a313e0ff13770e4615bd7408545695943db45c0b13da044
Opcode Fuzzy Hash: 96ebd1652f39c52f942c657204c9d8b6071eac1b7c27b85b5d9ac724534dcb67
Instruction Fuzzy Hash: 17C0123050870B8BD501F7F5E946959771AEAC0300F408614B5090D21AEE78598556D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CEDED8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4558350460.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a950ca17eafdb8ab70eb8014de77df2b958c7ed37ca81ed2758a123b375692
Instruction ID: d9b4c3208a996b62513cc18d62ded7fe63a9e2dec2b3028e1c1a3d37d777baf9
Opcode Fuzzy Hash: 23a950ca17eafdb8ab70eb8014de77df2b958c7ed37ca81ed2758a123b375692
Instruction Fuzzy Hash: 0A52AB74E01268CFDB64DF65C884BADBBB2BF89300F1481E9D409AB255DB31AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06694E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614b317f844baee8724a090997a7e8abbd0ddc639d8381ca635679a5809a5239
Instruction ID: 15ace65b2592b0cdb538ca8188882162cd1315efc338ecbac2ab37063ba89c86
Opcode Fuzzy Hash: 614b317f844baee8724a090997a7e8abbd0ddc639d8381ca635679a5809a5239
Instruction Fuzzy Hash: 73C19074E01218CFDB54DFA5C984BADBBB2EF89304F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06695720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf9b78d66b99699a5f98d1193c7adee6b0787c09d1e3516257cc32983a5a27f
Instruction ID: beede0140ae14aaed451c4be20b572214ebf04f0bda16c6739e5d0cfbfe348d8
Opcode Fuzzy Hash: adf9b78d66b99699a5f98d1193c7adee6b0787c09d1e3516257cc32983a5a27f
Instruction Fuzzy Hash: 43C1B074E00218CFDB54DFA5C984BADBBB2EF89304F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06695FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e70d6467becd23e2b8e0c5f079e0c3a616cc98c46792b224c41e95eb055c343
Instruction ID: 4bfc6d0f2c0e6365435b3202472184c3a5d6a573c81b4842e491f6cff69238b1
Opcode Fuzzy Hash: 4e70d6467becd23e2b8e0c5f079e0c3a616cc98c46792b224c41e95eb055c343
Instruction Fuzzy Hash: 0AC19074E01218CFEB54DFA5C984BADBBB2EF89304F1081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06696450 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569ccdca675656908f0d5d04e96b7043ff059c0401bc26a368ab3ec6f7d53958
Instruction ID: 2b320cd0cee08e292cd4b0dd5b5dabeb04a6ecfeb1fe814b308974a2ba52003b
Opcode Fuzzy Hash: 569ccdca675656908f0d5d04e96b7043ff059c0401bc26a368ab3ec6f7d53958
Instruction Fuzzy Hash: B2C19074E01218CFEB54DFA5C984B9DBBB2BF89304F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06690498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae5328b0b1e0082998d099f9e32b32ad10cdc78233ce50da59a4f962cb4c341
Instruction ID: d5b43ab0ca0b42ff58a019c068c4649cb74d9f1406eb17106baff56004491fcd
Opcode Fuzzy Hash: 3ae5328b0b1e0082998d099f9e32b32ad10cdc78233ce50da59a4f962cb4c341
Instruction Fuzzy Hash: 1FC19174E01218CFDB54DFA5C984B9DBBB2EF89304F1081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066975B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fb8a8be9ed4fefa29b42f8b33d7e46c13360077967cc215c07cad675b5c8e8
Instruction ID: 497284783dc89b255b88e07bf8805e6de688562ce8fa0a29e0743c87204a1613
Opcode Fuzzy Hash: 97fb8a8be9ed4fefa29b42f8b33d7e46c13360077967cc215c07cad675b5c8e8
Instruction Fuzzy Hash: D0C19F74E01218CFDB54DFA5C984BADBBB2EF89304F2081A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06694598 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982364c07d29bf259d0e9482e500fbd40c08ff1dc8ad1e3679b494520f746b15
Instruction ID: 9322de0990a54edff357be9d415beb7df0fd7d9d51c6af9145fae7c74149a259
Opcode Fuzzy Hash: 982364c07d29bf259d0e9482e500fbd40c08ff1dc8ad1e3679b494520f746b15
Instruction Fuzzy Hash: 75C1A074E00218CFDB54DFA5C984BADBBB2EF89304F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06694A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3975c7458a28f1ec95a4d2521bf031ad1f9aa0d70dceffdb757731000d43534e
Instruction ID: 273a280eb89bd9cd14d019ca552997f4ab6a6f0d98e082118dd81a07b5de8fcf
Opcode Fuzzy Hash: 3975c7458a28f1ec95a4d2521bf031ad1f9aa0d70dceffdb757731000d43534e
Instruction Fuzzy Hash: 5AC1A074E01258CFDB54DFA5C984BADBBB2EF89300F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066952C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d040126e2716345ae38b28fdd859cddfe69da520d19dcd1f8562a226331bc7d8
Instruction ID: 6ddd744aa7d32b4299c9db9835af06c01c3147bfb9da05e960af2917fe482d49
Opcode Fuzzy Hash: d040126e2716345ae38b28fdd859cddfe69da520d19dcd1f8562a226331bc7d8
