Edit tour

Windows Analysis Report
VirusSick.exe

Overview

General Information

Sample name:	VirusSick.exe
Analysis ID:	1635788
MD5:	9144cf49bee346952ab9f46b20240d08
SHA1:	9c3c468f8a41647416f06c031b1081a2bbab3f7f
SHA256:	edf66fa81d2c3cc8192d7816592fe2882a5017c03ab9dfc0a12011c5ec91a078
Tags:	exegdikillmbrtrojanuser-2huMarisa
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

VirusSick.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\VirusSick.exe" MD5: 9144CF49BEE346952AB9F46B20240D08)

cmd.exe (PID: 760 cmdline: C:\Windows\system32\cmd.exe /c start "" "http://www.drinkify.org" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 5728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.drinkify.org/ MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1880,i,8262623870461844564,809522073933189353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2020 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T00:50:06.209798+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49682	172.67.74.152	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 23:50:46 GMTServer: nginx/1.10.3 (Ubuntu)Content-Type: text/html; charset=UTF-8Content-Length: 3Keep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 34 30 34 Data Ascii: 404

Source: chromecache_85.5.dr	String found in binary or memory: http://feross.org
Source: chromecache_76.5.dr	String found in binary or memory: http://jquery.com/
Source: chromecache_76.5.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_80.5.dr	String found in binary or memory: http://microformats.org/profile/hcard
Source: VirusSick.exe	String found in binary or memory: http://www.blahtherapy.com
Source: VirusSick.exe	String found in binary or memory: http://www.blankwindows.com
Source: VirusSick.exe	String found in binary or memory: http://www.bury.me
Source: VirusSick.exe	String found in binary or memory: http://www.cat-bounce.com
Source: VirusSick.exe	String found in binary or memory: http://www.clicktoremove.com
Source: VirusSick.exe	String found in binary or memory: http://www.crossdivisions.com
Source: VirusSick.exe	String found in binary or memory: http://www.damn.dog
Source: VirusSick.exe	String found in binary or memory: http://www.didthanoskill.me
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.didthanoskill.metov
Source: VirusSick.exe	String found in binary or memory: http://www.donothingfor2minutes.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.donothingfor2minutes.comwov
Source: VirusSick.exe	String found in binary or memory: http://www.drinkify.org
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drinkify.orgK
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drinkify.orgzov
Source: VirusSick.exe	String found in binary or memory: http://www.dudelol.com
Source: VirusSick.exe	String found in binary or memory: http://www.eelslap.com
Source: VirusSick.exe	String found in binary or memory: http://www.fallingfalling.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fallingfalling.comwov
Source: VirusSick.exe	String found in binary or memory: http://www.fallingguy.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fallingguy.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.femga.com
Source: VirusSick.exe	String found in binary or memory: http://www.giantbatfarts.com
Source: chromecache_71.5.dr	String found in binary or memory: http://www.google-analytics.com
Source: VirusSick.exe	String found in binary or memory: http://www.howtobeadad.com
Source: VirusSick.exe	String found in binary or memory: http://www.icanhas.cheezburger.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.icanhas.cheezburger.comL
Source: VirusSick.exe	String found in binary or memory: http://www.instantrimshot.com
Source: VirusSick.exe	String found in binary or memory: http://www.instantsunstrike.com
Source: VirusSick.exe	String found in binary or memory: http://www.internetlivestats.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.internetlivestats.comwov
Source: VirusSick.exe	String found in binary or memory: http://www.isitchristmas.com
Source: VirusSick.exe	String found in binary or memory: http://www.isitchristmas.comhttp://www.pointerpointer.comhttp://www.donothingfor2minutes.comhttp://w
Source: VirusSick.exe	String found in binary or memory: http://www.isthisyour.name
Source: VirusSick.exe	String found in binary or memory: http://www.koalastothemax.com
Source: VirusSick.exe	String found in binary or memory: http://www.milliondollarhomepage.com
Source: VirusSick.exe	String found in binary or memory: http://www.movenowthinklater.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.movenowthinklater.comwov
Source: VirusSick.exe	String found in binary or memory: http://www.muchbetterthanthis.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.muchbetterthanthis.comwow
Source: VirusSick.exe	String found in binary or memory: http://www.nelson-haha.com
Source: VirusSick.exe	String found in binary or memory: http://www.nyan.cat
Source: VirusSick.exe	String found in binary or memory: http://www.papertoilet.com
Source: VirusSick.exe	String found in binary or memory: http://www.passiveaggressivenotes.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.passiveaggressivenotes.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.pleasedonate.biz
Source: VirusSick.exe	String found in binary or memory: http://www.pointerpointer.com
Source: VirusSick.exe, 00000000.00000002.976676691.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pointerpointer.comsov
Source: VirusSick.exe	String found in binary or memory: http://www.procatinator.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.procatinator.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.randomcolour.com
Source: VirusSick.exe	String found in binary or memory: http://www.rockpaperberlin.com
Source: VirusSick.exe	String found in binary or memory: http://www.rrrgggbbb.com
Source: VirusSick.exe	String found in binary or memory: http://www.sadforjapan.com
Source: VirusSick.exe	String found in binary or memory: http://www.staggeringbeauty.com
Source: VirusSick.exe	String found in binary or memory: http://www.stinkmoji.com
Source: VirusSick.exe	String found in binary or memory: http://www.stupid.com
Source: VirusSick.exe	String found in binary or memory: http://www.thatsthefinger.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thatsthefinger.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.thesecretlivesofdentists.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thesecretlivesofdentists.comwov
Source: VirusSick.exe	String found in binary or memory: http://www.theuselessweb.com
Source: VirusSick.exe	String found in binary or memory: http://www.thisiswhyimbroke.com
Source: VirusSick.exe	String found in binary or memory: http://www.unicodesnowmanforyou.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicodesnowmanforyou.coml
Source: VirusSick.exe	String found in binary or memory: http://www.waitingforfriday.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.waitingforfriday.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.whydidyougoto.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.whydidyougoto.comtov
Source: VirusSick.exe	String found in binary or memory: http://www.yesnoif.com
Source: VirusSick.exe	String found in binary or memory: http://www.zombo.com
Source: VirusSick.exe, 00000000.00000002.977433493.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zombo.comW
Source: VirusSick.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: chromecache_95.5.dr	String found in binary or memory: https://itunes.apple.com/us/app/messenger/id454638411
Source: chromecache_95.5.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.facebook.orca
Source: chromecache_85.5.dr, chromecache_80.5.dr	String found in binary or memory: https://raw.githubusercontent.com/stefanpenner/es6-promise/master/LICENSE
Source: chromecache_71.5.dr	String found in binary or memory: https://ssl.google-analytics.com
Source: chromecache_71.5.dr	String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: chromecache_71.5.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: chromecache_71.5.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: chromecache_71.5.dr	String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: chromecache_95.5.dr, chromecache_79.5.dr, chromecache_84.5.dr	String found in binary or memory: https://www.internalfb.com/intern/invariant/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004C2EBB GetDC,CreateCompatibleDC,GetSystemMetrics,GetSystemMetrics,CreateDIBSection,SelectObject,GetDC,BitBlt,BitBlt,ReleaseDC,DeleteDC,

0_2_004C2EBB

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir5728_964068780

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir5728_964068780

Jump to behavior

Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004DE1E0	0_2_004DE1E0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00500440	0_2_00500440
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004E68E0	0_2_004E68E0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004CB0C0	0_2_004CB0C0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004E5180	0_2_004E5180
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004D12E0	0_2_004D12E0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004DF580	0_2_004DF580
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_0052F5B0	0_2_0052F5B0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004CB870	0_2_004CB870
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004DDD50	0_2_004DDD50
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004E1F30	0_2_004E1F30

Source: C:\Users\user\Desktop\VirusSick.exe	Code function: String function: 004D3F50 appears 80 times
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: String function: 0053B610 appears 52 times
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: String function: 005788D0 appears 32 times

Source: VirusSick.exe

Static PE information: Number of sections : 17 > 10

Source: VirusSick.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@27/47@35/12

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004DC820 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,

0_2_004DC820

Source: C:\Users\user\Desktop\VirusSick.exe	Mutant created: \Sessions\1\BaseNamedObjects\LeBkAaAa__shmem3_winpthreads_tdm_
Source: C:\Users\user\Desktop\VirusSick.exe	Mutant created: \Sessions\1\BaseNamedObjects\LeBkAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03

Source: VirusSick.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VirusSick.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VirusSick.exe	Virustotal: Detection: 63%
Source: VirusSick.exe	ReversingLabs: Detection: 50%

Source: VirusSick.exe	String found in binary or memory: /addr_imp
Source: VirusSick.exe	String found in binary or memory: /addr_imp

Source: unknown	Process created: C:\Users\user\Desktop\VirusSick.exe "C:\Users\user\Desktop\VirusSick.exe"
Source: C:\Users\user\Desktop\VirusSick.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start "" "http://www.drinkify.org"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.drinkify.org/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1880,i,8262623870461844564,809522073933189353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2020 /prefetch:3
Source: C:\Users\user\Desktop\VirusSick.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start "" "http://www.drinkify.org"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.drinkify.org/	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1880,i,8262623870461844564,809522073933189353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2020 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VirusSick.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Users\user\Desktop\VirusSick.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: VirusSick.exe

Static file information: File size 2300091 > 1048576

Source: VirusSick.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004E91F1 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_004E91F1

Source: VirusSick.exe	Static PE information: section name: /4
Source: VirusSick.exe	Static PE information: section name: /19
Source: VirusSick.exe	Static PE information: section name: /31
Source: VirusSick.exe	Static PE information: section name: /45
Source: VirusSick.exe	Static PE information: section name: /57
Source: VirusSick.exe	Static PE information: section name: /70
Source: VirusSick.exe	Static PE information: section name: /81
Source: VirusSick.exe	Static PE information: section name: /92

Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005363E4 push ecx; mov dword ptr [esp], eax	0_2_0053640D
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005245E3 push ecx; mov dword ptr [esp], eax	0_2_00524605
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005186C8 push ecx; mov dword ptr [esp], eax	0_2_005186EA
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005387C1 push ecx; mov dword ptr [esp], eax	0_2_005387EA
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005287AC push ecx; mov dword ptr [esp], eax	0_2_005287CE
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_0051AAE3 push ecx; mov dword ptr [esp], eax	0_2_0051AB05
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00526B71 push ecx; mov dword ptr [esp], eax	0_2_00526B93
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004DADE0 push eax; mov dword ptr [esp], esi	0_2_004DAE9B
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00517039 push ecx; mov dword ptr [esp], eax	0_2_0051705B
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005251C1 push ecx; mov dword ptr [esp], eax	0_2_005251E3
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005191F8 push ecx; mov dword ptr [esp], eax	0_2_0051921A
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005353CB push ecx; mov dword ptr [esp], eax	0_2_005353F4
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005377C1 push ecx; mov dword ptr [esp], eax	0_2_005377EA
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005278C9 push ecx; mov dword ptr [esp], eax	0_2_005278EB
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_0051B93B push ecx; mov dword ptr [esp], eax	0_2_0051B95D
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_005239D1 push ecx; mov dword ptr [esp], eax	0_2_005239F3
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00517B79 push edx; mov dword ptr [esp], eax	0_2_00517B9B
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00525DB9 push ecx; mov dword ptr [esp], eax	0_2_00525DDB
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_00519E93 push edx; mov dword ptr [esp], eax	0_2_00519EB5

Source: C:\Users\user\Desktop\VirusSick.exe

API coverage: 2.3 %

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004DC239 _strdup,free,IsDebuggerPresent,RaiseException,

0_2_004DC239

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004DC820 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,

0_2_004DC820

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004E91F1 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_004E91F1

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004C1749 GetProcessHeap,HeapAlloc,RtlAllocateHeap,waveOutOpen,waveOutPrepareHeader,waveOutWrite,Sleep,Sleep,Sleep,Sleep,waveOutReset,waveOutUnprepareHeader,HeapFree,

0_2_004C1749

Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004D8A24 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,GetCurrentThreadId,_setjmp3,CloseHandle,Sleep,	0_2_004D8A24
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004C117C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_004C117C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004D8AB1 RtlAddVectoredExceptionHandler,	0_2_004D8AB1
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004C1170 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_004C1170
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004C11B3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_004C11B3
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 0_2_004C13D1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	0_2_004C13D1

Source: C:\Users\user\Desktop\VirusSick.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start "" "http://www.drinkify.org"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.drinkify.org/			Jump to behavior

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_00564BC0 cpuid

0_2_00564BC0

Source: C:\Users\user\Desktop\VirusSick.exe

Code function: 0_2_004D5700 GetSystemTimeAsFileTime,

0_2_004D5700

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon
Source: http://www.drinkify.org/	HTTP Parser: No favicon

Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F0150
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push esi	0_2_00548160
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_00544314
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then movzx edx, byte ptr [esp+14h]	0_2_005363E4
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then jmp 0053C230h	0_2_0053C3A0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_0054E4B0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_0054E4B0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push esi	0_2_0053C5B0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F0600
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_004F0720
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, 005A8390h	0_2_00546A80
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_00548B50
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_00548B50
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_00548B50
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_00546CB0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_004FB140
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F9120
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F91BC
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then sub esp, 1Ch	0_2_004EB270
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_00549210
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_00549210
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_00549210
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_005432D2
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then sub esp, 1Ch	0_2_004EB2E2
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F9350
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F93EC
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, ecx	0_2_0057F380
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004F9420
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F9420
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004F94BC
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F956C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_005415C4
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F96D0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004F976C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push edi	0_2_004EF770
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, ecx	0_2_0057B7F0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_0052B960
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F9900
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004F99D0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F99D0
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F999C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004F9A6C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	0_2_004F9B1C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004FDC61
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004FDC61
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004FDC61
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004FDD0C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_004FDDBC
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004FDE6C
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_004FBE30
Source: C:\Users\user\Desktop\VirusSick.exe	Code function: 4x nop then push ebp	0_2_00543FC4

Source: Joe Sandbox View	IP Address: 151.101.8.157 151.101.8.157
Source: Joe Sandbox View	IP Address: 162.159.140.229 162.159.140.229
Source: Joe Sandbox View	IP Address: 172.66.0.227 172.66.0.227

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 11 Mar 2025 23:50:26 GMTServer: nginx/1.10.3 (Ubuntu)Content-Type: text/html; charset=UTF-8Content-Length: 5252Vary: Accept-EncodingContent-Encoding: gzipKeep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 3c 6b 77 db b6 92 df f3 2b 10 b9 b9 92 5a 91 7a cb b6 6c 39 b5 13 a7 f5 dd 34 ee 26 ce ed 76 7b ba 39 90 08 49 b0 29 52 97 a4 2c bb b9 39 67 ff c6 fe bd fd 25 3b 03 be 00 10 a4 e4 dc c7 59 a6 95 25 12 18 0c e6 3d 03 02 cf 4e 9f bf be 7e 75 f3 eb cf 97 64 19 ad dc b3 67 a7 f8 87 b8 d4 5b 4c 6a cc ab 9d 3d 7b 76 fa dc b2 c8 5f 2e df ff 4a 3e 5c bf 87 cf 37 d7 ef c9 f9 db b7 e4 a7 f3 f7 ff f6 f1 67 f2 e1 ea dd 07 72 f3 e3 f9 0d 3c 78 fb f6 fa 17 9b f4 06 64 e9 6f 82 90 70 cf e3 91 4d 2c 0b a0 10 72 ba 64 d4 39 83 2f 84 88 8f d3 15 8b 28 99 2d 69 10 b2 68 52 db 44 73 eb a8 76 26 3d f2 e8 8a 4d 6a f7 9c 6d d7 7e 10 d5 c8 cc f7 22 e6 41 d3 2d 77 a2 e5 c4 61 f7 7c c6 2c f1 a3 c5 61 24 4e 5d 2b 9c 51 97 4d ba b5 c2 38 eb c0 5f b3 20 7a 9c d4 fc c5 38 e4 11 fb 84 e0 25 a0 af 03 ee dd f1 f9 63 8d b4 13 24 22 1e b9 ec 2c bd 7f da 8e 7f 97 c1 14 4f ab e0 95 75 dc 04 ae d4 6d 19 45 eb 71 bb ed 24 bd 6d 3f 58 b4 33 10 25 10 f8 8a 2e d8 0e 18 dc 9b b9 1b 87 85 6d d1 b8 bd f4 57 ec d3 74 61 df ae 17 b5 d2 29 41 f3 59 c0 d7 11 f7 3d 09 fa af fe 86 ac f9 ec 8e 44 4b 46 56 9b 90 cf 5a 64 cb ea ae 9b df 15 23 3f 27 d7 4b e2 30 1a d8 0a fe f1 60 0e bf 27 dc 99 d4 e6 53 2b f0 fd a8 76 76 da 86 5b 09 26 f1 a8 67 8d f9 c6 9b e1 e0 0d a7 45 c2 16 b4 6f 92 cf 09 9c 7b 1a 90 5b b8 37 bf 0d c9 84 38 f6 82 45 97 2e 5b 01 82 e1 c5 e3 0d 5d bc 03 e6 36 c2 e6 6f 9d df 4f 92 1e 7c 4e 1a 72 bb 8b c7 2b a7 01 20 9b 24 60 d1 26 f0 d2 76 09 c0 59 c0 68 c4 92 b6 00 e9 04 1e d8 dc 81 67 dc c9 9b da 61 30 83 5b b5 76 1b c8 e3 b1 59 64 cf e9 8c 4d 7d ff ce f6 58 d4 66 de a7 8f 1f da d4 75 ed db f0 e0 61 3e 5d b9 93 ee 9f e8 7a 7d e5 4c ba 83 c1 68 30 1a 75 7a fd 4e ef f0 b8 53 4b 61 c2 84 ec 35 0d 60 d0 77 be c3 6c ee 85 c0 8e 0b 36 f7 03 d6 48 26 dc 8c db 7e 69 38 fe 6c 83 e8 b5 48 3d 26 59 1d be a5 08 58 b7 61 e8 dc d5 9b cd 93 d3 76 42 50 49 0c 41 a7 7f 03 8a b8 11 b9 ba 24 c7 bf a7 ec 49 48 4f 60 5a 99 18 a1 41 18 86 4b be b2 17 be bf 70 d9 0c f1 9a f9 ab 76 78 ef b5 a3 60 e3 dd c5 4d 60 8e c8 46 79 ac d3 e7 bf 31 cf e1 f3 df d1 04 18 e1 87 30 00 bd a5 0f 09 6c ba e6 a1 80 8d f7 da 2e 9f 86 ed db bf 6e 58 f0 d8 ee da 23 7b 90 fc b0 57 dc 33 8d e6 82 d4 91 65 c0 e6 93 5a 2e ef 40 8b 28 8c 02 ba b6 67 61 58 03 66 bb 93 5a 18 3d ba 2c 5c 32 16 a5 c2 2f ee 90 e8 71 0d 16 27 62 0f 51 1b 1b a7 54 69 7f 4b ae ef 59 10 70 87 91 10 14 07 a4 7a 4e 37 6e 14 92 6f db cf 24 a9 96 af ef e7 a0 2f 16 32 83 7c 4e be ae b8 fb 38 26 f5 37 1b 10 37 7a 71 63 5d 00 97 ea 27 40 8a 31 01 1b d0 a8 67 28 cf 45 8b 76 b7 7f 34 bc ec 7c ea d8 cc 8f ea cd 3d 1b be 3c e0 6c ce 1f ea 4d 02 22 b3 a2 51 a3 ce 56 53 e6 38 cc b1 40 b3 3d 9c 61 bd d9 aa 06 b3 f5 e7 73 09 40 fc 73 47 9f 28 92 bb 80 58 b0 bd 86 0a ef 17 07 5b b9 27 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 11 Mar 2025 23:50:27 GMTServer: nginx/1.10.3 (Ubuntu)Content-Type: text/cssContent-Length: 9649Last-Modified: Fri, 29 Nov 2013 16:55:13 GMTETag: "db97-4ec53b19ff2ed-gzip"Vary: Accept-EncodingContent-Encoding: gzipAccept-Ranges: bytesKeep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 3d 6b 93 e3 36 72 9f 33 bf 82 f1 95 e3 dd 8d 24 53 d4 7b 5c b7 75 3e db c9 b9 ea ec ba 3a fb 92 54 f9 5c 29 88 a4 46 cc 52 a2 4c 52 3b 3b 76 f9 bf a7 f1 24 1e 0d 90 d2 3c 2e ae ca ce ce 43 78 34 1a 8d 46 a3 d1 68 34 3e 7d f3 cf 37 d1 9b e8 8f 55 d5 36 6d 4d 4e d1 fb e9 64 3e 89 21 8d 26 7f 51 9d 1e ea e2 6e df 46 49 3c 9d 46 df df 17 6d 9b d7 a3 e8 eb 63 4a b3 ff 5c a4 f9 b1 c9 b3 e8 7c cc f2 3a 6a f7 79 f4 f9 89 a4 f0 4b e4 44 ef 13 06 2b da b7 ed e9 f6 d3 4f ef ef ef 27 84 95 98 54 f5 dd a7 25 2f d5 7c fa e7 af bf f8 ea db ef be 1a 27 aa e5 2f f3 a6 b8 3b 02 68 72 cc a2 ed b9 28 db 08 1a df 47 a4 2c 59 3b 65 f5 3e 8f 8a 23 fb fb be aa cb 2c fa 43 cb b1 8b b6 0f d1 1f 0e 59 c5 6a fe 61 47 da 09 83 47 da fc 36 fa 8e b4 d1 b7 d5 fb 28 5a 44 d3 d5 6d bc ba 9d af a3 bf 7c f9 3d eb 1d 94 fa f4 e6 d3 37 d1 5f f3 26 6f 27 65 de 34 b4 de 5f ea ea d4 44 6d 15 7d 55 17 69 f4 4d fe 00 0d bc 3a d0 5f f7 f9 76 92 56 87 d7 d1 ae aa a3 7d d1 44 5f 7c f7 5d 54 d3 ca d1 ae 28 f3 49 f4 9f f9 27 75 1e 9d 9b e2 78 07 b8 44 24 23 a7 16 3a f4 3e af 9b a2 3a 46 fb bc ce ff a9 dd 03 46 e9 b9 6d a2 ea dc 46 4d 75 c8 a3 6a c7 3a c5 21 fd e9 fb 6f fe 1c e5 65 7e c8 8f 50 e6 1e fa 5a 00 01 8e 39 00 81 9f 00 8d 42 89 5e 15 93 7c 32 8a b2 dd 71 14 35 e4 70 1a 45 79 9b be 66 fd 1e ff 76 ff d1 f1 d8 b7 87 72 14 6d ab ec 21 fa e5 26 8a 0e a4 be 2b 8e b7 51 fc 19 7c 38 91 2c 03 da b2 4f bf de ec a7 a3 9b 7d 02 df 33 f8 9e c3 f7 02 be 97 a3 9b d3 e8 66 5b 56 e9 bb 9f ce 55 9b c3 c7 1a 7e 10 f8 bf dd d6 f0 33 ad ab e3 c3 01 fe c8 32 20 78 33 ba 49 0b 5a 2a ad 32 f8 99 e5 25 fc 00 a2 de e4 50 a4 38 dc 8d 6e 7e 1a dd 40 21 46 e3 9b e6 00 cc 08 bf da ba 78 97 b3 df d5 11 8a 34 e7 2d fd 01 05 da 76 74 f3 9e 40 33 59 06 df 14 16 24 94 c5 e8 a6 82 bf cf f0 bd 2b f2 32 83 61 86 bf aa 1a 9a 28 c9 96 36 59 e6 77 f9 11 aa 6c cf 6d 5b 41 eb 2d d9 96 14 29 e0 9f 82 7d a6 f4 80 5f 3b 98 b4 f0 6b 9f 13 28 dc d6 f4 4f f8 ce c2 94 8a 80 9a 35 cc 56 f1 61 57 1d db f1 7d 4e e7 f8 6d 74 04 2c 48 a9 92 9b f6 a1 cc dd d4 e2 67 48 9c c6 f1 c7 34 a9 2c 8e f9 78 2f ea 4f 55 a1 1d 39 14 e5 c3 2d cc 50 60 d0 a2 a5 03 c4 7a c1 70 e3 08 8c d3 aa 2c c9 a9 01 60 f2 af 0e bb 71 03 52 a2 1b 5c 20 58 74 2e 59 e5 b2 68 34 cc 8e 39 cd fe e9 76 9b 03 05 81 46 3f dd 92 1d 95 50 da 98 ab 3c 2d 89 15 62 e0 52 c0 16 e6 d6 6d f4 d1 47 8c 8b 80 df 58 3a 88 97 7a 57 56 f7 63 e8 44 03 5c 52 fa 08 00 c4 db be 2b da 71 9b 7f e0 59 63 92 fd cf b9 69 b5 12 87 c6 9b fb eb 0d b9 dd 55 e9 b9 e1 8d 9e 5b 4a cf 5b 10 00 20 da b2 0a c4 59 c6 cb ec 29 3e a3 88 dc 92 b4 2d de e7 66 69 46 22 52 b7 45 4a d9 84 34 05 67 de 96 14 65 43 99 ec 4e 71 0e fc 7d a6 a4 a0 9c

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: AutoItHost: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: AutoItHost: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /api/json/ip/5SPfwvEV3gwc55pvxBQOnjhEt01fgi0C/173.63.140.196 HTTP/1.1User-Agent: AutoItHost: ipqualityscore.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /en_US/all.js HTTP/1.1Host: connect.facebook.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_US/all.js?hash=95d551812e9838d7fc28ed122813058e HTTP/1.1Host: connect.facebook.netConnection: keep-aliveOrigin: http://www.drinkify.orgsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /widgets/widget_iframe.2f70fb173b9000da126c79afe2098f02.html?origin=http%3A%2F%2Fwww.drinkify.org HTTP/1.1Host: platform.twitter.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /plugins/like.php?action=like&app_id=144646602302790&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Dfe03f3a253b0fddeb%26domain%3Dwww.drinkify.org%26is_canvas%3Dfalse%26origin%3Dhttp%253A%252F%252Fwww.drinkify.org%252Ff7317b22f1ae06b8c%26relation%3Dparent.parent&container_width=273&href=http%3A%2F%2Fdrinkify.org%2F&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false HTTP/1.1Host: www.facebook.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/button.856debeac157d9669cf51e73a08fbc93.js HTTP/1.1Host: platform.twitter.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=h0FA.CRUACF9FROR29BVyI9IlIC_kMeUmhIi0STNF9M-1741737037-1.0.1.1-xD2UvrL_v.wI8iosE3TdcJUytPan2L1og_qTkURmT7QArCh5YEksDgcr9EHkJ4hXazjLUbwyMJHr.wDE8Y4w6yTidWmY5t0nK6jdsz4d1Ts
Source: global traffic	HTTP traffic detected: GET /rsrc.php/v4iEpO4/yU/l/en_US/NsDwOL4Sjgn.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Origin: https://www.facebook.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rsrc.php/v4/yD/r/FEppCFCt76d.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /widgets/follow_button.2f70fb173b9000da126c79afe2098f02.en.html HTTP/1.1Host: platform.twitter.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: http://www.drinkify.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=h0FA.CRUACF9FROR29BVyI9IlIC_kMeUmhIi0STNF9M-1741737037-1.0.1.1-xD2UvrL_v.wI8iosE3TdcJUytPan2L1og_qTkURmT7QArCh5YEksDgcr9EHkJ4hXazjLUbwyMJHr.wDE8Y4w6yTidWmY5t0nK6jdsz4d1Ts
Source: global traffic	HTTP traffic detected: GET /rsrc.php/v4/yD/r/FEppCFCt76d.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rsrc.php/v4iEpO4/yU/l/en_US/NsDwOL4Sjgn.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rsrc.php/v4iEpO4/yU/l/en_US/NsDwOL4Sjgn.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/bootstrap.css HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/image/loader.gif HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/image/loader.gif HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /includes/image/bg_tile.gif HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/image/home_bg.jpg HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /widgets.js HTTP/1.1Host: platform.twitter.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/futura/1385E0_0.woff HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Origin: http://www.drinkify.orgAccept: /Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/image/bg_tile.gif HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /includes/image/home_bg.jpg HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.drinkify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.drinkify.org/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=22995566.1384442178.1741737032.1741737032.1741737032.1; __utmc=22995566; __utmz=22995566.1741737032.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none); __utmt=1; __utmb=22995566.1.10.1741737032

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
VirusSick.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Source: VirusSick.exe	Virustotal: Detection: 63%			Perma Link
Source: VirusSick.exe	ReversingLabs: Detection: 50%

Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: chromecache_95.5.dr	String found in binary or memory: } }).call(global);})();} catch (__fb_err) {var __fb_i = new Image();__fb_i.crossOrigin = 'anonymous';__fb_i.dataset.testid = 'fbSDKErrorReport';__fb_i.src='https://www.facebook.com/platform/scribe_endpoint.php/?c=jssdk_error&m='+encodeURIComponent('{"error":"LOAD", "extra": {"name":"'+__fb_err.name+'","line":"'+(__fb_err.lineNumber\|\|__fb_err.line)+'","script":"'+(__fb_err.fileName\|\|__fb_err.sourceURL\|\|__fb_err.script\|\|"all.js")+'","stack":"'+(__fb_err.stackTrace\|\|__fb_err.stack)+'","revision":"1020800288","namespace":"FB","message":"'+__fb_err.message+'"}}');document.body.appendChild(__fb_i);} equals www.facebook.com (Facebook)
Source: chromecache_79.5.dr, chromecache_84.5.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/A4tfXiHOGrs/ equals www.facebook.com (Facebook)
Source: chromecache_79.5.dr, chromecache_84.5.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/Ga6vBwdwgUx/ equals www.facebook.com (Facebook)
Source: chromecache_79.5.dr, chromecache_84.5.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/V9vdYColc4k/ equals www.facebook.com (Facebook)
Source: chromecache_79.5.dr, chromecache_84.5.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/WRsJ32R7YJG/ equals www.facebook.com (Facebook)
Source: chromecache_95.5.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/t3hOLs8wlXy/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.drinkify.org
Source: global traffic	DNS traffic detected: DNS query: connect.facebook.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: platform.twitter.com
Source: global traffic	DNS traffic detected: DNS query: syndication.twitter.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: static.xx.fbcdn.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: boston.musichackday.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VirusSick.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
VirusSick.exe