Edit tour

Windows Analysis Report
3EqRILOXx1.exe

Overview

General Information

Sample Name:	3EqRILOXx1.exe
Analysis ID:	614683
MD5:	5ca02369b45067fe039314f38b286767
SHA1:	b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
SHA256:	039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
Tags:	exesansisc
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Antivirus / Scanner detection for submitted sample

Contains functionality to capture screen (.Net source)

.NET source code references suspicious native API functions

Machine Learning detection for sample

May check the online IP address of the machine

Uses 32bit PE files

Yara signature match

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

One or more processes crash

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Contains functionality to call native functions

IP address seen in connection with other malware

Enables debug privileges

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

3EqRILOXx1.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\3EqRILOXx1.exe" MD5: 5CA02369B45067FE039314F38B286767)

dw20.exe (PID: 6484 cmdline: dw20.exe -x -s 1364 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "FTP", "FTP Server": "ftp://103.147.185.85/", "Password": "bvhfgas7", "Port": 21}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
3EqRILOXx1.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x71d5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x70f47:$a3: \Google\Chrome\User Data\Default\Login Data 0x7138e:$a4: \Orbitum\User Data\Default\Login Data 0x7250f:$a5: \Kometa\User Data\Default\Login Data
3EqRILOXx1.exe	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3EqRILOXx1.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3EqRILOXx1.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3EqRILOXx1.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x6c12a:$s1: UnHook 0x6c131:$s2: SetHook 0x6c139:$s3: CallNextHook 0x6c146:$s4: _hook
3EqRILOXx1.exe	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6c9c9:$s8: GrabbedClp 0x6cc71:$s9: StartKeylogger 0x6f434:$x1: $%SMTPDV$ 0x6e0de:$x2: $#TheHashHere%& 0x6e0cc:$x3: %FTPDV$ 0x6f4c2:$x4: $%TelegramDv$ 0x6cd00:$x5: KeyLoggerEventArgs 0x6d3e8:$x5: KeyLoggerEventArgs 0x6f460:$m1: \| Snake Keylogger 0x6f522:$m1: \| Snake Keylogger 0x6f676:$m1: \| Snake Keylogger 0x6f79c:$m1: \| Snake Keylogger 0x6f8f6:$m1: \| Snake Keylogger 0x6f400:$m2: Clipboard Logs ID 0x6f62c:$m2: Screenshot Logs ID 0x6f740:$m2: keystroke Logs ID 0x6f92c:$m3: SnakePW 0x6f604:$m4: \SnakeKeylogger\
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6c7c9:$s8: GrabbedClp 0x6ca71:$s9: StartKeylogger 0x6f234:$x1: $%SMTPDV$ 0x6dede:$x2: $#TheHashHere%& 0x6decc:$x3: %FTPDV$ 0x6f2c2:$x4: $%TelegramDv$ 0x6cb00:$x5: KeyLoggerEventArgs 0x6d1e8:$x5: KeyLoggerEventArgs 0x6f260:$m1: \| Snake Keylogger 0x6f322:$m1: \| Snake Keylogger 0x6f476:$m1: \| Snake Keylogger 0x6f59c:$m1: \| Snake Keylogger 0x6f6f6:$m1: \| Snake Keylogger 0x6f200:$m2: Clipboard Logs ID 0x6f42c:$m2: Screenshot Logs ID 0x6f540:$m2: keystroke Logs ID 0x6f72c:$m3: SnakePW 0x6f404:$m4: \SnakeKeylogger\
00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6c7c9:$s8: GrabbedClp 0x6ca71:$s9: StartKeylogger 0x6f234:$x1: $%SMTPDV$ 0x6dede:$x2: $#TheHashHere%& 0x6decc:$x3: %FTPDV$ 0x6f2c2:$x4: $%TelegramDv$ 0x6cb00:$x5: KeyLoggerEventArgs 0x6d1e8:$x5: KeyLoggerEventArgs 0x6f260:$m1: \| Snake Keylogger 0x6f322:$m1: \| Snake Keylogger 0x6f476:$m1: \| Snake Keylogger 0x6f59c:$m1: \| Snake Keylogger 0x6f6f6:$m1: \| Snake Keylogger 0x6f200:$m2: Clipboard Logs ID 0x6f42c:$m2: Screenshot Logs ID 0x6f540:$m2: keystroke Logs ID 0x6f72c:$m3: SnakePW 0x6f404:$m4: \SnakeKeylogger\
Process Memory Space: 3EqRILOXx1.exe PID: 6192	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 3EqRILOXx1.exe PID: 6192	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3EqRILOXx1.exe PID: 6192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3EqRILOXx1.exe PID: 6192	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1b79c:$s8: GrabbedClp 0x1ba44:$s9: StartKeylogger 0x1bad3:$x5: KeyLoggerEventArgs 0x1c1bb:$x5: KeyLoggerEventArgs 0x1ef43:$x5: KeyLoggerEventArgs 0x1f5bc:$x5: KeyLoggerEventArgs 0x20ad4:$m1: \| Snake Keylogger 0x20b31:$m1: \| Snake Keylogger 0x20bc5:$m1: \| Snake Keylogger 0x20c26:$m1: \| Snake Keylogger 0x20c9b:$m1: \| Snake Keylogger 0x20aa3:$m2: Clipboard Logs ID 0x20ba0:$m2: Screenshot Logs ID 0x20bf8:$m2: keystroke Logs ID 0x20cb6:$m3: SnakePW 0x20b8c:$m4: \SnakeKeylogger\
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.3EqRILOXx1.exe.780000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x71d5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x70f47:$a3: \Google\Chrome\User Data\Default\Login Data 0x7138e:$a4: \Orbitum\User Data\Default\Login Data 0x7250f:$a5: \Kometa\User Data\Default\Login Data
0.0.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.0.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.3EqRILOXx1.exe.780000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x6c12a:$s1: UnHook 0x6c131:$s2: SetHook 0x6c139:$s3: CallNextHook 0x6c146:$s4: _hook
0.0.3EqRILOXx1.exe.780000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6c9c9:$s8: GrabbedClp 0x6cc71:$s9: StartKeylogger 0x6f434:$x1: $%SMTPDV$ 0x6e0de:$x2: $#TheHashHere%& 0x6e0cc:$x3: %FTPDV$ 0x6f4c2:$x4: $%TelegramDv$ 0x6cd00:$x5: KeyLoggerEventArgs 0x6d3e8:$x5: KeyLoggerEventArgs 0x6f460:$m1: \| Snake Keylogger 0x6f522:$m1: \| Snake Keylogger 0x6f676:$m1: \| Snake Keylogger 0x6f79c:$m1: \| Snake Keylogger 0x6f8f6:$m1: \| Snake Keylogger 0x6f400:$m2: Clipboard Logs ID 0x6f62c:$m2: Screenshot Logs ID 0x6f740:$m2: keystroke Logs ID 0x6f92c:$m3: SnakePW 0x6f604:$m4: \SnakeKeylogger\
0.2.3EqRILOXx1.exe.780000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x71d5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x70f47:$a3: \Google\Chrome\User Data\Default\Login Data 0x7138e:$a4: \Orbitum\User Data\Default\Login Data 0x7250f:$a5: \Kometa\User Data\Default\Login Data
0.2.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3EqRILOXx1.exe.780000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3EqRILOXx1.exe.780000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x6c12a:$s1: UnHook 0x6c131:$s2: SetHook 0x6c139:$s3: CallNextHook 0x6c146:$s4: _hook
0.2.3EqRILOXx1.exe.780000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6c9c9:$s8: GrabbedClp 0x6cc71:$s9: StartKeylogger 0x6f434:$x1: $%SMTPDV$ 0x6e0de:$x2: $#TheHashHere%& 0x6e0cc:$x3: %FTPDV$ 0x6f4c2:$x4: $%TelegramDv$ 0x6cd00:$x5: KeyLoggerEventArgs 0x6d3e8:$x5: KeyLoggerEventArgs 0x6f460:$m1: \| Snake Keylogger 0x6f522:$m1: \| Snake Keylogger 0x6f676:$m1: \| Snake Keylogger 0x6f79c:$m1: \| Snake Keylogger 0x6f8f6:$m1: \| Snake Keylogger 0x6f400:$m2: Clipboard Logs ID 0x6f62c:$m2: Screenshot Logs ID 0x6f740:$m2: keystroke Logs ID 0x6f92c:$m3: SnakePW 0x6f604:$m4: \SnakeKeylogger\
Click to see the 7 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Users\user\Desktop\3EqRILOXx1.exe, QueryName: checkip.dyndns.org

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.4 - Destination IP: 132.226.247.73

Timestamp:	04/25/22-07:30:14.530852 04/25/22-07:30:14.530852
SID:	2842536
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.0.3EqRILOXx1.exe.780000.0.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://103.147.185.85/", "Password": "bvhfgas7", "Port": 21}

Multi AV Scanner detection for submitted file

Source: 3EqRILOXx1.exe

ReversingLabs: Detection: 69%

Antivirus / Scanner detection for submitted sample

Source: 3EqRILOXx1.exe

Avira: detected

Machine Learning detection for sample

Source: 3EqRILOXx1.exe

Joe Sandbox ML: detected

Source: 3EqRILOXx1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 3EqRILOXx1.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.4:49738 -> 132.226.247.73:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View

ASN Name: UTMEMUS UTMEMUS

Source: Joe Sandbox View

IP Address: 132.226.247.73 132.226.247.73

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 3EqRILOXx1.exe, 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 3EqRILOXx1.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgx&Qq
Source: 3EqRILOXx1.exe	String found in binary or memory: https://api.telegram.org/bot
Source: 3EqRILOXx1.exe	String found in binary or memory: https://freegeoip.app/xml/

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Code function: 0_2_00EBA09A recv,

0_2_00EBA09A

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	.Net Code: TakeScreenshot
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	.Net Code: TakeScreenshot

System Summary

Malicious sample detected (through community Yara rule)

Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: 3EqRILOXx1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3EqRILOXx1.exe, type: SAMPLE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Code function: 0_2_00EBA67E NtQuerySystemInformation,		0_2_00EBA67E
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Code function: 0_2_00EBA64D NtQuerySystemInformation,		0_2_00EBA64D

Source: 3EqRILOXx1.exe, 00000000.00000002.318794855.00000000007F8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe
Source: 3EqRILOXx1.exe	Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe

Source: 3EqRILOXx1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3EqRILOXx1.exe

ReversingLabs: Detection: 69%

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

File read: C:\Users\user\Desktop\3EqRILOXx1.exe

Jump to behavior

Source: 3EqRILOXx1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3EqRILOXx1.exe "C:\Users\user\Desktop\3EqRILOXx1.exe"
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364	Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Code function: 0_2_00EBA502 AdjustTokenPrivileges,		0_2_00EBA502
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Code function: 0_2_00EBA4CB AdjustTokenPrivileges,		0_2_00EBA4CB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5266.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 3EqRILOXx1.exe	String found in binary or memory: F-Stopw
Source: 3EqRILOXx1.exe	String found in binary or memory: F-Stopw

Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 3EqRILOXx1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3EqRILOXx1.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source:	Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp

Source: initial sample

Static PE information: section name: .text entropy: 7.74079601316

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364

Jump to behavior

Source: C:\Users\user\Desktop\3EqRILOXx1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Source: Yara match	File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
3EqRILOXx1.exe	69%	ReversingLabs	ByteCode-MSIL.Infostealer.Mintluks
3EqRILOXx1.exe	100%	Avira	TR/ATRAPS.Gen
3EqRILOXx1.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.3EqRILOXx1.exe.780000.0.unpack	100%	Avira	HEUR/AGEN.1203010		Download File
0.2.3EqRILOXx1.exe.780000.0.unpack	100%	Avira	HEUR/AGEN.1203010		Download File

Domains

Source	Detection	Scanner	Label	Link
checkip.dyndns.com	0%	Virustotal		Browse
checkip.dyndns.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://checkip.dyndns.orgx&Qq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	132.226.247.73	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	3EqRILOXx1.exe	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	3EqRILOXx1.exe	false		high
http://checkip.dyndns.org/q	3EqRILOXx1.exe	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgx&Qq	3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	614683
Start date and time: 25/04/202207:29:11	2022-04-25 07:29:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3EqRILOXx1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.6% (good quality ratio 7.7%) Quality average: 55.4% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:30:55	API Interceptor	1x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
132.226.247.73	iIhOwauYND.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PAGO y ORDEN DE COMPRA.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	56516426-056C-4DBA-984B-979F68AB8D18.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CSAN #U00d6DEME DEKONTU 22.04.22.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.AIDetectNet.01.22194.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	payment slip.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20220327_073712_983787.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Ag5ThzObvDoT0ik.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	12240322409_20220421_05482267_HesapOzeti.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DO AND INVOICE.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER FOR INVOICE SUBMISSION.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	sk09876543456789098765434567890.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SKOP09876543456789098765-54.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ibHrKoujQU.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	T#U0130CAR#U0130 FATURA VE NAKL#U0130YE BELGELER#U0130.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	to Invoice.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Agency nomination.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	final PO THL-M05041.ppam	Get hash	malicious	Browse	checkip.dyndns.org/
	b1e70ac3f3eee60358fd67d17b8b26aa45134b1c3e3c1.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	2021 PDA certificate.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	swift copy for the balance payment.exe	Get hash	malicious	Browse	193.122.130.0
	iIhOwauYND.exe	Get hash	malicious	Browse	132.226.247.73
	Product Inquiry.exe	Get hash	malicious	Browse	193.122.130.0
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	193.122.130.0
	88aBugKI79.exe	Get hash	malicious	Browse	132.226.8.169
	PAGO y ORDEN DE COMPRA.exe	Get hash	malicious	Browse	132.226.247.73
	ufRcZOTXD0.exe	Get hash	malicious	Browse	132.226.8.169
	Wpghskn.exe	Get hash	malicious	Browse	193.122.6.168
	Purchasing Ordersigned contract No.024Ducref06924-INVIII2022.exe	Get hash	malicious	Browse	193.122.6.168
	SFA65309.exe	Get hash	malicious	Browse	193.122.130.0
	56516426-056C-4DBA-984B-979F68AB8D18.exe	Get hash	malicious	Browse	132.226.247.73
	9iHeW9KrVk.exe	Get hash	malicious	Browse	193.122.130.0
	In-depth Research Report on Global Refrigerator Market 2021-2025.exe	Get hash	malicious	Browse	158.101.44.242
	CSAN #U00d6DEME DEKONTU 22.04.22.exe	Get hash	malicious	Browse	132.226.247.73
	SecuriteInfo.com.W32.AIDetectNet.01.22194.exe	Get hash	malicious	Browse	132.226.8.169
	dokumen dan pesanan pembelian.exe	Get hash	malicious	Browse	193.122.130.0
	12240322409_20220422_05482267_HesapOzeti.exe	Get hash	malicious	Browse	193.122.6.168
	payment slip.exe	Get hash	malicious	Browse	132.226.247.73
	Halkbank_Ekstre_20220327_073712_983787.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	New contract BL.exe	Get hash	malicious	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UTMEMUS	iIhOwauYND.exe	Get hash	malicious	Browse	132.226.247.73
	88aBugKI79.exe	Get hash	malicious	Browse	132.226.8.169
	PAGO y ORDEN DE COMPRA.exe	Get hash	malicious	Browse	132.226.247.73
	ufRcZOTXD0.exe	Get hash	malicious	Browse	132.226.8.169
	56516426-056C-4DBA-984B-979F68AB8D18.exe	Get hash	malicious	Browse	132.226.247.73
	CSAN #U00d6DEME DEKONTU 22.04.22.exe	Get hash	malicious	Browse	132.226.247.73
	SecuriteInfo.com.W32.AIDetectNet.01.22194.exe	Get hash	malicious	Browse	132.226.247.73
	payment slip.exe	Get hash	malicious	Browse	132.226.247.73
	Halkbank_Ekstre_20220327_073712_983787.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	Ag5ThzObvDoT0ik.exe	Get hash	malicious	Browse	132.226.247.73
	https://gofile.io/d/db43dde5-24a5-4449-81dc-ee19b62d931d	Get hash	malicious	Browse	132.226.41.106
	12240322409_20220421_05482267_HesapOzeti.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	RFQ AND PROFORMA.exe	Get hash	malicious	Browse	132.226.8.169
	DO AND INVOICE.exe	Get hash	malicious	Browse	132.226.247.73
	Official Order6777889.docx	Get hash	malicious	Browse	132.226.8.169
	PURCHASE ORDER FOR INVOICE SUBMISSION.exe	Get hash	malicious	Browse	132.226.247.73
	sk09876543456789098765434567890.exe	Get hash	malicious	Browse	132.226.247.73
	SKOP09876543456789098765-54.exe	Get hash	malicious	Browse	132.226.247.73
	ibHrKoujQU.exe	Get hash	malicious	Browse	132.226.247.73
	T#U0130CAR#U0130 FATURA VE NAKL#U0130YE BELGELER#U0130.exe	Get hash	malicious	Browse	132.226.247.73

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3EqRILOXx1.exe_ee11ed3d42939d22332a8251e19e2f7a90e88_00000000_1906d41a\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0655206820205292
Encrypted:	false
SSDEEP:	192:LwEji510DHHaKsn9fC59Fm1sNOAkRm5/u7sCS274It1:sE+510jaKCg5/u7sCX4It1
MD5:	F2243B207211AE71852BE57DF7C86BC4
SHA1:	3ABA79F29AE07D7448C93B2006647AB3230F78A8
SHA-256:	FBA21EFC03A5C054899A0815031322815DD79759370EB3A3546A650787A7FF17
SHA-512:	ECD985387E105E2067335DD2205933678FA4D1A500068565F56F201745B407FDDACD6A948D4E5F2C74E96570384FD6DD82FE318093B1DB995BE419F404425150
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.3.3.8.2.2.2.0.3.7.7.2.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.3.3.8.2.2.2.7.4.0.8.4.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.6.f.d.a.3.c.-.3.6.0.5.-.4.6.4.2.-.a.7.4.8.-.d.4.e.c.d.1.6.7.9.b.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.w.v.w.s.O.y.Z.p.B.T.r.B.O.U.x.p.i.Q.D.J.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.0.-.0.0.0.1.-.0.0.1.c.-.9.1.1.8.-.c.9.8.8.6.5.5.8.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.b.c.c.3.a.0.3.8.f.b.d.8.8.a.8.2.5.6.f.d.6.b.7.c.4.1.8.f.1.1.0.0.0.0.0.0.0.0.!.0.0.0.0.b.1.1.f.f.0.b.9.7.7.b.1.6.8.6.3.c.3.4.d.c.3.5.1.2.6.f.1.d.3.d.1.3.a.b.5.c.c.4.f.!.3.E.q.R.I.L.O.X.x.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.0.3.:.1.8.:.5.7.:.5.4.!.0.!.3.E.q.R.I.L.O.X.x.1...e.x.e.....B.o.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5266.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	7610
Entropy (8bit):	3.709037103507393
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNizj26B6Y4eSURgWgmf4T8Sv+p1V9b1fKHm:RrlsNi/26B6YhSURgWgmf4YSqV9pfz
MD5:	6FC24DEB25D133A71BDE3B90F4605205
SHA1:	D388155933CAE5A0A993EC13583628FA1D0F69F5
SHA-256:	B7499C986FF8920C3A82932AE9D03CFAC50D79E707CADF5BD69A64B7E398C08A
SHA-512:	669563F8FD5F0F1027E712D213220646D51A5E3F0F33EFD8BB83F419BE9FA62F5B357A27CCA0E7B4531DD62D51C684020266AFB7E65F5A409911E8E684D4AE47
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5390.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4600
Entropy (8bit):	4.515711899276359
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtWI9JVWgc8sqYjt8fm8M4JFKfeuJoF8D+q88xsJ1XE52tftud:uITff2kgrsqYWJFKLtDfuXk2tfId
MD5:	CF658A65942D584916E491A1A51BE94A
SHA1:	A4286EEB6E00E88349D4E2BC759DBAA4878DA2AD
SHA-256:	927152BBE0CE4E7A2C6B7BB9639EE32441FC908CC11864FC9F80C72C71091FC1
SHA-512:	C8B49B2A1E9712DC31A24B5EBBDA6EEE6A9F480042CABDB2044AD36BFCFA0422AD22B6543D67CF4654F041235636D355E3920F9263725ED8A8E88BF234D47CFB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1486961" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7243202513703695
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	3EqRILOXx1.exe
File size:	481280
MD5:	5ca02369b45067fe039314f38b286767
SHA1:	b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
SHA256:	039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
SHA512:	302c954d724d00309a650661689316fd0898135463882af5ca787cdef4cf9c60e2144dc2f55f80ed6df5e7141730433e1c92ae68eb0f379f1473d050abf0d1a4
SSDEEP:	12288:eR3E3HDei3oXA2jCXgXLz/HQOqzjW/NP:eRU3Hq6oXA2jBXHnqzjG
TLSH:	7CA4E02D37E88900E2BED9B225B14011C7B9A802195FEE0D57D2F42D3E3D6948E5AFD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2p2a.................L...........j... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x476aae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61327032 [Fri Sep 3 18:57:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76a60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x78000	0x606	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x74ab4	0x74c00	False	0.836378730594	data	7.74079601316	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x78000	0x606	0x800	False	0.32568359375	data	3.50532555502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x780a0	0x37c	data
RT_MANIFEST	0x7841c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	wvwsOyZpBTrBOUxpiQDJT.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	wvwsOyZpBTrBOUxpiQDJT
ProductVersion	1.0.0.0
FileDescription	wvwsOyZpBTrBOUxpiQDJT
OriginalFilename	wvwsOyZpBTrBOUxpiQDJT.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/22-07:30:14.530852 04/25/22-07:30:14.530852	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49738	80	192.168.2.4	132.226.247.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2022 07:30:14.300725937 CEST	49738	80	192.168.2.4	132.226.247.73
Apr 25, 2022 07:30:14.530256033 CEST	80	49738	132.226.247.73	192.168.2.4
Apr 25, 2022 07:30:14.530395985 CEST	49738	80	192.168.2.4	132.226.247.73
Apr 25, 2022 07:30:14.530852079 CEST	49738	80	192.168.2.4	132.226.247.73
Apr 25, 2022 07:30:14.760173082 CEST	80	49738	132.226.247.73	192.168.2.4
Apr 25, 2022 07:30:21.409869909 CEST	80	49738	132.226.247.73	192.168.2.4
Apr 25, 2022 07:30:21.587019920 CEST	49738	80	192.168.2.4	132.226.247.73
Apr 25, 2022 07:30:56.630317926 CEST	49738	80	192.168.2.4	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2022 07:30:14.181183100 CEST	64454	53	192.168.2.4	8.8.8.8
Apr 25, 2022 07:30:14.199006081 CEST	53	64454	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 25, 2022 07:30:14.181183100 CEST	192.168.2.4	8.8.8.8	0xcf55	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Apr 25, 2022 07:30:14.199006081 CEST	8.8.8.8	192.168.2.4	0xcf55	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49738	132.226.247.73	80	C:\Users\user\Desktop\3EqRILOXx1.exe

Timestamp	kBytes transferred	Direction	Data
Apr 25, 2022 07:30:14.530852079 CEST	468	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 25, 2022 07:30:21.409869909 CEST	1153	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 25 Apr 2022 05:30:21 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	07:30:11
Start date:	25/04/2022
Path:	C:\Users\user\Desktop\3EqRILOXx1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3EqRILOXx1.exe"
Imagebase:	0x780000
File size:	481280 bytes
MD5 hash:	5CA02369B45067FE039314F38B286767
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	07:30:21
Start date:	25/04/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 1364
Imagebase:	0x10000000
File size:	33936 bytes
MD5 hash:	8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13.5%
Total number of Nodes:	126
Total number of Limit Nodes:	6

Executed Functions

Function 00EBA4CB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00EBA54B

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7a7097e9ffdc316db59fe1c891dadf282f1543517095eed802199b23730c993c
Instruction ID: 23cb8bd9404527d3bfd79677bccbc88e778cfe0bae9fda7b74c8c6c33cec54d3
Opcode Fuzzy Hash: 7a7097e9ffdc316db59fe1c891dadf282f1543517095eed802199b23730c993c
Instruction Fuzzy Hash: B921BF765097809FDB238F25DC40B92BFF4AF06314F0884AAE9858F163D270A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA64D Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00EBA6B9

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a549de77c2d2133c154480f4ca8055ccd70f4cb79df8370a3ff7210908e76f78
Instruction ID: 71e7669e8bf476c6217258f6e62d45e7c3adf43702cb5886346f81ab4b9fc45e
Opcode Fuzzy Hash: a549de77c2d2133c154480f4ca8055ccd70f4cb79df8370a3ff7210908e76f78
Instruction Fuzzy Hash: BA11BE724093C09FDB228B14DC40A92FFB4EF06314F0D80DAE9848F263C265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA502 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00EBA54B

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4eb560ca11129a521899b1076a4e5eb54cadfb12c4fd0bb7bcc78e219b2e4c43
Instruction ID: f988ec43eec5a3b3e1bb48e66c6e305e6bce86da09eeff280e5132beaf6ef2a7
Opcode Fuzzy Hash: 4eb560ca11129a521899b1076a4e5eb54cadfb12c4fd0bb7bcc78e219b2e4c43
Instruction Fuzzy Hash: F2119A715012449FDB21CF55D884BA6FBE8EF08320F08C4AAED4A8B652D231E918CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00EBA0D5

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: a90c481f40193af4cb64d69fbf6a3975972a2e1d23072e770be6ffcc0fd04e43
Instruction ID: 14ccd2b812c5e18b672ea8968844e20a1f623bcdae3080a542ee4c5e8bcc7e06
Opcode Fuzzy Hash: a90c481f40193af4cb64d69fbf6a3975972a2e1d23072e770be6ffcc0fd04e43
Instruction Fuzzy Hash: 6D019A714046409FDB60DF59DC84BA6FBA4EF08324F08C4ABDD499B252D275A408CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA67E Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00EBA6B9

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f83be8d6a13f0293949d391e73255343c341c91334f9b34700b5da5412a91a60
Instruction ID: 9db84591230774f7126390ec9994cfaef9590e4e723e9a7e8a3c7a6d50eaa85a
Opcode Fuzzy Hash: f83be8d6a13f0293949d391e73255343c341c91334f9b34700b5da5412a91a60
Instruction Fuzzy Hash: 8D018B754046449FDB208F05D984BA2FBA0EF08320F0CC4AADD895B65AD275E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05160AE6 Relevance: 1.6, APIs: 1, Instructions: 111
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05160B9D

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e056894e39125af69d58315ede6db6158e7c236172270d459bc77ab02a873ef9
Instruction ID: 54c2065f6a912ecbac613dc9bb0c368021afc8e4f2ffea3fbcca6405380391e2
Opcode Fuzzy Hash: e056894e39125af69d58315ede6db6158e7c236172270d459bc77ab02a873ef9
Instruction Fuzzy Hash: E6419275409384AFE7128F65CC94FA7BFA8EF06310F08899BE885DB193D364A919C771

Uniqueness

Uniqueness Score: -1.00%

Function 00EBADB4 Relevance: 1.6, APIs: 1, Instructions: 102
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00EBAE66

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d93175806937723dbdf9ef216de19f8a86582b32e1ea5aeceed446f24715a5c0
Instruction ID: cfff370b9cd4f1da29c551fd0567d87794b0c2bef636fcec4573abd7d52c53f2
Opcode Fuzzy Hash: d93175806937723dbdf9ef216de19f8a86582b32e1ea5aeceed446f24715a5c0
Instruction Fuzzy Hash: FE3182714093C0AFD7238B65DC55B56BFB4EF06214F0984DBE9849F5A3D365A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05161403 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 051614DB

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: aaccf64866b83f9dc97981d720045eebfe2764b71743cb0b8e345411024fa723
Instruction ID: 37bc93436ed679a107feb5f9eac1ebf0f8963aa1c9ca5515ddf5911bc3ecbc08
Opcode Fuzzy Hash: aaccf64866b83f9dc97981d720045eebfe2764b71743cb0b8e345411024fa723
Instruction Fuzzy Hash: 0C31C372004384AFE7229B60CD44FA6FFACEF05310F14849AF9859F192D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB36B Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EBB421

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4b2e2c42043ae0e3d30775ed64ba8668da19d17bfdf684ee1405ee71e855842
Instruction ID: f49b5edb26b1f8a136b6ef097b59b712e8eecf535c6847e11b084d41a4693230
Opcode Fuzzy Hash: a4b2e2c42043ae0e3d30775ed64ba8668da19d17bfdf684ee1405ee71e855842
Instruction Fuzzy Hash: 3D319EB1505380AFE722CF25DD44B62BFE8EF06314F08849AE9859B253E375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05160763 Relevance: 1.6, APIs: 1, Instructions: 93
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05160826

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: ea25a98d69d5f7ae4c8e06ac8fd65dba2d7f314e37694b2056f663ac598afb70
Instruction ID: f29b2c79950df2f866a5831533df7924d00780da241a36dd614f1f10d8b4a6db
Opcode Fuzzy Hash: ea25a98d69d5f7ae4c8e06ac8fd65dba2d7f314e37694b2056f663ac598afb70
Instruction Fuzzy Hash: 19317E7550D3C45FD7038B258C65AA2BFB4EF47614F1E84CBD8848F2A3E624A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05160CE6 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05160D92

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9c4fdd21ceb7c110a576f9db780472988cc397fbc59ddc093d84487aa40ed024
Instruction ID: 989a4e78753273c288b3aac94d3d03dc81fd005dacbf2cef6c21e3539ce2e12b
Opcode Fuzzy Hash: 9c4fdd21ceb7c110a576f9db780472988cc397fbc59ddc093d84487aa40ed024
Instruction Fuzzy Hash: 7D31B1B6409780AFE7228B65DC45F66FFA8EF06310F08849BE9819F153D224A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 05160665 Relevance: 1.6, APIs: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160719

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: f0e589406921b7ec3f61ece22759a07f405e392f00789efe55c48cec2e9766dc
Instruction ID: a39577dd981392d6e5fda5c045a07ac30fbe2805b94ca8602b54121e39d68feb
Opcode Fuzzy Hash: f0e589406921b7ec3f61ece22759a07f405e392f00789efe55c48cec2e9766dc
Instruction Fuzzy Hash: 28316175109780AFE7228F25DC44F92BFB8EF0A310F08859BE9858B162D335A919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0516038C Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160429

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 75b2c419c425fa7716dfadc1b37f898637f00842207e3e1b77e6cd84aee7cdfb
Instruction ID: f6a18e9cf2910e4f8a0872df55424d5c8312df035c13758adeb71307f9a7b969
Opcode Fuzzy Hash: 75b2c419c425fa7716dfadc1b37f898637f00842207e3e1b77e6cd84aee7cdfb
Instruction Fuzzy Hash: B531B4725097806FE7228F25DC45FA6BFB8EF06310F08859BE985DF192D324A849C771

Uniqueness

Uniqueness Score: -1.00%

Function 05160585 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ioctlsocket.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 0516061B

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 0ff083bafa4072e0b99e82345925a2a8f36aac7bfb376c878e32e0197ab0aad6
Instruction ID: b0ebd6d0a2d5548305ef6afd82bfdb420e9dc222aa32fa15fb0cd030fdc00706
Opcode Fuzzy Hash: 0ff083bafa4072e0b99e82345925a2a8f36aac7bfb376c878e32e0197ab0aad6
Instruction Fuzzy Hash: B031E6724053846FE712CB25DC45F66BFB8EF46320F08C5ABE9449F192D325A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAA11 Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EBAAC1

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ff9e79f3a8e519c4cb5fc3aa3699cf0305b47a23e35dac25124e7490abad0536
Instruction ID: 5d4711e98165e197df0245d17c66a6937a0ab0678119b44a66362ee0117b02cf
Opcode Fuzzy Hash: ff9e79f3a8e519c4cb5fc3aa3699cf0305b47a23e35dac25124e7490abad0536
Instruction Fuzzy Hash: D6318272504784AFE7228F15CD85FA7FFBCEF05310F08859BE9859B192D264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAB09 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBABC4

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 99459879ea1ac3f77d80191ee587802838ecac035d719e8fa0b0908f2e492715
Instruction ID: db8ce0a465dbfc60d85ab0819210521ea728985a42a63afa30898d2b3703bec7
Opcode Fuzzy Hash: 99459879ea1ac3f77d80191ee587802838ecac035d719e8fa0b0908f2e492715
Instruction Fuzzy Hash: 1A3193751097846FEB22CF25CC85F93BFA8EF06314F18849AE985DB192D264E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBC7C Relevance: 1.6, APIs: 1, Instructions: 87
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00EBBD2E

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 1828e6e46d807e2fb070a7d062cf0ffde627aed2d5c724ceee2fed550c6e9f01
Instruction ID: 950c3f50a8b2bb9534d70a1cb513745054050447ca9514f474e9546aeffc7845
Opcode Fuzzy Hash: 1828e6e46d807e2fb070a7d062cf0ffde627aed2d5c724ceee2fed550c6e9f01
Instruction Fuzzy Hash: 6231C472404780AFE722CF55DD45F96FFF8EF06320F04859AE9849B293D365A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051600CD Relevance: 1.6, APIs: 1, Instructions: 85
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0516016D

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9f194f61bacfb0141c5b9dd5a1da1dc96c4d0910304fe912e9afefdf0c1a0811
Instruction ID: 361764e97c642ac6b159d3610c8738c598dfd483cf570ca349a3aa887d602d08
Opcode Fuzzy Hash: 9f194f61bacfb0141c5b9dd5a1da1dc96c4d0910304fe912e9afefdf0c1a0811
Instruction Fuzzy Hash: FD316671509780AFE712CF25DD49F56FFE8EF05210F08849AE9858F292D365E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05161436 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 051614DB

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 707314cf687f0d835f0fa015a89346ef0ea4b0bb9104d93921904d45778325c5
Instruction ID: b95da382d04850c261638bcbb82ea687f7fcebbc3cccfac361f26ac7fad6ff70
Opcode Fuzzy Hash: 707314cf687f0d835f0fa015a89346ef0ea4b0bb9104d93921904d45778325c5
Instruction Fuzzy Hash: 6C21BF72500244AEEB31DF65CD89FA6FBACEF04310F10885AFA459B182D774A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051609F8 Relevance: 1.6, APIs: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05160A91

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 90e24552572b06a5837e23997250912aaf9361643e9bc677c97fb9bf0ebbd6bc
Instruction ID: 60dfd2b1fe75d3c9188722922c4c1559b6a9aa6e4823b197cf86834650f2e672
Opcode Fuzzy Hash: 90e24552572b06a5837e23997250912aaf9361643e9bc677c97fb9bf0ebbd6bc
Instruction Fuzzy Hash: 8521B1764093846FE7128B25DD45F66FFA8EF06310F09849BE9849F193D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EBACE0 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 00EBAD8A

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: 7a49be402ae179cce8378c28e3d0c88f009aa5bc930d006cf2c25291dd4e423a
Instruction ID: 1a3770e695ef6e91a874cdcb7f6d5aa09ae239b1d50ede47a6c9fd0b08df1f96
Opcode Fuzzy Hash: 7a49be402ae179cce8378c28e3d0c88f009aa5bc930d006cf2c25291dd4e423a
Instruction Fuzzy Hash: 43316D7544E3C05FC3138B358C65A62BFB4EF47624B0A81DBD884CF5A3D228A91AC772

Uniqueness

Uniqueness Score: -1.00%

Function 05160BF2 Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160C9C

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 1be8abb53ffcefb5bd71017349139853a32c881916b8943a5c910fcb27a64e06
Instruction ID: 557c39b8a4a82cfc66bbb09a5b97ae523550b888df46dbbbc51138ac91409518
Opcode Fuzzy Hash: 1be8abb53ffcefb5bd71017349139853a32c881916b8943a5c910fcb27a64e06
Instruction Fuzzy Hash: C721B072400644AFEB22CF65DC45FA7FBECEF0A310F14899AE945AB142D274A509CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 05160B1E Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05160B9D

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a604360f6b07b0b268df16b3c06424eaa2cad567b76d626c740889eb93288337
Instruction ID: a4d3fc21c139703b5b722376453c36d8e29eeb984d6bbe904f12f3bfe7d11671
Opcode Fuzzy Hash: a604360f6b07b0b268df16b3c06424eaa2cad567b76d626c740889eb93288337
Instruction Fuzzy Hash: 79218E76500204AEE721DB55DD89F6BBBACEF08310F04885AE9459B242D674A5148A75

Uniqueness

Uniqueness Score: -1.00%

Function 05160C0B Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160C9C

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 45653ec4aca427bdaf7132408d3d84e4277994afbe5dcff9e735ce56ea6393e6
Instruction ID: 227c7c706e2c1ff2c0946db8d72d66d5d9edeb43dd3b6321636367339881c18d
Opcode Fuzzy Hash: 45653ec4aca427bdaf7132408d3d84e4277994afbe5dcff9e735ce56ea6393e6
Instruction Fuzzy Hash: 2B218172409784AFD7228F65DC45F97FFACEF46210F04889BE9859B192D264A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBB9A Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00EBBC25

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: e6add3b456c7dc10cca8b58f3cc717364393d28789e637413f208b23419060e7
Instruction ID: 273095d00e1947fcc046377c7cf738b94d80260bb324e8b7a2cb1961566330c5
Opcode Fuzzy Hash: e6add3b456c7dc10cca8b58f3cc717364393d28789e637413f208b23419060e7
Instruction Fuzzy Hash: D9219FB1505380AFE722CB25CD45F66FFA8EF05310F0884AEE9859F292D375E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB478 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB50D

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e482d19c6ddd4a7fc196b7f00ee208206d4537b1b7c3566d56da0b4d4e4cae20
Instruction ID: 84b5a4a326a58715231da2855c717d9a113e254f613456149092c98a3b75dcee
Opcode Fuzzy Hash: e482d19c6ddd4a7fc196b7f00ee208206d4537b1b7c3566d56da0b4d4e4cae20
Instruction Fuzzy Hash: 70213AB54087806FE7128B25DC40BA3BFB8EF46324F1880DBE9859F193D364A905C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAC1A Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00EBACB6

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 642eedbc4a6ff908108e47ed8a7972e62ee91c9e9d7c5c7edc6ab46667dad41f
Instruction ID: b2ceab8167cb4a82caf0566735b9fdad875cc0bc97516fd15079ba6b6d9f8458
Opcode Fuzzy Hash: 642eedbc4a6ff908108e47ed8a7972e62ee91c9e9d7c5c7edc6ab46667dad41f
Instruction Fuzzy Hash: 4221F8754093C06FD3138B25CC55B62BFB8EF47A10F0981CBE8848B653D225B919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB8F2 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB990

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: af998e60fc0130a1d24799ce1a400b52c9e1905b93785b94d7c031ff525c51b8
Instruction ID: 3c5786875c53da5c18d8db1533534df3c95a36287eaeb50c5df3b0970c260a17
Opcode Fuzzy Hash: af998e60fc0130a1d24799ce1a400b52c9e1905b93785b94d7c031ff525c51b8
Instruction Fuzzy Hash: 96217F72508780AFE721CF15CC84F97BFF8EF45310F08859AE9859B292D364E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB3A2 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EBB421

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6c1700d3d5b5621f9dd3f81ccd544f9a9740071653020ec853d5f45a102ff437
Instruction ID: 09e1fdbcca75b669607a9eebf0d8eb54f16a8585bbd0c7352201db32f29a1427
Opcode Fuzzy Hash: 6c1700d3d5b5621f9dd3f81ccd544f9a9740071653020ec853d5f45a102ff437
Instruction Fuzzy Hash: 2221AE71500240AFEB21CF66CD45BA6FBE8FF08314F14846AE9859B252E3B1E808CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAA42 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EBAAC1

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c97596f3d37289b3648d416b59b3ffcbd77ded2593e926471d422034e4bfb57d
Instruction ID: 32f9f776e58e1bea142dafa09ed075f878449251a13e1356180107f75de32d96
Opcode Fuzzy Hash: c97596f3d37289b3648d416b59b3ffcbd77ded2593e926471d422034e4bfb57d
Instruction Fuzzy Hash: A321C972500604AFEB219F15CD85FA7FBECEF04310F14856AED45EB142D664E908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 05160D1E Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05160D92

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8818ab956b00af9621277c654c6989e52eb4d5864bb5829b05250177e78b5f78
Instruction ID: cb32757ffe79bdbef588184a0cb2ca220a6e4f4466e5ba7c62e138c4a9575578
Opcode Fuzzy Hash: 8818ab956b00af9621277c654c6989e52eb4d5864bb5829b05250177e78b5f78
Instruction Fuzzy Hash: 6821DE7A500204AFEB219F65DD49F6BFBA8EF08310F04896BED459B242D334E4188B75

Uniqueness

Uniqueness Score: -1.00%

Function 0516085E Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051608E2

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: acdf378e21fd19f88c303f9b8e4830b0ad7cad405f67c2430964853e36e88a93
Instruction ID: c3b7bbc8234cd8430abae89e1d6f88f6b0f0694470543e3759231e865ca7ee1d
Opcode Fuzzy Hash: acdf378e21fd19f88c303f9b8e4830b0ad7cad405f67c2430964853e36e88a93
Instruction Fuzzy Hash: A42180724043846FE722CB65DC45F97BFACEF45210F0884ABE9459B192D274A508CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 051615E6 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05161675

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 3e466ba292872d4ad1e150c37cc3c549aff3cb2d1839edf9ed328fe0d9fbe6c5
Instruction ID: b41dada249196cdf78998e8b79ea9265bbfbe4c609c4ffee9aff93043db4f0ca
Opcode Fuzzy Hash: 3e466ba292872d4ad1e150c37cc3c549aff3cb2d1839edf9ed328fe0d9fbe6c5
Instruction Fuzzy Hash: 3521A1754097806FE7228B11DC45FA6FFB8EF46310F08849BE9859F192C365A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA1F4 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00EBA26C

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c87acb92c1d3af78a49eb8e2fa7fe7c0afb0ec69ab5f302fe454b175248253f7
Instruction ID: 249ebb0d56df7e414282484e9b67fe43d20db167606ada1b647616f301f051a9
Opcode Fuzzy Hash: c87acb92c1d3af78a49eb8e2fa7fe7c0afb0ec69ab5f302fe454b175248253f7
Instruction Fuzzy Hash: 62219D7140E3C05FD7138B25DC50692BFB49F03220F0D85EBD885CF6A3D2699908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0516069E Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160719

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: fc0363ca23b03a3c1643d97839923781b0b060d44c592af947b8074943d3096c
Instruction ID: f3e52af5b512baed50c8b0a599e0e3b7072ad3a1c7c09939ac7b00f227583ac9
Opcode Fuzzy Hash: fc0363ca23b03a3c1643d97839923781b0b060d44c592af947b8074943d3096c
Instruction Fuzzy Hash: B0216A75100604AFEB21DF55DC89FA6BBE8EF08710F04896AED868B251D775E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051600FA Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0516016D

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 32755e28784aa7368a5368150a32b40824ec13b5959584b83b95211c73bfd1be
Instruction ID: ec396719bb4f659158cf6989de54b3f698b148fae43effe0cc953b27e3333f3e
Opcode Fuzzy Hash: 32755e28784aa7368a5368150a32b40824ec13b5959584b83b95211c73bfd1be
Instruction Fuzzy Hash: FF219F71504240AFE721DF25DD89B66FBE8EF08310F1484AAED498B282E775E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA2B3 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00EBA32E

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6b38349175b25b08c1263514b1b9a244721b71f9da7f3138d33d0d7debb605a1
Instruction ID: 11c187d50d417df539e1b35077f52ea9489a753708ee11628f73d435c5dc290f
Opcode Fuzzy Hash: 6b38349175b25b08c1263514b1b9a244721b71f9da7f3138d33d0d7debb605a1
Instruction Fuzzy Hash: 1721B3725093809FDB128B65DC85B97BFE8AF06210F0D80EBD885CF253D224E808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0516092C Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051609BB

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: f0657432df7c590ceaee3961744d645347668b60e8cb677087bd673dd51c7f95
Instruction ID: d6aa0bc7f140b8d0cec4f6e486ae74e4e7d3e9c73f481a340d6c7666ffe4ffe6
Opcode Fuzzy Hash: f0657432df7c590ceaee3961744d645347668b60e8cb677087bd673dd51c7f95
Instruction Fuzzy Hash: 9C21C2714093846FE7228B25DC45F66FFB8EF46310F09849BE9849B193D264A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB75A Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB7D9

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ae6e9bae2017acc320ac424de13c96229c0fc26389707e4f54a3ac54ead9712b
Instruction ID: 3075e168a2b0ea1b82bc7cf2d03f2cc8b2711f7008a939caa0c843e143943317
Opcode Fuzzy Hash: ae6e9bae2017acc320ac424de13c96229c0fc26389707e4f54a3ac54ead9712b
Instruction Fuzzy Hash: DD216F72405380AFEB228F55DC45F97BFB8EF45710F0884ABE9459F192D364A408CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 051616B2 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05161736

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 90adde4c6aa37139480b13a35bec5fc3a99936d6f48a729d1f8306dc381940a6
Instruction ID: 88ef082523e6362a44095ca9adf238f4899bbe3546dc9af8b105192be9477eba
Opcode Fuzzy Hash: 90adde4c6aa37139480b13a35bec5fc3a99936d6f48a729d1f8306dc381940a6
Instruction Fuzzy Hash: 9E218E75409380AFDB228F61DC44A92BFF4EF06210F0984DAE9858F163D375A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAB4A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBABC4

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 680eef0a80f85fbee367d2d7b68fb66b3d985c3ba514d2791f675ca6facd1f3c
Instruction ID: a6cc82e3c33edfb9f5e8c18b8c980e1c395303a6b1215d9f7471691baa78f168
Opcode Fuzzy Hash: 680eef0a80f85fbee367d2d7b68fb66b3d985c3ba514d2791f675ca6facd1f3c
Instruction Fuzzy Hash: 36218E72500604AFEB20CE15CC84FA7FBECEF04710F1885AAE9459B291D764E844CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBBBA Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00EBBC25

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 79ca0dda7772a3d60096814bec514aecbb5c84bafe9a3a3bd858d8849b83fc87
Instruction ID: 6de57d7fcd94d6781acf4054603e9f9a9c7f88186f634c911e5c46a6e5d4b228
Opcode Fuzzy Hash: 79ca0dda7772a3d60096814bec514aecbb5c84bafe9a3a3bd858d8849b83fc87
Instruction Fuzzy Hash: FD21C0B1504240AFE721DF29CD85BAAFFE8EF04320F14846AED459B242D7B5E804CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA598 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00EBA604

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0445969d034b032cb75afd89d4559ba7e56461088a01e01eb8e3dbb251ae0adb
Instruction ID: aefa60ad91d28515ed3815744727d010d70dc449943d2cddf7a869f570c56bbe
Opcode Fuzzy Hash: 0445969d034b032cb75afd89d4559ba7e56461088a01e01eb8e3dbb251ae0adb
Instruction Fuzzy Hash: DB2193765093C05FDB128B25DC55692BFB4AF17324F0D84DBEC858F663D274A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBADFA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00EBAE66

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: e4a716af47b88fc970ce070f2d46e09306616421f20910991a46543125643a94
Instruction ID: 32a3366d8a1503d8933e6fc6589471927c6d4326a7e00851e4152f078b16002e
Opcode Fuzzy Hash: e4a716af47b88fc970ce070f2d46e09306616421f20910991a46543125643a94
Instruction Fuzzy Hash: 0321CD71400240AFEB22CF65DD44BA6FBE8EF08310F18886EE9859B242D371E408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBCBA Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 00EBBD2E

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: f74541fefef99dba7ea798dfc441feaacafce0d92cf253d3f8580fa82a088ab3
Instruction ID: dca34b58c144d282fb30f93dbd68f9d4bc8aa87f0037695a4a482e2e7099df53
Opcode Fuzzy Hash: f74541fefef99dba7ea798dfc441feaacafce0d92cf253d3f8580fa82a088ab3
Instruction Fuzzy Hash: 3621A171500244AFE722CF55CD85F96FBE8EF08310F14845EE9859B252D375A508CB66

Uniqueness

Uniqueness Score: -1.00%

Function 05160A2E Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05160A91

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: ee16117f96eb70c3341341fdfb013fa68ad27d2513b2afbebb672597073a2cce
Instruction ID: 9f803aae682215ed34070cf8a0a43d48261a59671b22c9f5777231b6577ebf4a
Opcode Fuzzy Hash: ee16117f96eb70c3341341fdfb013fa68ad27d2513b2afbebb672597073a2cce
Instruction Fuzzy Hash: 9E11D376400244AFE721DF65DD49F6AFB98EF04310F14846BED449B282D274A5048AB5

Uniqueness

Uniqueness Score: -1.00%

Function 05160C32 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160C9C

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 9efb61532d5d168406928b55ad715d10d89cae85ab03b1ce68571f664bc0bf36
Instruction ID: 99cd8570bafee5c15a2fdd5a6a3fcd6511d7e519732645de967a3b9496d5367d
Opcode Fuzzy Hash: 9efb61532d5d168406928b55ad715d10d89cae85ab03b1ce68571f664bc0bf36
Instruction Fuzzy Hash: 55118172400604AFEB21CF55DD45FAAFBECEF48320F1488ABE9459B285D774A408CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB91E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB990

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 894dea0d053293fe23f93fe41e39c6968e6d71ccd3ddf2ede2dedf2d7fe1b8a7
Instruction ID: 03e6984f4787e451d5297ab4fb0c5da1fb0a7165c75fff6d107da840a68e1ff3
Opcode Fuzzy Hash: 894dea0d053293fe23f93fe41e39c6968e6d71ccd3ddf2ede2dedf2d7fe1b8a7
Instruction Fuzzy Hash: 9411D371500200AFE720CF55CC80FA7FBECEF44710F14855AEA459B291D7A4E804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 051603CA Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05160429

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ffbaed9033666b0aa9e82e263fa28e54481b830cad6dcd9700eb85bd5a6a24f3
Instruction ID: 76a3ae548d49d6e8953999045d1203f688cd7b6de95e5dfaa321604505e2c459
Opcode Fuzzy Hash: ffbaed9033666b0aa9e82e263fa28e54481b830cad6dcd9700eb85bd5a6a24f3
Instruction Fuzzy Hash: 23119072504200AFEB31CF55DC85F6AFBA8EF48720F14846BED458B291D774A818CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0516117C Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051611F4

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 1f3ca0f3392bb87391a8ec7edd92f52de11a82db7ac9581a27f3181c5e9ad1c7
Instruction ID: a8f2355a32e0d63089f9b1fae4b252a7057e6db5b6762f428f7fa6d3c310b964
Opcode Fuzzy Hash: 1f3ca0f3392bb87391a8ec7edd92f52de11a82db7ac9581a27f3181c5e9ad1c7
Instruction Fuzzy Hash: DC11D6715443846FE7118B15DC45F56FFA8EF45320F18C09BE9449F192C268A448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0516087E Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051608E2

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 284f268c83e18668aaee636761df4f6cefc92a5a9d1e2015974c50c51b0b95cc
Instruction ID: 4a31868de76faa51de64bb779dcfa597a46fabdb26c3e16e04da56ff82b71c33
Opcode Fuzzy Hash: 284f268c83e18668aaee636761df4f6cefc92a5a9d1e2015974c50c51b0b95cc
Instruction Fuzzy Hash: 8E11B272400204AFE721CF55DC85FA6FBACEF48320F1484ABE9499B285D674A504CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB0DE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00EBB148

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 587f455b745d9dfc3bfc0f847ac9b534bfe229363e4b74a25828a5488940e26a
Instruction ID: 0442bf41c45e0885326af7383cfcbced9df7daa4e587b5590de82e3a0400af0a
Opcode Fuzzy Hash: 587f455b745d9dfc3bfc0f847ac9b534bfe229363e4b74a25828a5488940e26a
Instruction Fuzzy Hash: 5F117C754093C09FDB128B25DC55B92BFB4EF06214F0984DBED849F263D265A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB77A Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB7D9

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 7aa0d54e65313d0ab972c8c15f2c941d0f6eec76471598d0f301ecd04fd52b79
Instruction ID: c558ccd22a355cde3888ed2f1cb66f598d8bd701361be4c02f5ca52159f2fef3
Opcode Fuzzy Hash: 7aa0d54e65313d0ab972c8c15f2c941d0f6eec76471598d0f301ecd04fd52b79
Instruction Fuzzy Hash: 0411BF71400240AFEB218F55DC41BA7FBA8EF48720F14C4ABE945AB242D7B4A408CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 051605C2 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 0516061B

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 97dee1b1c06859b6c685366a21cc8777c3bea72935c3c52a2aae0f1ca54a0174
Instruction ID: 89b66dbc1a4c4df8d34d4b23717fc867f3006bffe18d91684b694f715197a78c
Opcode Fuzzy Hash: 97dee1b1c06859b6c685366a21cc8777c3bea72935c3c52a2aae0f1ca54a0174
Instruction Fuzzy Hash: 2B11A071404244AFEB21CF56DC85F66FBA8EF48320F14C4ABEE499B281D775A404CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 05161616 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 05161675

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 52c8d11d9422b2b8e934c6310b60b79d628d02daf3bc03ec5e169da0714fb3c8
Instruction ID: 4f75ae78eaa909cff2e0359d9e2d161da5dbda3f8b81fd404ed491db9828bcb9
Opcode Fuzzy Hash: 52c8d11d9422b2b8e934c6310b60b79d628d02daf3bc03ec5e169da0714fb3c8
Instruction Fuzzy Hash: CD110276400204AFEB20CF16CC40FA6FBA8EF04320F08C49BED454B291C3B4A418CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 05160962 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051609BB

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 2d85a66e40a8889111e747e1877ab601975791b4f16cd70fc3507340d9f6b4b4
Instruction ID: 6499d727fb1b3442c414f1b689086f3f57a8cc0635f5e450c9694fac43180e71
Opcode Fuzzy Hash: 2d85a66e40a8889111e747e1877ab601975791b4f16cd70fc3507340d9f6b4b4
Instruction Fuzzy Hash: C0110471404204AFFB20CF15DC85F66FBA8EF08320F14C4ABED499B281C774A804CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00EBA0D5

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1d8cc8b6a8381845eb1915e50f488cfba29237fea791ebab5ec6834de76a0abd
Instruction ID: bc1978b5bbc553a6bce651e0136629b62da363809854ba3326a2711874563896
Opcode Fuzzy Hash: 1d8cc8b6a8381845eb1915e50f488cfba29237fea791ebab5ec6834de76a0abd
Instruction Fuzzy Hash: A1118F75409780AFDB22CF15DC44B52FFB4EF45224F08C4ABED858F252D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0516119E Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 051611F4

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 6f4485f1063876dcd2a436a7555d85c0586a68c9bd2c567ea8f2c0cc4e62aaa9
Instruction ID: 7a71d9987499d09a38363e21db56a949c4d40fa582bdf98cb541b83b6a64afc9
Opcode Fuzzy Hash: 6f4485f1063876dcd2a436a7555d85c0586a68c9bd2c567ea8f2c0cc4e62aaa9
Instruction Fuzzy Hash: 41010471540204AFEB20CF16DC81FAAFBE8EF04321F14C09BED059B281C374A504CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA2E6 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00EBA32E

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ea52bdc8ffad7934816533be50722cb53c8177950ea09ca27857df4c48943ee2
Instruction ID: 2dc155c9f4f0e4f826f7766e58dfc841dd476fb88b45687aaa4fc199676a6f0d
Opcode Fuzzy Hash: ea52bdc8ffad7934816533be50722cb53c8177950ea09ca27857df4c48943ee2
Instruction Fuzzy Hash: 4C115E71A042409FDB60CF69DC85B9BFBE8EF14724F08D4BADD49DB252D674E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA982 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00EBA9E0

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0a39e06d9e2cc4ecd5a2092f58ec63ff7ea0656743f2860437caec6e893a386c
Instruction ID: a1b0361ad6ff20554b7c2df150a90278a6400dd9ed082ce5354d7f8f534405cd
Opcode Fuzzy Hash: 0a39e06d9e2cc4ecd5a2092f58ec63ff7ea0656743f2860437caec6e893a386c
Instruction Fuzzy Hash: F01191754093C09FDB228B25DC54A92BFB4DF17224F0D80DBDD858F263D265A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB4BA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CE3C9969,00000000,00000000,00000000,00000000), ref: 00EBB50D

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f0abae8094fa21c6cd77ae636d14598fc70c43f7c1757f7ccb86b901c8b5d5f6
Instruction ID: 2fc51631ddc1df09c5e320de5ed658729e54e268befcd7f2b48ddbe7d1e43834
Opcode Fuzzy Hash: f0abae8094fa21c6cd77ae636d14598fc70c43f7c1757f7ccb86b901c8b5d5f6
Instruction Fuzzy Hash: 6701D271505204AFE720CB16DC85BABFB9CDF44720F14C0ABED05AF285C7B8A904CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 051616EA Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05161736

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 0c3fdd0407c325341d0c82c6e70ecf8b52fda2fd072ccfca13bf6ea40fcebaa9
Instruction ID: d7174b650476977f6be50bbe995e9cd3cd2028dc3a99e122375bd8109cc7d7e4
Opcode Fuzzy Hash: 0c3fdd0407c325341d0c82c6e70ecf8b52fda2fd072ccfca13bf6ea40fcebaa9
Instruction Fuzzy Hash: 24117C75404644AFDB20DF55D844B66FBE5FF08310F08C8AAED4A8B612D371E418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 051607D6 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05160826

Memory Dump Source

Source File: 00000000.00000002.319974691.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_3EqRILOXx1.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 666d35da1d3cc040b698cfb8c0169abe2b98658e23dcb169175fc43aa1ab6d69
Instruction ID: dc205655950011990f5143be77b1375fab74d189b56ac995e95363eb519160bd
Opcode Fuzzy Hash: 666d35da1d3cc040b698cfb8c0169abe2b98658e23dcb169175fc43aa1ab6d69
Instruction Fuzzy Hash: F101B171500200ABD310DF16DD86B26FBA8EB88B20F14C12AED089B742E331F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAC66 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00EBACB6

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 04d7b1a0e710f47c429ba75fa7e1ffc80033b640e28626be2893201d9991cb8b
Instruction ID: 799cace97f5aca1ffce425ba5c6798d6eb6b050f00a8cea14f64ce3e0aeb671d
Opcode Fuzzy Hash: 04d7b1a0e710f47c429ba75fa7e1ffc80033b640e28626be2893201d9991cb8b
Instruction Fuzzy Hash: 9C01AD71500200ABD310DF1ADD86B26FBA8FB88B20F14C11AED089B742E371F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA5D2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00EBA604

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f25aece6ab6e7738d6176d547d2ae977ba9d4406c2a8cce8407394837af02aae
Instruction ID: 0a268493ad9a78b0058d34bd8eb65116cf98c77f54d140ad22c15e181e1e52a9
Opcode Fuzzy Hash: f25aece6ab6e7738d6176d547d2ae977ba9d4406c2a8cce8407394837af02aae
Instruction Fuzzy Hash: 1401BCB55052409FDB208F29E884796FBE4EF04320F08C0ABDC4A9F246D675A848CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA23A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00EBA26C

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cbd9501f6dde49539dd2ceb3fe473c20a780eeb276645e76fdc976a9c87a1389
Instruction ID: 7d58a3c89a9d5badd54980369e2917e9f76326b59b35e1330b2978052fe31b2f
Opcode Fuzzy Hash: cbd9501f6dde49539dd2ceb3fe473c20a780eeb276645e76fdc976a9c87a1389
Instruction Fuzzy Hash: 1E018F759042408FDB208F59DC857A6FBA4EF44320F18D4BBDD099F752D675A808CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAD3A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 00EBAD8A

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: adee0f30f030d8610f45c197f2bae2f5757130b6ee20a0df2b43c30cd95d69e8
Instruction ID: ad7c6c87670f4a94008199eb27fa0df460d6f650ad4f89a8d73499dde62fd1e6
Opcode Fuzzy Hash: adee0f30f030d8610f45c197f2bae2f5757130b6ee20a0df2b43c30cd95d69e8
Instruction Fuzzy Hash: B2016275500600ABD350DF1ADD86B26FBA8FB88B20F14C15AED085B742E771F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB116 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00EBB148

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 290f310347e9dbac2cb385fbbba7b6f22a8f3cb972221e74d4ee3dc66382c824
Instruction ID: e98b1c3c0c492cdbeb6833b494a65f4b28649de1e4c62990025650428ee09e49
Opcode Fuzzy Hash: 290f310347e9dbac2cb385fbbba7b6f22a8f3cb972221e74d4ee3dc66382c824
Instruction Fuzzy Hash: E001AD708052408FDB20CF1ADC857A6FBA4EF04321F18D4ABDD099F252D3B5A448CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA9AE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00EBA9E0

Memory Dump Source

Source File: 00000000.00000002.319107547.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eba000_3EqRILOXx1.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d116d2b6258235a8aa3c885441ee1b6817bdff3ae144fdf9c94a3548c6ec2561
Instruction ID: 517f7d31e321d30b304225fdcf16ad4ad42403e740287dd50b5008b9efa81f12
Opcode Fuzzy Hash: d116d2b6258235a8aa3c885441ee1b6817bdff3ae144fdf9c94a3548c6ec2561
Instruction Fuzzy Hash: C7F0AF758042848FDB208F05E9857A2FBA4EF44321F18D0ABDD495B352D3B5A848DEB3

Uniqueness

Uniqueness Score: -1.00%

Function 02B40239 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71654104466001798b399ec30850a58736136e5d3552d3dd6f51f1d00411495e
Instruction ID: b1c5341b1778e9b149fcb8458be2c9c169fd9296545f62f056744f362a592160
Opcode Fuzzy Hash: 71654104466001798b399ec30850a58736136e5d3552d3dd6f51f1d00411495e
Instruction Fuzzy Hash: DEB11D70A1021ACFCB14EFB9E98199D7BB2FF49704B20863AE505BB259DB306D06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02B40248 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9c8814b64036fbddb64105e17f84a1c308e871f45da4fb2d648a17bd8950ac
Instruction ID: d684a61d776e9861a9781e8ae76eac84bb06729b4b7fdac438cff6ba3ea2564f
Opcode Fuzzy Hash: bc9c8814b64036fbddb64105e17f84a1c308e871f45da4fb2d648a17bd8950ac
Instruction Fuzzy Hash: BDB11E30A1021ACFCB14EFB9E98199D7BB2FF49705B20863AE515BB259DB306D06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02B40BC9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b41d8fa06990104fd38b1a85ab291ba9e8d2a28e6fedc56b7e369dfa0b647
Instruction ID: 33c3e92a8712b3c0c349bedea61152d44e8d7e63c9fb204ee7df9652dba126ce
Opcode Fuzzy Hash: 693b41d8fa06990104fd38b1a85ab291ba9e8d2a28e6fedc56b7e369dfa0b647
Instruction Fuzzy Hash: B551A174E11218DFCB09DFBAD58099DBBF2FF89300B24856AD909AB314DB31A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B40006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde726ac881eafc4c4f664141256f2ca13b0cc485de7b3f4fbd83e7ef7fab01d
Instruction ID: 9311489cca2343867dca48772aacde776c7bd54418296e3fb62bf04c7a7a1c9e
Opcode Fuzzy Hash: dde726ac881eafc4c4f664141256f2ca13b0cc485de7b3f4fbd83e7ef7fab01d
Instruction Fuzzy Hash: 2D119A6644E3C14FC3275BB498A65907FB06E2321474F04DBC0C4DB1A3D6684A4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B40B37 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9dcd65126527cbc38927e82eaa457da2c718f022dea0b5f5995be272b5afc0
Instruction ID: c2efcd9d108a8c4e6babf7e33de1c0f16e4c5d870485b01993963e3217c2c5ed
Opcode Fuzzy Hash: ef9dcd65126527cbc38927e82eaa457da2c718f022dea0b5f5995be272b5afc0
Instruction Fuzzy Hash: 4F11F274D042099FCF05DFA9C8809EEBBF1EF49304F1544AAD604A7220EB715A55DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B705D5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319509861.0000000002B70000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b70000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803105da8d6de4612e0f751c992bfe46340371020339c7cb70a091b135f28408
Instruction ID: d68f85864a88a750bb1189b751e87df15f417db5c3323afc65c6734edd383de2
Opcode Fuzzy Hash: 803105da8d6de4612e0f751c992bfe46340371020339c7cb70a091b135f28408
Instruction Fuzzy Hash: F7F0A9765097806FD7128F16DC40863FFB8DF86630709C49FEC498B652D225B808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02B705F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319509861.0000000002B70000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b70000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948540c74f22aeb3cbd00fe62f1b6e924a00e3729b6197809b17ac25330ea66d
Instruction ID: 9235b2024084ef10bbf6b3a3cb47679905e25e79dd3a0d189148f1508acd8449
Opcode Fuzzy Hash: 948540c74f22aeb3cbd00fe62f1b6e924a00e3729b6197809b17ac25330ea66d
Instruction Fuzzy Hash: 7CE092766006005BD750DF0AEC41452F7D8EB88630718C07FDC0D8B701D675F508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 00EB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319097839.0000000000EB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb2000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b2c6fd2a50727756337facfa9fbb797c9a7ebf412c5feac62744fa04cb6441
Instruction ID: b6a73e8d5bbc26c5a9a27cbf842f04dcd4d19c8279200b7d015504df3c9d6ef8
Opcode Fuzzy Hash: b9b2c6fd2a50727756337facfa9fbb797c9a7ebf412c5feac62744fa04cb6441
Instruction Fuzzy Hash: 47D05B752056D14FD3169A1CC164BD53F94AF51B05F4654FDD8408B663C754D981D100

Uniqueness

Uniqueness Score: -1.00%

Function 00EB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319097839.0000000000EB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb2000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24df6bd0b4c97ca95e36c55a623471b8bb8912bfbaca57db5180badc422f3996
Instruction ID: 3068ec2998d180b3e7f8e68d5c194a28dc637a4eab3164c2106d725f7dbc092a
Opcode Fuzzy Hash: 24df6bd0b4c97ca95e36c55a623471b8bb8912bfbaca57db5180badc422f3996
Instruction Fuzzy Hash: 89D05E342002824BCB16DB0CD594F9A37D4AF41B04F0654EDAC009B362C3A9DCC1C600

Uniqueness

Uniqueness Score: -1.00%

Function 02B40070 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319501776.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b40000_3EqRILOXx1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376b3b753175d3bcaad647e75482b17ce9b22619473e46b7bebc3b3c7feb4051
Instruction ID: c7da4c3b213daaeabe3be71378ef72286eb5ec62921da81b5b805a9c3b418a21
Opcode Fuzzy Hash: 376b3b753175d3bcaad647e75482b17ce9b22619473e46b7bebc3b3c7feb4051
Instruction Fuzzy Hash: B6B09B310456084FC51D37D9A9097A5765C6741705F404074560D615724FF26569D5E7

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3EqRILOXx1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3EqRILOXx1.exe_ee11ed3d42939d22332a8251e19e2f7a90e88_00000000_1906d41a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5266.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5390.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Windows Analysis Report
3EqRILOXx1.exe

Function 05160AE6 Relevance: 1.6, APIs: 1, Instructions: 111
registryCOMMON

Function 00EBADB4 Relevance: 1.6, APIs: 1, Instructions: 102
networkCOMMON

Function 05161403 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00EBB36B Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Function 05160763 Relevance: 1.6, APIs: 1, Instructions: 93
windowCOMMON

Function 05160CE6 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Function 05160665 Relevance: 1.6, APIs: 1, Instructions: 92
networkCOMMON

Function 0516038C Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Function 05160585 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Function 00EBAA11 Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Function 00EBAB09 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 00EBBC7C Relevance: 1.6, APIs: 1, Instructions: 87
fileCOMMON

Function 051600CD Relevance: 1.6, APIs: 1, Instructions: 85
synchronizationCOMMON

Function 05161436 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 051609F8 Relevance: 1.6, APIs: 1, Instructions: 83
registryCOMMON