Instruction Fuzzy Hash: 35C19074E01218CFDB54DFA5C984BADBBB2BF89304F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06695B78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710aa7d1c34530ddfafeb8b068d9902a560971d34e3eb0b2e8d54676d66186d3
Instruction ID: bf7dd019671f8bb811d22443ecf22cdbc55175bfb8592e7c1a491c16540b8bfe
Opcode Fuzzy Hash: 710aa7d1c34530ddfafeb8b068d9902a560971d34e3eb0b2e8d54676d66186d3
Instruction Fuzzy Hash: 91C1A074E00258CFDB54DFA5C984B9DBBB2AF89304F1081A9D809AB355DB359A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06690040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effd2a1530045e22aa3742a415a06c94c104c473df146a48291aea79dad8a8fd
Instruction ID: 3edd54a377ef73ed9261f4feed58f18bb62503cda9346bef95bcebb25bc40afc
Opcode Fuzzy Hash: effd2a1530045e22aa3742a415a06c94c104c473df146a48291aea79dad8a8fd
Instruction Fuzzy Hash: 98C19074E01218CFDB54DFA5C984BADBBB2BF89304F1081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066908F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932cd9b53ce02a5ffece363ab5e31d35628c8ee15df0495dc6e0a3a7d3f9ba00
Instruction ID: 247d978af9b213674051a65264544288d8bbeda7aa478c255b4b72154dc48139
Opcode Fuzzy Hash: 932cd9b53ce02a5ffece363ab5e31d35628c8ee15df0495dc6e0a3a7d3f9ba00
Instruction Fuzzy Hash: 11C19074E01218CFDB54DFA5C984BADBBB2BF89304F2081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066968A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82db59d591587fd561321fc80ed4f2d60082c59fa29a0445fb7e3eaffe31ea7
Instruction ID: 81429182f61152d0230f764fc5a048fb55871b16e368a2e8bef200d403160481
Opcode Fuzzy Hash: c82db59d591587fd561321fc80ed4f2d60082c59fa29a0445fb7e3eaffe31ea7
Instruction Fuzzy Hash: C0C19174E01218CFEB54DFA5C984B9DBBB2EF89304F1081A9D809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06697158 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94646e831a69ac0e5b37f2934fde6919303349516947547d07a215de77b7551c
Instruction ID: 333f39091052500c820439dd2adcd0b2d4cc15b8f596e272780e4fc3fa077854
Opcode Fuzzy Hash: 94646e831a69ac0e5b37f2934fde6919303349516947547d07a215de77b7551c
Instruction Fuzzy Hash: 97C1A074E10218CFDB54DFA5C984BADBBB2AF89300F1081A9D809AB355DB359E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066927B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b980aee39f53e4152192c5c7d63020ddffba42cafa6c099be61beffce2068c
Instruction ID: 2b1ed5d33e159a3f04d48de1d63c7d9bf9b6cfbc6efcce0af4136269bdee7629
Opcode Fuzzy Hash: 91b980aee39f53e4152192c5c7d63020ddffba42cafa6c099be61beffce2068c
Instruction Fuzzy Hash: 75B18574E10218CFDB54DFA9D894A9DBBB2FF89310F1081A9D819AB365DB31AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066927AA Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6773d38ecfce40ba75f90fd83e61e0779e13057c41d9ddf96cdd88203d10c25
Instruction ID: 3cb0a35f7bf733c558ccc316ca8c579e61c7f0a29f807049ee4d1de8e32e4486
Opcode Fuzzy Hash: d6773d38ecfce40ba75f90fd83e61e0779e13057c41d9ddf96cdd88203d10c25
Instruction Fuzzy Hash: AE51D474E00648CFDB58CFAAD884A9DBBF2BF89300F148069D819AB365DB319942CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06692ACE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4563712143.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_gZIZ5eyCtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5399877da254eca3b5cb1ee5bbb0589898d04a476541ec14424802e777d8a04
Instruction ID: 4139632df9dce5e497b36f06ba2cd067f9be6f59d837681ea7933031252c1ef9
Opcode Fuzzy Hash: e5399877da254eca3b5cb1ee5bbb0589898d04a476541ec14424802e777d8a04
Instruction Fuzzy Hash: 9BD05E34D0425CCBCF20EF58D8413ADB371FF86300F0020959009BB100C7308E51AF12

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gZIZ5eyCtS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gZIZ5eyCtS.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
gZIZ5eyCtS.exe

Function 0175AC18 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 01759F6C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 0175A7F0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 01759F90 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 0175A948 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 0175A6C8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 01759F78 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Function 0175AA68 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 0166D5B8 Relevance: .1, Instructions: 75
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre