Edit tour

Windows Analysis Report
new order.exe

Overview

General Information

Sample name:	new order.exe
Analysis ID:	1464860
MD5:	0c5a964f9cbf2fec077302e6baa7316f
SHA1:	d0593ff771d4cf489903b807aa93f29f5a51f0b5
SHA256:	dd93e71cdd590d9c74d24a1b822948e7501b7a38df590d4d52ddf3e862a0cb2d
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

new order.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\new order.exe" MD5: 0C5A964F9CBF2FEC077302E6BAA7316F)

MSBuild.exe (PID: 4020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 7192 cmdline: C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1484e:$a1: get_encryptedPassword 0x14b3a:$a2: get_encryptedUsername 0x1465a:$a3: get_timePasswordChanged 0x14755:$a4: get_passwordField 0x14864:$a5: set_encryptedPassword 0x15e37:$a7: get_logins 0x15d9a:$a10: KeyLoggerEventArgs 0x15a33:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18110:$x1: $%SMTPDV$ 0x18176:$x2: $#TheHashHere%& 0x1976d:$x3: %FTPDV$ 0x19861:$x4: $%TelegramDv$ 0x15a33:$x5: KeyLoggerEventArgs 0x15d9a:$x5: KeyLoggerEventArgs 0x19791:$m2: Clipboard Logs ID 0x199b1:$m2: Screenshot Logs ID 0x19ac1:$m2: keystroke Logs ID 0x19d9b:$m3: SnakePW 0x19989:$m4: \SnakeKeylogger\
00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaae76:$a1: get_encryptedPassword 0xcb8be:$a1: get_encryptedPassword 0xab162:$a2: get_encryptedUsername 0xcbbaa:$a2: get_encryptedUsername 0xaac82:$a3: get_timePasswordChanged 0xcb6ca:$a3: get_timePasswordChanged 0xaad7d:$a4: get_passwordField 0xcb7c5:$a4: get_passwordField 0xaae8c:$a5: set_encryptedPassword 0xcb8d4:$a5: set_encryptedPassword 0xac45f:$a7: get_logins 0xccea7:$a7: get_logins 0xac3c2:$a10: KeyLoggerEventArgs 0xcce0a:$a10: KeyLoggerEventArgs 0xac05b:$a11: KeyLoggerEventArgsEventHandler 0xccaa3:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xae738:$x1: $%SMTPDV$ 0xcf180:$x1: $%SMTPDV$ 0xae79e:$x2: $#TheHashHere%& 0xcf1e6:$x2: $#TheHashHere%& 0xafd95:$x3: %FTPDV$ 0xd07dd:$x3: %FTPDV$ 0xafe89:$x4: $%TelegramDv$ 0xd08d1:$x4: $%TelegramDv$ 0xac05b:$x5: KeyLoggerEventArgs 0xac3c2:$x5: KeyLoggerEventArgs 0xccaa3:$x5: KeyLoggerEventArgs 0xcce0a:$x5: KeyLoggerEventArgs 0xafdb9:$m2: Clipboard Logs ID 0xaffd9:$m2: Screenshot Logs ID 0xb00e9:$m2: keystroke Logs ID 0xd0801:$m2: Clipboard Logs ID 0xd0a21:$m2: Screenshot Logs ID 0xd0b31:$m2: keystroke Logs ID 0xb03c3:$m3: SnakePW 0xd0e0b:$m3: SnakePW 0xaffb1:$m4: \SnakeKeylogger\
00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: new order.exe PID: 3696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new order.exe PID: 3696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: new order.exe PID: 3696	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: new order.exe PID: 3696	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: new order.exe PID: 3696	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28498:$a1: get_encryptedPassword 0x2877a:$a2: get_encryptedUsername 0x282ae:$a3: get_timePasswordChanged 0x283a9:$a4: get_passwordField 0x284ae:$a5: set_encryptedPassword 0x2a89e:$a7: get_logins 0x2a801:$a10: KeyLoggerEventArgs 0x2a49a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: new order.exe PID: 3696	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2a49a:$x5: KeyLoggerEventArgs 0x2a801:$x5: KeyLoggerEventArgs 0x2b0ef:$x5: KeyLoggerEventArgs 0x2b423:$x5: KeyLoggerEventArgs 0x2c9d1:$m2: Clipboard Logs ID 0x2cac8:$m2: Screenshot Logs ID 0x2cb1e:$m2: keystroke Logs ID 0x2cc53:$m3: SnakePW 0x2cab4:$m4: \SnakeKeylogger\
Process Memory Space: MSBuild.exe PID: 4020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 4020	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 4020	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3b4a0:$a1: get_encryptedPassword 0x3b782:$a2: get_encryptedUsername 0x3b2b6:$a3: get_timePasswordChanged 0x3b3b1:$a4: get_passwordField 0x3b4b6:$a5: set_encryptedPassword 0x3d8a6:$a7: get_logins 0x3d809:$a10: KeyLoggerEventArgs 0x3d4a2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 4020	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3d4a2:$x5: KeyLoggerEventArgs 0x3d809:$x5: KeyLoggerEventArgs 0x3e0f7:$x5: KeyLoggerEventArgs 0x3e42b:$x5: KeyLoggerEventArgs 0x3f9d9:$m2: Clipboard Logs ID 0x3fad0:$m2: Screenshot Logs ID 0x3fb26:$m2: keystroke Logs ID 0x3fc5b:$m3: SnakePW 0x3fabc:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.new order.exe.1f6af170e70.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new order.exe.1f6af170e70.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.new order.exe.1f6af170e70.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.new order.exe.1f6af170e70.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.new order.exe.1f6af170e70.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.new order.exe.1f6af170e70.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
0.2.new order.exe.1f6af170e70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new order.exe.1f6af170e70.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.new order.exe.1f6af170e70.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.new order.exe.1f6af170e70.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
0.2.new order.exe.1f6af170e70.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
0.2.new order.exe.1f6af170e70.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
0.2.new order.exe.1f6af170e70.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
0.2.new order.exe.1f6af150428.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new order.exe.1f6af150428.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.new order.exe.1f6af150428.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.new order.exe.1f6af150428.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.new order.exe.1f6af150428.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.new order.exe.1f6af150428.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
1.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.MSBuild.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.new order.exe.1f6af150428.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new order.exe.1f6af150428.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.new order.exe.1f6af150428.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.new order.exe.1f6af150428.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x35496:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x35782:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x352a2:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x3539d:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x354ac:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x36a7f:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x369e2:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler 0x3667b:$a11: KeyLoggerEventArgsEventHandler
1.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
0.2.new order.exe.1f6af150428.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cdb3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfe5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x3c418:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data 0x3d457:$a5: \Kometa\User Data\Default\Login Data
1.2.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
0.2.new order.exe.1f6af150428.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x3601e:$s1: UnHook 0x155dd:$s2: SetHook 0x36025:$s2: SetHook 0x155e5:$s3: CallNextHook 0x3602d:$s3: CallNextHook 0x155f2:$s4: _hook 0x3603a:$s4: _hook
0.2.new order.exe.1f6af150428.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x38d58:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x38dbe:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x3a3b5:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x3a4a9:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x3667b:$x5: KeyLoggerEventArgs 0x369e2:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x3a3d9:$m2: Clipboard Logs ID 0x3a5f9:$m2: Screenshot Logs ID 0x3a709:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x3a9e3:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
1.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
1.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4020, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: new order.exe	ReversingLabs: Detection: 47%
Source: new order.exe	Virustotal: Detection: 46%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: new order.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: new order.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D286000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb9,f source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .VisualBasic.pdb0& source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 5c561934e089\mscorlib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtl source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: new order.PDBMx source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdbHJ source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D286000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: 8QpC:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiewCtl source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbure= source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbz source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\new order.exe.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: er.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb94341 ByRef)< source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER97D0.tmp.dmp.4.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 014EF055h	1_2_014EEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 014EF9DFh	1_2_014EEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_014EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B8945h	1_2_068B8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B6171h	1_2_068B5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B58C1h	1_2_068B5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B5D19h	1_2_068B5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_068B33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_068B33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B6E79h	1_2_068B6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B65C9h	1_2_068B6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B6A21h	1_2_068B6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B0741h	1_2_068B0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B7751h	1_2_068B74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B0B99h	1_2_068B08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B02E9h	1_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B72FAh	1_2_068B7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B5441h	1_2_068B5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B8459h	1_2_068B81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B7BA9h	1_2_068B7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B0FF1h	1_2_068B0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 068B8001h	1_2_068B7D58

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:62989 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgp
Source: MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MSBuild.exe, 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: new order.exe

Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8A37DC	0_2_00007FFD9B8A37DC
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8AB260	0_2_00007FFD9B8AB260
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8A1608	0_2_00007FFD9B8A1608
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8B423B	0_2_00007FFD9B8B423B
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8AB641	0_2_00007FFD9B8AB641
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8AE1C9	0_2_00007FFD9B8AE1C9
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8A88A8	0_2_00007FFD9B8A88A8
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B970050	0_2_00007FFD9B970050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E6108	1_2_014E6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EC190	1_2_014EC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB328	1_2_014EB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EC470	1_2_014EC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EC752	1_2_014EC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E9858	1_2_014E9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E6880	1_2_014E6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EBBD2	1_2_014EBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014ECA32	1_2_014ECA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E4AD9	1_2_014E4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EEE68	1_2_014EEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EBEB0	1_2_014EBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EE379	1_2_014EE379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EE388	1_2_014EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E3572	1_2_014E3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB4F2	1_2_014EB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BB6E8	1_2_068BB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B8608	1_2_068B8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BAA58	1_2_068BAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BD670	1_2_068BD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BC388	1_2_068BC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B8BF2	1_2_068B8BF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BB0A0	1_2_068BB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BA408	1_2_068BA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BD028	1_2_068BD028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B11A0	1_2_068B11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BC9D8	1_2_068BC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BBD38	1_2_068BBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5EB8	1_2_068B5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5EC8	1_2_068B5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BB6D9	1_2_068BB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B560B	1_2_068B560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5618	1_2_068B5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BAA48	1_2_068BAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BD663	1_2_068BD663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5A60	1_2_068B5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5A70	1_2_068B5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B33A8	1_2_068B33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B33B8	1_2_068B33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B6BC1	1_2_068B6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B6BD0	1_2_068B6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BA3F8	1_2_068BA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B6313	1_2_068B6313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B6320	1_2_068B6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B3730	1_2_068B3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B676B	1_2_068B676B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B6778	1_2_068B6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BC378	1_2_068BC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0488	1_2_068B0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0498	1_2_068B0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7497	1_2_068B7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B74A8	1_2_068B74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B08E0	1_2_068B08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B08F0	1_2_068B08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B78F0	1_2_068B78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B2807	1_2_068B2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0006	1_2_068B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B2818	1_2_068B2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BD018	1_2_068BD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B4430	1_2_068B4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0040	1_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7040	1_2_068B7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7050	1_2_068B7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B518B	1_2_068B518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B5198	1_2_068B5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B81A0	1_2_068B81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B81B0	1_2_068B81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BC9C8	1_2_068BC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B85F8	1_2_068B85F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7900	1_2_068B7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068BBD28	1_2_068BBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0D39	1_2_068B0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B0D48	1_2_068B0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7D48	1_2_068B7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B7D58	1_2_068B7D58

Source: C:\Users\user\Desktop\new order.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052

Source: new order.exe

Static PE information: No import functions for PE file found

Source: new order.exe, 00000000.00000002.1787438660.000001F69D310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEtisoculL vs new order.exe
Source: new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs new order.exe
Source: new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEtisoculL vs new order.exe
Source: new order.exe, 00000000.00000002.1788161334.000001F6AF28F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEtisoculL vs new order.exe
Source: new order.exe, 00000000.00000000.1643320161.000001F69CFA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIyiwutef@ vs new order.exe
Source: new order.exe	Binary or memory string: OriginalFilenameIyiwutef@ vs new order.exe

Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new order.exe.1f6af150428.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\new order.exe.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: new order.exe, 00000000.00000002.1787234938.000001F69D286000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@4/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3696

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\16611b92-a06e-42f0-800e-4012de6cb0df

Jump to behavior

Source: new order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\new order.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000001.00000002.4108863148.000000000313C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000314A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000312C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: new order.exe	ReversingLabs: Detection: 47%
Source: new order.exe	Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\new order.exe

File read: C:\Users\user\Desktop\new order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\new order.exe "C:\Users\user\Desktop\new order.exe"
Source: C:\Users\user\Desktop\new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\new order.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052
Source: C:\Users\user\Desktop\new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\new order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\new order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\new order.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: new order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: new order.exe

Static file information: File size 1838240 > 1048576

Source: new order.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: new order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D286000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb9,f source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .VisualBasic.pdb0& source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 5c561934e089\mscorlib.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtl source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: new order.PDBMx source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdbHJ source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbb source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787234938.000001F69D286000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: 8QpC:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiewCtl source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbure= source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbz source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\new order.PDB source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\new order.exe.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: new order.exe, 00000000.00000002.1787618162.000001F69ED60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: er.PDB source: new order.exe, 00000000.00000002.1786979817.0000005138CF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb94341 ByRef)< source: new order.exe, 00000000.00000002.1787234938.000001F69D2E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER97D0.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER97D0.tmp.dmp.4.dr

Source: new order.exe

Static PE information: 0x840105AF [Tue Mar 6 15:11:43 2040 UTC]

Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8A77F3 pushad ; retf	0_2_00007FFD9B8A789D
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B8A789E push eax; retf	0_2_00007FFD9B8A78AD
Source: C:\Users\user\Desktop\new order.exe	Code function: 0_2_00007FFD9B970050 push esp; retf 4810h	0_2_00007FFD9B970312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_068B3182 pushfd ; ret	1_2_068B3183

Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\new order.exe	Memory allocated: 1F69D1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Memory allocated: 1F6B6EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597136	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7894			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1925			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7292	Thread sleep count: 7894 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7292	Thread sleep count: 1925 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599414s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597373s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597136s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7288	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597136	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000001.00000002.4108094825.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: new order.exe, 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\new order.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\new order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\new order.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\new order.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\new order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\new order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C30008	Jump to behavior

Source: C:\Users\user\Desktop\new order.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\new order.exe	Queries volume information: C:\Users\user\Desktop\new order.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\new order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af170e70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new order.exe.1f6af150428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new order.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4020, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
new order.exe	47%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
new order.exe	47%	Virustotal		Browse
new order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/	1%	Virustotal		Browse
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgp	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	1%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Virustotal		Browse
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgp	MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	MSBuild.exe, 00000001.00000002.4108863148.000000000304F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000003078000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000306A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.000000000305D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	new order.exe, 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4108863148.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464860
Start date and time:	2024-06-30 16:35:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	new order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@4/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 88% Number of executed functions: 181 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.31.73, 20.190.159.23, 20.190.159.64, 20.190.159.71, 20.190.159.75, 40.126.31.71, 20.190.159.73, 40.126.31.69, 199.232.214.172, 192.229.221.95, 20.42.73.29, 20.12.23.50, 13.95.31.18, 52.165.164.15, 20.242.39.171, 20.3.187.198, 131.107.255.255
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 4020 because it is empty
Execution Graph export aborted for target new order.exe, PID 3696 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:35:58	API Interceptor	13449020x Sleep call for process: MSBuild.exe modified
10:36:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
	hnCn8gE6NH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	yenot.top/providerlowAuthApibigloadprotectflower.php
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
	Purchase Order -JJ023639-PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/9a4iHwft/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/ygivXnVx/download
	NGL 3200-Phase 2- Strainer.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?oH=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7xznBNrfJyFZcb5vCPyKuUBo+l90Wdia8Y821KfsfreAbg==&ML=uVzXijwPkXTxAbN
158.101.44.242	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Official PO.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MV GOLDEN SCHULTE PARTICULARS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new contract.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_0071191023.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Baltic questionnaire.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Official PO.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
fp2e7a.wpc.phicdn.net	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	192.229.221.95
	https://bit.ly/3RPGSFw?lBj=IgAqyyGiOF?ehd=cNhnM3Ug7I	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfF3sPeQKBD_Act5bCCrkUMkGrd87GXE85ptSvU0h8H9S97li_YZ1W2sNi71P90U8x627NEH6e-kCa62tjlvXVsamrSGp1TAMFtfgRydM8D-QFp4rxbgAeEilnkMUdRVDSB2T_2Qfh0hQuA2S3kIGAGxxOhLGRZlimak4HvWAhPpr3cGXO1dkFMRkycppPQIWKMCxf7zn-Sf2FKVlkV3bIiKpv65JecmpKmv7K1YnibkbTtyYKjzM0RBpe8SGtfO5gpSHLvPTYqZjsrGpeXbXcWmlaR9PZhWomJ586b1OeF7psyrkOXu7PHMFbYVK6t7rkfnsF9FVAXEF_z9qYdd6yq7sZRqhCkgEwDqZaPg8lBDqiVI04is9Ux1ckCdi1zoggbpZr_i4tJ1iUVNzVnpUh4z0GQ==	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://carsales.au1.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAfnb-qPSyZecO9B5ZfywmNLbpLvp031ot7ln8fPgu7eWwZ19_ZPQHTOqDMGxjirJcrmCsSaiIDmPdIRas_zn4z1go8wNiaf6T7KGdMemdAI87j-2cWRTSM8MgKsIEHUt-&	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://track.unir.net/track/click/30530342/descargas.unir.net?p=eyJzIjoidHJHZnNhZE5kUkNYekRPckgyR3o3alV1Tkk0IiwidiI6MSwicCI6IntcInVcIjozMDUzMDM0MixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvZGVzY2FyZ2FzLnVuaXIubmV0XFxcL2VzY3VlbGFkZWluZ2VuaWVyaWFcXFwvMDUlMjBTZWd1cmlkYWRfZGVsX1NvZnR3YXJlXFxcLzI3NzNlM2RjNTk0NzIyOTZjYjAwMjRiYTc3MTVhNjRlLnppcFwiLFwiaWRcIjpcIjY4YWI2MWQ5NDYzNTQwNmZhNzNlNzA5ODQ4YWU3NGI3XCIsXCJ1cmxfaWRzXCI6W1wiMjY5ZjJjYTk4MmEwODg4OTQ1YmM1MWViYzE0MDZlNmY1NTRmN2MxMlwiXX0ifQ	Get hash	malicious	Jigsaw	Browse	192.229.221.95
	_$phantom-SCV.cmd	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://hamids-worker.hamidyousefi93.workers.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://purchase-order-workers-playground-weathered-moon-6962.mslee.workers.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfF3sPeQKBD_Act5bCCrkUMkGrd87GXE85ptSvU0h8H9S97li_YZ1W2sNi71P90U8x627NEH6e-kCa62tjlvXVsamrSGp1TAMFtfgRydM8D-QFp4rxbgAeEilnkMUdRVDSB2T_2Qfh0hQuA2S3kIGAGxxOhLGRZlimak4HvWAhPpr3cGXO1dkFMRkycppPQIWKMCxf7zn-Sf2FKVlkV3bIiKpv65JecmpKmv7K1YnibkbTtyYKjzM0RBpe8SGtfO5gpSHLvPTYqZjsrGpeXbXcWmlaR9PZhWomJ586b1OeF7psyrkOXu7PHMFbYVK6t7rkfnsF9FVAXEF_z9qYdd6yq7sZRqhCkgEwDqZaPg8lBDqiVI04is9Ux1ckCdi1zoggbpZr_i4tJ1iUVNzVnpUh4z0GQ==	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://carsales.au1.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAfnb-qPSyZecO9B5ZfywmNLbpLvp031ot7ln8fPgu7eWwZ19_ZPQHTOqDMGxjirJcrmCsSaiIDmPdIRas_zn4z1go8wNiaf6T7KGdMemdAI87j-2cWRTSM8MgKsIEHUt-&	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://track.unir.net/track/click/30530342/descargas.unir.net?p=eyJzIjoidHJHZnNhZE5kUkNYekRPckgyR3o3alV1Tkk0IiwidiI6MSwicCI6IntcInVcIjozMDUzMDM0MixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvZGVzY2FyZ2FzLnVuaXIubmV0XFxcL2VzY3VlbGFkZWluZ2VuaWVyaWFcXFwvMDUlMjBTZWd1cmlkYWRfZGVsX1NvZnR3YXJlXFxcLzI3NzNlM2RjNTk0NzIyOTZjYjAwMjRiYTc3MTVhNjRlLnppcFwiLFwiaWRcIjpcIjY4YWI2MWQ5NDYzNTQwNmZhNzNlNzA5ODQ4YWU3NGI3XCIsXCJ1cmxfaWRzXCI6W1wiMjY5ZjJjYTk4MmEwODg4OTQ1YmM1MWViYzE0MDZlNmY1NTRmN2MxMlwiXX0ifQ	Get hash	malicious	Jigsaw	Browse	199.232.214.172
	H46cOCmdk7.exe	Get hash	malicious	CobaltStrike	Browse	199.232.214.172
	http://purchase-order-workers-playground-weathered-moon-6962.mslee.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://cloudflare-workers-pages-vless-2gi.pages.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://www.services-nickel.yayra-food.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://sumydeko.blogspot.in/	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	https://bit.ly/3RPGSFw?lBj=IgAqyyGiOF?ehd=cNhnM3Ug7I	Get hash	malicious	Unknown	Browse	188.114.97.3
	a.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	exe	Get hash	malicious	Unknown	Browse	172.67.159.30
	https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfF3sPeQKBD_Act5bCCrkUMkGrd87GXE85ptSvU0h8H9S97li_YZ1W2sNi71P90U8x627NEH6e-kCa62tjlvXVsamrSGp1TAMFtfgRydM8D-QFp4rxbgAeEilnkMUdRVDSB2T_2Qfh0hQuA2S3kIGAGxxOhLGRZlimak4HvWAhPpr3cGXO1dkFMRkycppPQIWKMCxf7zn-Sf2FKVlkV3bIiKpv65JecmpKmv7K1YnibkbTtyYKjzM0RBpe8SGtfO5gpSHLvPTYqZjsrGpeXbXcWmlaR9PZhWomJ586b1OeF7psyrkOXu7PHMFbYVK6t7rkfnsF9FVAXEF_z9qYdd6yq7sZRqhCkgEwDqZaPg8lBDqiVI04is9Ux1ckCdi1zoggbpZr_i4tJ1iUVNzVnpUh4z0GQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://carsales.au1.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAfnb-qPSyZecO9B5ZfywmNLbpLvp031ot7ln8fPgu7eWwZ19_ZPQHTOqDMGxjirJcrmCsSaiIDmPdIRas_zn4z1go8wNiaf6T7KGdMemdAI87j-2cWRTSM8MgKsIEHUt-&	Get hash	malicious	Unknown	Browse	162.247.243.29
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	FIX_0x80070643_(Need_reboot).reg	Get hash	malicious	Unknown	Browse	172.67.201.134
	azl7lFUQ86.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
ORACLE-BMC-31898US	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	paediatric neurologist medico legal 68003.js	Get hash	malicious	Unknown	Browse	158.101.87.136
	paediatric neurologist medico legal 68003.js	Get hash	malicious	Unknown	Browse	130.61.47.235
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	30 - 3050324.scr.exe	Get hash	malicious	Remcos	Browse	188.114.96.3
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_new order.exe_a0ae4b577917af373f82f0f155e6f5f1b3b83e3_63337e3c_36ee73ac-12c9-4d51-9463-803eac033cd6\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0103519843704405
Encrypted:	false
SSDEEP:	192:umorR1Mi0LCD3aWB9f0zuiFMZ24lO8AJ:HorRYLCD3am98zuiFMY4lO8AJ
MD5:	3AD2FDE90B5B233974E1A8F8F411AC42
SHA1:	3EA99818505A3E92F6C230F85877518A0680C2F8
SHA-256:	B99532EA64537B402496A9F726456A3B29882A3EBE608B40949D6ECD438FB406
SHA-512:	3BF060D8FAD37D5D4FA6015ACAD7D85DF0BB3D0E28E5B89BBDE8B7CBFDC9C46EF67C3F1256C318D5A195328209707A1C3FC7C4F15A86A99851F2A01BD3534DBB
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.2.3.1.7.5.5.9.8.7.3.0.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.2.3.1.7.5.7.0.0.2.9.3.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.e.e.7.3.a.c.-.1.2.c.9.-.4.d.5.1.-.9.4.6.3.-.8.0.3.e.a.c.0.3.3.c.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.8.2.5.b.a.e.-.3.0.1.b.-.4.7.b.8.-.9.e.2.d.-.b.c.b.c.a.f.e.a.6.1.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.n.e.w. .o.r.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.y.i.w.u.t.e.f.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.7.0.-.0.0.0.1.-.0.0.1.4.-.2.1.e.d.-.5.f.d.0.f.a.c.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.5.c.3.7.2.a.8.a.1.0.a.4.7.7.9.2.1.0.3.3.2.0.1.7.2.c.7.2.4.e.b.0.0.0.0.0.0.0.0.!.0.0.0.0.d.0.5.9.3.f.f.7.7.1.d.4.c.f.4.8.9.9.0.3.b.8.0.7.a.a.9.3.f.2.9.f.5.a.5.1.f.0.b.5.!.n.e.w. .o.r.d.e.r...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D0.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 14:35:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	374824
Entropy (8bit):	3.19977256781427
Encrypted:	false
SSDEEP:	3072:YjE7XLsHSgxgKvhC2R5t4RNcSv1A1CCq4up3+v0tdN9tdN9tdN9tduxV:YjjHU4z8gq4e3Qjx
MD5:	B6B4786C3D908D7753D61EE539275BCF
SHA1:	277782103AEC28A07020EA1C335703A3C81C247E
SHA-256:	6A55CBE5968BC2B8075B959F82AF62362C8A1DFD197EBD63F496DD33B8D907FE
SHA-512:	80B2C50B957AD69FB37EB735EE5257F31A71CD1CE97BECFBCB4EF7A068DCCBA31F2DD22EBD899553A37D10216F8D0B9E83F0508BE4556FA9CC8BDB2881F3FE6E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Lm.f....................................$...............(........B...s..........l.......8...........T...........x)...............6...........8..............................................................................eJ......L9......Lw......................T.......p...Jm.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9967.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8620
Entropy (8bit):	3.700001010205921
Encrypted:	false
SSDEEP:	192:R6l7wVeJRLu6Y9ov5xRNgmfZjXpr089bjBDfmhm:R6lXJtu6YyvvRNgmftbjlfh
MD5:	9E16B33F6255E08B09C0FC28054540FD
SHA1:	97FE3A754F3309386C429D2D374D89D467125C72
SHA-256:	E08A203C72683A506C4F869DB48A9D64494EA8F1D7B7BD5613C553EDE02D5CC6
SHA-512:	38C51F3B1DDF022D5F86A941B571C7AA586801CA97AF0E8118A6DD432B970C37CC45104AE5ED45629529568486579DA77B39DDE5183892B514095B5E7500FB8D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4808
Entropy (8bit):	4.485231918869779
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYNJg771I9ftSWpW8VYTYm8M4J0E6Fe0yq8v0EjkT5qQq0d:uIjfYnI7UV7VjJ5L0W5Q1Nq0d
MD5:	8FFD57C32D7F95E72F5914B5BFD57EA8
SHA1:	A8FD054EBA481FD26167731BFB9C3FC0BE9D4C1B
SHA-256:	254E91B92B1E124EF5F2CC1AA62898DD600A059B5EF8F2B7ACE7849331157065
SHA-512:	13D115FD30BCBFD47CD545B11627F967F7BFCC3AC59F62F8AAADD9D75D2081AD383071D24C054F4378B2CFF9E7D7D404D90A1EDC6489A3D34C8088EE99A5DBF3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="390578" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4659290662627456
Encrypted:	false
SSDEEP:	6144:LIXfpi67eLPU9skLmb0b49WSPKaJG8nAgejZMMhA2gX4WABl0uNldwBCswSb7:MXD949WlLZMM6YFHv+7
MD5:	2E2BC2A8903F1C1868FCA4366CEC29F6
SHA1:	FAB3F9A6048C0D0A69BFBCD0FB4EBADC0A663D26
SHA-256:	4F5AAAFCD7CEE5B122CFD672950C4641FABCC65317CE08229784EFA2748FE197
SHA-512:	512B98CB5371F739D18A3E22FD53807CDABEBD07510F20EF9DB64B6F0BB69711150262F9D6D709004A59374A432B298D3C591D45BEA586DA8FB0FED070351205
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNR..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.938419313900058
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	new order.exe
File size:	1'838'240 bytes
MD5:	0c5a964f9cbf2fec077302e6baa7316f
SHA1:	d0593ff771d4cf489903b807aa93f29f5a51f0b5
SHA256:	dd93e71cdd590d9c74d24a1b822948e7501b7a38df590d4d52ddf3e862a0cb2d
SHA512:	4947d5c0632be00af4ae33700eb85a82daea3f2e1a373b8e454a7103a6959e7f31b973c135ae498b3c70da1c12cdf3482bf43ad3abf92ce7af3f3a54d47a6817
SSDEEP:	12288:g6R0Jt0zWWrUufKjFokZGX+KxITevb8OaAN:gi0Jt9W6FovBx3DV
TLSH:	02852202B99B8D57FEE094B0C4D633F625FE2E4BB5F9461FDF186C24482127E6260A34
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..4............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x840105AF [Tue Mar 6 15:11:43 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0xa6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x53ea	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3406	0x3600	09ddecbeb982eda1d3ed592764ed6ee0	False	0.6270978009259259	data	6.079577354641394	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0xa6c	0xc00	d6e7ef7ee88bc4992523aef28ce46c8c	False	0.2698567708333333	data	4.3825560350023585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60b8	0x3e4	data			0.4819277108433735
RT_VERSION	0x649c	0x3e4	data	English	United States	0.48493975903614456
RT_MANIFEST	0x6880	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 16:35:51.324655056 CEST	49675	443	192.168.2.4	173.222.162.32
Jun 30, 2024 16:35:56.766865015 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:56.773639917 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:56.773718119 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:56.773911953 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:56.779274940 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:57.538012981 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:57.590204000 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:57.881568909 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:57.886477947 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:58.255080938 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:58.308979034 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:58.335063934 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.335086107 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.335160971 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.340595007 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.340609074 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.817337990 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.817424059 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.821871996 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.821882010 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.822199106 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.862373114 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.904548883 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.972008944 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.972094059 CEST	443	49733	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:58.972238064 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.976824045 CEST	49733	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:58.979564905 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:35:58.984397888 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:59.622612000 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:35:59.625644922 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:59.625736952 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:59.625822067 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:59.626368999 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:35:59.626405954 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:35:59.668416977 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.127298117 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:00.168339968 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:00.182668924 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:00.182713985 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:00.299540043 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:00.299617052 CEST	443	49736	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:00.299680948 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:00.300087929 CEST	49736	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:00.302546978 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.303476095 CEST	49738	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.309492111 CEST	80	49731	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:00.309556961 CEST	49731	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.310286999 CEST	80	49738	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:00.310358047 CEST	49738	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.310446978 CEST	49738	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:00.316963911 CEST	80	49738	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:00.933969021 CEST	49675	443	192.168.2.4	173.222.162.32
Jun 30, 2024 16:36:02.391320944 CEST	80	49738	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:02.392359972 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:02.392472982 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:02.392553091 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:02.392755985 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:02.392792940 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:02.433976889 CEST	49738	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:02.904330015 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:02.912163973 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:02.912260056 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:03.066740036 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:03.066852093 CEST	443	49741	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:03.066932917 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:03.067259073 CEST	49741	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:03.070869923 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:03.076853991 CEST	80	49743	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:03.076940060 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:03.076991081 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:03.082907915 CEST	80	49743	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:05.166853905 CEST	80	49743	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:05.167989016 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.168040037 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.168106079 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.168379068 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.168396950 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.215236902 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.663836956 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.665215969 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.665262938 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.808213949 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.808289051 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:05.808368921 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.808671951 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:05.811642885 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.812617064 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.816948891 CEST	80	49743	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:05.817018032 CEST	49743	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.817456007 CEST	80	49746	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:05.817522049 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.817599058 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:05.822412968 CEST	80	49746	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:07.543121099 CEST	80	49746	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:07.544617891 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:07.544658899 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:07.544723034 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:07.544990063 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:07.545001030 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:07.590367079 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.039324999 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:08.040751934 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:08.040802002 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:08.183006048 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:08.183079958 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:08.183242083 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:08.183548927 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:08.186237097 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.187158108 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.191265106 CEST	80	49746	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:08.191332102 CEST	49746	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.192035913 CEST	80	49750	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:08.192111015 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.192173004 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:08.196875095 CEST	80	49750	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:10.204152107 CEST	80	49750	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:10.205256939 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.205318928 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.205389977 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.205631018 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.205650091 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.240447998 CEST	80	49750	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:10.240622044 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.675332069 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.677153111 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.677210093 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.802392006 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.802526951 CEST	443	49752	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:10.802582979 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.802915096 CEST	49752	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:10.805586100 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.806637049 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.810592890 CEST	80	49750	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:10.811361074 CEST	80	49753	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:10.811419964 CEST	49750	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.811448097 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.811532021 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:10.816226959 CEST	80	49753	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:12.614490032 CEST	80	49753	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:12.615835905 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:12.615895033 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:12.615973949 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:12.616251945 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:12.616270065 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:12.668392897 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.116287947 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:13.118155956 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:13.118196011 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:13.240617037 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:13.240840912 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 16:36:13.240910053 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:13.241278887 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 16:36:13.245804071 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.247189045 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.251169920 CEST	80	49753	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:13.251240015 CEST	49753	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.252070904 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:13.252150059 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.252274036 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:13.257318974 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:15.825575113 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:36:15.871588945 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:36:16.660945892 CEST	62989	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:36:16.665894032 CEST	53	62989	1.1.1.1	192.168.2.4
Jun 30, 2024 16:36:16.666033030 CEST	62989	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:36:16.666127920 CEST	62989	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:36:16.670949936 CEST	53	62989	1.1.1.1	192.168.2.4
Jun 30, 2024 16:36:17.178252935 CEST	53	62989	1.1.1.1	192.168.2.4
Jun 30, 2024 16:36:17.178885937 CEST	62989	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:36:17.184207916 CEST	53	62989	1.1.1.1	192.168.2.4
Jun 30, 2024 16:36:17.184278011 CEST	62989	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:37:02.247169018 CEST	49723	80	192.168.2.4	93.184.221.240
Jun 30, 2024 16:37:02.247267008 CEST	49724	80	192.168.2.4	93.184.221.240
Jun 30, 2024 16:37:02.252938032 CEST	80	49723	93.184.221.240	192.168.2.4
Jun 30, 2024 16:37:02.252948046 CEST	80	49724	93.184.221.240	192.168.2.4
Jun 30, 2024 16:37:02.253007889 CEST	49723	80	192.168.2.4	93.184.221.240
Jun 30, 2024 16:37:02.253010988 CEST	49724	80	192.168.2.4	93.184.221.240
Jun 30, 2024 16:37:07.391824007 CEST	80	49738	158.101.44.242	192.168.2.4
Jun 30, 2024 16:37:07.391917944 CEST	49738	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:37:20.826083899 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:37:20.826143026 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:37:53.247245073 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:37:53.547911882 CEST	49755	80	192.168.2.4	158.101.44.242
Jun 30, 2024 16:37:54.145571947 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:37:54.145589113 CEST	80	49755	158.101.44.242	192.168.2.4
Jun 30, 2024 16:37:54.150219917 CEST	49755	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 16:35:56.746077061 CEST	64398	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:35:56.755206108 CEST	53	64398	1.1.1.1	192.168.2.4
Jun 30, 2024 16:35:58.325541019 CEST	62298	53	192.168.2.4	1.1.1.1
Jun 30, 2024 16:35:58.334506989 CEST	53	62298	1.1.1.1	192.168.2.4
Jun 30, 2024 16:36:16.660096884 CEST	53	56522	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 30, 2024 16:35:56.746077061 CEST	192.168.2.4	1.1.1.1	0xaa44	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:58.325541019 CEST	192.168.2.4	1.1.1.1	0xb643	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:56.755206108 CEST	1.1.1.1	192.168.2.4	0xaa44	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:58.334506989 CEST	1.1.1.1	192.168.2.4	0xb643	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:58.334506989 CEST	1.1.1.1	192.168.2.4	0xb643	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:58.910990000 CEST	1.1.1.1	192.168.2.4	0x1f79	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:58.910990000 CEST	1.1.1.1	192.168.2.4	0x1f79	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jun 30, 2024 16:35:59.434087038 CEST	1.1.1.1	192.168.2.4	0xdfbf	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 30, 2024 16:35:59.434087038 CEST	1.1.1.1	192.168.2.4	0xdfbf	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:35:56.773911953 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:35:57.538012981 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:35:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 307d58429bba973233127ec61e3a5853 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 16:35:57.881568909 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 16:35:58.255080938 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:35:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 86e921b862dfd4049e6d39b664816d4f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 16:35:58.979564905 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 16:35:59.622612000 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:35:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 80702101e56f7478e98d5f76c8c25211 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:00.310446978 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 16:36:02.391320944 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a9a9950b1782889ef65318358fc4e29 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:03.076991081 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:36:05.166853905 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5d8592375fe0177b5cee05ddadbc820c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:05.817599058 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:36:07.543121099 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6a60467e1464e9fcf9616b5139037dd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49750	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:08.192173004 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:36:10.204152107 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e8d5c900e7f5741a2ad8c39c56e5f452 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 16:36:10.240447998 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e8d5c900e7f5741a2ad8c39c56e5f452 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49753	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:10.811532021 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:36:12.614490032 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8b460f0ba65e2e9facfb4f8461220183 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49755	158.101.44.242	80	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 16:36:13.252274036 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 16:36:15.825575113 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Sun, 30 Jun 2024 14:36:15 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 2d18947090de5cacdeeae93130457eb9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:35:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 14:35:58 UTC	700	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:35:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 722 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpjSvqWsRh9GMcJ71O4OINmON6g4EXEaT8PIVBilDhIvqDLpuG7JRkSqdnasnSFeIz5IZpnrO1M4f2fq3JshC2%2B04wfYHSo0LK0IyhR9OZifANTAh2rBkXHcGb5rMiDmI3ZyDdFF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee2cd1f154269-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:35:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:35:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:00 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 14:36:00 UTC	706	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 724 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p9Bw9%2FASZqRgmKi4B5tSLONexPoWaJpz3ORI0E1pwrOLPwY4qyrVux9eZHk3HofDJUCZmpl1hAs4r2q3BqBHzw%2FLjaCywkvW%2BNWWU%2Bp3S52DRd0oB4C2wgF99AkAj1OOOc2hFnez"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee2d55bfd5e70-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:02 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 14:36:03 UTC	710	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 726 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GiKDbFWrEGR31FsUm2Vnti1qA%2FVKJmq6puLcABZTFNzq4hiCs%2BR8dEoL7DSuip2GQwVwcFVinrSiq3hfKk%2F2%2Fq5ggB4LiOl7ZtmZK%2FzliPd49sa3BQ5wz1IB%2Bg4c15ANWjtV0Drf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee2e69d6642a9-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:03 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:05 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 14:36:05 UTC	700	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 729 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9dQHaGKaEuaWi1HImNgCwkxlQIyL5pSeohdruFmtVqflaE2HQsYs%2Fmyya9RG69yGrBKDw8jlbgLCilWQfKVeJFuJ42ubcT730APn1ETRFGTEdmui1gIgiT0BStn6CW4fSJWG5AWA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee2f7cf2f437f-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:08 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 14:36:08 UTC	704	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 732 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N5k0PQ6T8DldwFw5XuYSBfurONp2P6p0WXp%2FzHDnmDpK9eEJO1Ib3JRDpya2IL5dKfkT415JIpRI9M5vVRILxKBHP4A76YHq1boTnuPImIJ%2FydrE%2Be7hlQQBpO48UFjex6oxLBsI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee306accb0f60-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:10 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 14:36:10 UTC	708	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 734 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NDVenUQaysjEpU%2FRnwcAa16uYK5Yaa5FHWSEDXmSFaTDOpAp8zU0nV2ro7ZfnbhaCdNuGWd%2FKtXnzEI%2B9iaKDl2AfgxtwoqKmrTgoJunrseOp9HxpYwzTYPa1sfCsEd4%2Bt%2BoT6HQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee3170f9541de-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49754	188.114.96.3	443	4020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 14:36:13 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 14:36:13 UTC	702	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 14:36:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 737 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HbSDLFIp93Xz0NFin0J7BnvjVWb4iDHPQxoMqdyJEc0Uz5Hp1Or4KfB6rfY1Blv66hk7lypp8jaA8SjqOTa1iHIbC7u0YQd8BeJ343BDjRtRv9YVF9%2B5XYTavcBC5Ps0t%2BYXcOGc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bee32648ae43f7-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 14:36:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 14:36:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:35:54
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\new order.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\new order.exe"
Imagebase:	0x1f69cfa0000
File size:	1'838'240 bytes
MD5 hash:	0C5A964F9CBF2FEC077302E6BAA7316F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1787678653.000001F69F237000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1788161334.000001F6AF0BA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:35:55
Start date:	30/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xb30000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4108863148.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4107554624.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4108863148.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:35:55
Start date:	30/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052
Imagebase:	0x7ff63ba60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B970050 Relevance: 2.1, Instructions: 2101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789636226.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1508777ed516f4291208d9142392ddd2343d0cc373b6e78f48fcb8c31a5333c7
Instruction ID: 5da2f639c84e31cd9e94d6c7073bfc5b0cd029c4c605be48f4e790c06782914d
Opcode Fuzzy Hash: 1508777ed516f4291208d9142392ddd2343d0cc373b6e78f48fcb8c31a5333c7
Instruction Fuzzy Hash: 7CD26D71A1F7CA5FDB66CB6888A55A47FE0FF52700F0901FED089CB1A3DA246946C781

Function 00007FFD9B8A1608 Relevance: 2.0, Strings: 1, Instructions: 704COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8A433F

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 14ec4053f51ca11b1b3a7d51260405ba5fd84a8b570a3108de51d7a794697bb7
Instruction ID: 22c7a9eb761d57fa0ed0ab25d4c9f514682711ff81ca6281d7c86d21305a2b84
Opcode Fuzzy Hash: 14ec4053f51ca11b1b3a7d51260405ba5fd84a8b570a3108de51d7a794697bb7
Instruction Fuzzy Hash: 58128930B0EA4A0FEB6CDB6894A157177D1EF49310B0942BED49EC71A7EE24F8438391

Function 00007FFD9B8A37DC Relevance: 1.7, Strings: 1, Instructions: 469COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFD9B8A3830

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 47c35ab7bda07ae3501814583989c63494e1205684a8336705af03e38b4561fd
Instruction ID: e06781d10c6e28f49abefe7f0ac561ec82bba922d6f07a65285b63734adc0fe9
Opcode Fuzzy Hash: 47c35ab7bda07ae3501814583989c63494e1205684a8336705af03e38b4561fd
Instruction Fuzzy Hash: D0D14B31B1DB8D0FE76DAB68986557977E1EF9A310B0541BFD48BC31E3DD28A8068381

Function 00007FFD9B8AE1C9 Relevance: 1.6, Instructions: 1590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12121efb64171d084d9cdd51c6a072ec3c2a504c383ad70968a6796c95fe6221
Instruction ID: ae578ea6ceb2b3baccf9e134ab727a1f5ecebfe9da64dfc65adf3499bbdc4a81
Opcode Fuzzy Hash: 12121efb64171d084d9cdd51c6a072ec3c2a504c383ad70968a6796c95fe6221
Instruction Fuzzy Hash: 8FB2873070DB494FD329DB68C4A04B5B7E1FF99301B1449BEE48AC72A6EE34E946C791

Function 00007FFD9B8AB641 Relevance: 1.5, Instructions: 1456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7686b0e2b1134519e80f384a4f22f8b5b698565aaaa2722f34cc30df66ea278
Instruction ID: 13a46618ebeccd7b7a50f3a7fa3f2f7c8663cf7c58eb428cef2518e3433ce836
Opcode Fuzzy Hash: d7686b0e2b1134519e80f384a4f22f8b5b698565aaaa2722f34cc30df66ea278
Instruction Fuzzy Hash: B7A2583060DB8A8FD359DF78C4A44B5BBE1FF99300B1545BED08AC72A6EA34E946C750

Function 00007FFD9B8A88A8 Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865c3c1f81ba656b61d604541a0587ecf278fdac1fe027636761813e33fec2a0
Instruction ID: adf82f6a1ed2b249df8e68d5ba967105b1628cd0dbd3401fe8b8ff5752a1cc3a
Opcode Fuzzy Hash: 865c3c1f81ba656b61d604541a0587ecf278fdac1fe027636761813e33fec2a0
Instruction Fuzzy Hash: DF42D630B09A0D4FDB68DB68D865A7977E1FF59300F1501BEE44EC72A2DE24ED428B91

Function 00007FFD9B8AB260 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88310a8bcd9162349fb264c16cda54ed56f651a4b730b32961caaeafe89429b7
Instruction ID: d3187c7951e86e74e1cf0ba25e142c2b2b6cac7d47540ca8f9668d6f5431214a
Opcode Fuzzy Hash: 88310a8bcd9162349fb264c16cda54ed56f651a4b730b32961caaeafe89429b7
Instruction Fuzzy Hash: 22C1BE3160DB894FE32DCB6984A11B5B7E1FF96301B0546BED4C6C72B1DE38A542C791

Function 00007FFD9B8B423B Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8130eddf14788e6c119afae030315eab5dd1653c4978853171f4be0085bddf61
Instruction ID: e07340fdd73d72275641d22161553574ba9c7f870e1d48e4ccd6e8e8717a9ab2
Opcode Fuzzy Hash: 8130eddf14788e6c119afae030315eab5dd1653c4978853171f4be0085bddf61
Instruction Fuzzy Hash: 47418B32A0D28D0FD71E9B7898260B53BD5DB87320B1682BFD08BC75E7DD24590786D1

Function 00007FFD9B8AD6C4 Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

GL_H, xrefs: 00007FFD9B8ADD70

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: GL_H
API String ID: 0-455295749
Opcode ID: 7bb5366ce5a24a496b8ca43ab1294b10f7730d8efa3061d46ce1438df5c89b5f
Instruction ID: c688cdb182c3f0e16e19149f640ad72b0a9468c52c7859e62449d8bc00a181c2
Opcode Fuzzy Hash: 7bb5366ce5a24a496b8ca43ab1294b10f7730d8efa3061d46ce1438df5c89b5f
Instruction Fuzzy Hash: 86322862F0FA4A4FE7B89B98486617477D1EF98310B1505BED48DC72E3ED18B90783A1

Function 00007FFD9B8A19F9 Relevance: 1.8, Strings: 1, Instructions: 582COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8A20A4

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4e2e74d4dd24cfe329bb92ebdd5150ad98b0cd48978ee9602841b28bf563aa76
Instruction ID: 377d2af08b2f9c9becc561924773393481f07a2066e1991d431e6abd050c31ad
Opcode Fuzzy Hash: 4e2e74d4dd24cfe329bb92ebdd5150ad98b0cd48978ee9602841b28bf563aa76
Instruction Fuzzy Hash: 7E020431B1EA494FE7A9EB588465A7477E1EF9A300B0601FAD05EC71A3DE24BD42C351

Function 00007FFD9B8A06F8 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8A20A4

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 07c9160e651420b180d491affeda3efcaab1dc2089b6b16fa7cf91ece333acd8
Instruction ID: a1ce8078504e57bd1aa4c3343d95c94a09ab02807912291d83064e8ac69c2023
Opcode Fuzzy Hash: 07c9160e651420b180d491affeda3efcaab1dc2089b6b16fa7cf91ece333acd8
Instruction Fuzzy Hash: 34B11E30B18A094FE379EB58D4A1971B3E1FF59310B1046B9D49FC36AAEE25F8438780

Function 00007FFD9B8A04C0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

4M_E, xrefs: 00007FFD9B8A0A6F

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: 4M_E
API String ID: 0-500849405
Opcode ID: 87dff2880cc462dce8d41dc044ed86f89a3a97a290b21e27e4a1af8c76bb84ba
Instruction ID: ac5014d59dcd9436beaa5f895e17b5dcd8c477497f9031141a7521d5ff3e5823
Opcode Fuzzy Hash: 87dff2880cc462dce8d41dc044ed86f89a3a97a290b21e27e4a1af8c76bb84ba
Instruction Fuzzy Hash: AB516921B2E64E0FE729ABB8A8222B57B81DF46724F0601BDC4DEC71D7D91978438391

Function 00007FFD9B8A8EC0 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9B8A913D

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 742fe2729d08cb05d89030da54422a79447e3c4fce2724b9eaabf4de10c6d5a1
Instruction ID: ca062863238b63673862d33a2c66f753905cd8b4b4327add94eb3565633ae84d
Opcode Fuzzy Hash: 742fe2729d08cb05d89030da54422a79447e3c4fce2724b9eaabf4de10c6d5a1
Instruction Fuzzy Hash: 2B516B30A1DB494FE729DB6888695B17BE0EF1A30074644BEC4DBC75E3D929BC038791

Function 00007FFD9B8A2DE0 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8A433F

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 31e77a93b29dd635808463f8fc7dbef6dbaa52082368b138ca12b16366184c09
Instruction ID: a8b8e210f97026503cd1bb7b22224696f52c1cb90823e7f8119d383daf9e2723
Opcode Fuzzy Hash: 31e77a93b29dd635808463f8fc7dbef6dbaa52082368b138ca12b16366184c09
Instruction Fuzzy Hash: 1151C230A19A094BDB6CEF48C4A193573D1FF59304B1901BCD95EC72A7DE24F953C691

Function 00007FFD9B8B3B29 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFD9B8B3B96

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 95eb34906b83dd409710fc4c2fe0d24943d28809e10e6e8817ced8b63a5cb2a2
Instruction ID: 53146ce84267765d0b44eeb4d9200654cd3325e9d0d9f20024107e571c849cb7
Opcode Fuzzy Hash: 95eb34906b83dd409710fc4c2fe0d24943d28809e10e6e8817ced8b63a5cb2a2
Instruction Fuzzy Hash: 5F514C3270E7890FD31E967C9C661607FE1DB8722071982BFD086CB2B7E9186C078791

Function 00007FFD9B8A09E5 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

4M_E, xrefs: 00007FFD9B8A0A6F

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: 4M_E
API String ID: 0-500849405
Opcode ID: 75b8eb375e58f4c277b76feb1e2459cd679d490ed2f0ccb51543b46e35953ff7
Instruction ID: 879c030250a37f1156e781518b2d2f6f7ff7c55d93910872eebd8f4f2758e9de
Opcode Fuzzy Hash: 75b8eb375e58f4c277b76feb1e2459cd679d490ed2f0ccb51543b46e35953ff7
Instruction Fuzzy Hash: 78316D52E2FA4D1FE765A6B458272B53BC0DF57620F1A02BDC8CEC71A7E848B8034391

Function 00007FFD9B8A905E Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9B8A906B, 00007FFD9B8A913D

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 81e47919d059c76c17e3d8085dfe1db88a2fe8a71944fd0e32d61304b9986a1d
Instruction ID: a30d911d95b1af29eb8a9111291e44b09cc17917f4661359a15ea166e2da33bd
Opcode Fuzzy Hash: 81e47919d059c76c17e3d8085dfe1db88a2fe8a71944fd0e32d61304b9986a1d
Instruction Fuzzy Hash: 14315630A1DA084FE769EB1C89465B0B7E0EF48300B5149BDC49F83AA7DD29B95387C1

Function 00007FFD9B8B405D Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

_t~, xrefs: 00007FFD9B8B4126

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: _t~
API String ID: 0-2958133298
Opcode ID: c1fc801d2bdaf878eceea34a9de3c616f1d156c578afdefd78c70911447776fb
Instruction ID: 29de7bdf26a7401d41f6f4027d2813f4d0cec7a12fe09d032a23b5010cf74942
Opcode Fuzzy Hash: c1fc801d2bdaf878eceea34a9de3c616f1d156c578afdefd78c70911447776fb
Instruction Fuzzy Hash: 8931002164E7CA4FD317977488605A07FB1EF97320B0A02EBC095CB1E7EA1C2946C7A2

Function 00007FFD9B8A0DA9 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

1M_H, xrefs: 00007FFD9B8A0DBF

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: 1M_H
API String ID: 0-1421203058
Opcode ID: 99c39ba08d11c8b6bfaedb91566c981634502adb6f29a821567eec7a06d641f6
Instruction ID: f797c5c98ead4c170d50f692695a6416c40df85e3c483699b09be2e6ef986100
Opcode Fuzzy Hash: 99c39ba08d11c8b6bfaedb91566c981634502adb6f29a821567eec7a06d641f6
Instruction Fuzzy Hash: 0DD05E9062BAC95BD343A3304D623283AC09F56209F1604DCCC598B5E2C609290A8312

Function 00007FFD9B8A88B0 Relevance: 1.0, Instructions: 971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde0416f6a77f6d3ad562cf944feaf7ca81ce94381bcbacce0d3dec2999f31aa
Instruction ID: bbb69185b9824055928a7eb9c56eb614de5648246b2b6a50f6e883b32697bcb2
Opcode Fuzzy Hash: cde0416f6a77f6d3ad562cf944feaf7ca81ce94381bcbacce0d3dec2999f31aa
Instruction Fuzzy Hash: 2E62587071EA598FD7A8DB68D46167977E1FF99700F0100BEE48AC72B2DE24ED418B81

Function 00007FFD9B8B31C5 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e2415c81c2e02a5fd169efbda20e84ec17ae8dda6c2f4c0785315fdef9203
Instruction ID: 9305400c7688b9881f6008eacf7fe8a5f1edfd841ed295a4644933972778e64e
Opcode Fuzzy Hash: 205e2415c81c2e02a5fd169efbda20e84ec17ae8dda6c2f4c0785315fdef9203
Instruction Fuzzy Hash: 5CF13571A1EA9E4FE379D77C98262657BC0EF9D310F0502BAD48DC71F2DA18A9064BC1

Function 00007FFD9B8A3331 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2b7fd42834162b6f7d605cee672356a4277e51b3f03fc9800d86f70ba4358e
Instruction ID: 2391163d64a96ac1f7fd7e539578a7e22e860308217db6910d18b99b98a28367
Opcode Fuzzy Hash: 7b2b7fd42834162b6f7d605cee672356a4277e51b3f03fc9800d86f70ba4358e
Instruction Fuzzy Hash: 03C18C21B1EA4A4FE7399BA4D8A11B977D1FF95300F19417ED08BC32E6DE2CB9438250

Function 00007FFD9B8A6620 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c46b535e5772093703d36b455803b3dce254f493971f5c172d697a94948ee5
Instruction ID: 73ea2c612a9f8d6370af090c6b08d904ad72efd9347737e0c1b3a73b768d57c8
Opcode Fuzzy Hash: d7c46b535e5772093703d36b455803b3dce254f493971f5c172d697a94948ee5
Instruction Fuzzy Hash: BDC1AA71B1EA0A8BEB2C9B2884A11B5B3C1EF99310F1501BDD49FC74EADD18F846C790

Function 00007FFD9B8A72D3 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1471a955eca1a554a09991684898a84a674db2778e5c7023c4e5ee0ef9d1234
Instruction ID: 69d313e0b643edcdb9a8dd774dfaf94d14e93a2fa3305d40c04c0aa609a0d7d5
Opcode Fuzzy Hash: b1471a955eca1a554a09991684898a84a674db2778e5c7023c4e5ee0ef9d1234
Instruction Fuzzy Hash: 1EA12771F0E68D8FDB45EBA8D865AEC7BF0FF59310F0500BAD049DB1A2DA24A905C750

Function 00007FFD9B8AAE9F Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24d4035050786d06427f01dc39946936397e6c95f53b56b3b32740a2b9441a4
Instruction ID: a46c77be08e069df6ed178049926cda8f3da6306e5005a2425aae47ff929e344
Opcode Fuzzy Hash: d24d4035050786d06427f01dc39946936397e6c95f53b56b3b32740a2b9441a4
Instruction Fuzzy Hash: 7F819C70B1DB890FE32DC75948A11757BD2EFC9301F04867EE4DAC32A5D934A9028791

Function 00007FFD9B8A7F98 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0b6a8882848f14b8ce8f6223d002770dd69e7772e1babc07a01a37560779f7
Instruction ID: 06190b798a01ee290349e1998989d249754c1aa3a683effdc10c90d78d0b47f6
Opcode Fuzzy Hash: 9f0b6a8882848f14b8ce8f6223d002770dd69e7772e1babc07a01a37560779f7
Instruction Fuzzy Hash: D7713431B0D94D4FDB59EB58E865BB87BE0EF58311F0501BEE44EC31A6DE24A902C741

Function 00007FFD9B8B2465 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471bb6b1ceb0a8033189501580d3df498940a95c89c64ba2d37ce2bba51545e0
Instruction ID: 8c83e3792cffd6a67ca4e37f887393e8f3d1dbffecdddca0e1500a474eed0196
Opcode Fuzzy Hash: 471bb6b1ceb0a8033189501580d3df498940a95c89c64ba2d37ce2bba51545e0
Instruction Fuzzy Hash: 7A711631B0D98C4FDB59EF68E865BB97BE1EF59300F0501AED44DC71A6DE24A902CB81

Function 00007FFD9B8A04B8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338c01ed29067dda7b2bb2c5a5fc89b61010f2b9712ba982ee5c505c38dd656a
Instruction ID: 0e8b2f7df041d8b68ee0edddc85dd2ceaa869dd557b0d65352c9be205ffcbe65
Opcode Fuzzy Hash: 338c01ed29067dda7b2bb2c5a5fc89b61010f2b9712ba982ee5c505c38dd656a
Instruction Fuzzy Hash: B071D530B29A0D4FE768A7B894257B9B6D2EFCD714F15407AD00EC32E6DD28A9428251

Function 00007FFD9B8ACA3A Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97644a03a593f6a2789d3472618a65a11b7c0b4d6631145d2163393e99747ef3
Instruction ID: ab9fcd08cc476a83ab252e30165e6dcead290f3b065ce4fb33417a71e509576d
Opcode Fuzzy Hash: 97644a03a593f6a2789d3472618a65a11b7c0b4d6631145d2163393e99747ef3
Instruction Fuzzy Hash: 9661E771B0990D4FDBB8DB6CD86967977D5EF5C301B0500BEE08EC72A2DE24AD428B91

Function 00007FFD9B8B0690 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b1dc7d06488327cd343d51ac2d4810d79a456cae0e27526389432f94c90fe2
Instruction ID: 6ce9636b881e6eb8ea25d07a157406cf084f8eee536d7aff28901370d79d0d18
Opcode Fuzzy Hash: 50b1dc7d06488327cd343d51ac2d4810d79a456cae0e27526389432f94c90fe2
Instruction Fuzzy Hash: E8716B71A2E75E8FE3748B79982667477D0EF9A710B0501FEC04DC71A3ED196A068BC1

Function 00007FFD9B8B2480 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e140dc5103412d2d61f59c1abf1d316685ff850d2d35480ee20bb1a0f562ab54
Instruction ID: bb9e8d6d1204cee0a1dc1f15996ae795d4ca671d897bfc0600e943d73797bcc0
Opcode Fuzzy Hash: e140dc5103412d2d61f59c1abf1d316685ff850d2d35480ee20bb1a0f562ab54
Instruction Fuzzy Hash: F261E531B09D8D4FDB58EF6CE465AB97BE1EF59300F04016ED44DC32A6DE20A902CB81

Function 00007FFD9B8A6066 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8dd41a9587b9d69b3090ee6a2fc2aaaaaee77e524863d992461f31972ce21a
Instruction ID: eff997e3e6c21a6f183239407205420e4525b89ebe7e49aee5f77ad7d052b9b6
Opcode Fuzzy Hash: 5a8dd41a9587b9d69b3090ee6a2fc2aaaaaee77e524863d992461f31972ce21a
Instruction Fuzzy Hash: 97710475A1991E8FEF98DF58C460AF877E1FF98304B11017DC41ADB1AADA35E642CB80

Function 00007FFD9B8A1698 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba4ece63aba235f2d5d0f476f9aa40ac74eee37aa2979ef1696f0dd875e2043
Instruction ID: 039b44fd6ca76a93a710966b0a0b969bd82903706efd37fd4be15207a8601589
Opcode Fuzzy Hash: 2ba4ece63aba235f2d5d0f476f9aa40ac74eee37aa2979ef1696f0dd875e2043
Instruction Fuzzy Hash: 7D51D620B19A0D4FE768B7A894257BDB6D2EFCD714F15417AE40EC32E7DD28AD028261

Function 00007FFD9B8AC6ED Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf85784d75fa25d677aebcae163d63d7f0efa23d35f689fdf9a8f4c853642a4
Instruction ID: b13cc66534c7090704af6fd97828d4d84e29ab7422b0b2f9b034b02db297bbe0
Opcode Fuzzy Hash: 9bf85784d75fa25d677aebcae163d63d7f0efa23d35f689fdf9a8f4c853642a4
Instruction Fuzzy Hash: A551493161E79D4FD369976C8865476BBE1FF8A710B0503BEE0CBC32D2DD29A9028791

Function 00007FFD9B8B2F85 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaff3b02a139b6e412f3a22ef1e3b6b5e0b94327c0d8de420431c6296fc65a39
Instruction ID: 6b833e3debbdfbd6facfcb158f20df9a9f6cbfa35885ee26a9fdfda86f5b199d
Opcode Fuzzy Hash: eaff3b02a139b6e412f3a22ef1e3b6b5e0b94327c0d8de420431c6296fc65a39
Instruction Fuzzy Hash: 7251077090AA8D8FDF55EB78C465BA97FF0EF19301F0901AED409D72F2CA25A841CB81

Function 00007FFD9B8B0604 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e65580abf2f635ae8ea3e7131584fe57604319478f00eb33f7ab6d09fb16fb
Instruction ID: eed69442e5d63883b1623d1edaa07d7ec2fd7edd3b208949c99f0f148981754c
Opcode Fuzzy Hash: 75e65580abf2f635ae8ea3e7131584fe57604319478f00eb33f7ab6d09fb16fb
Instruction Fuzzy Hash: 8651283172E75D8FD374DB68942167477D0EF99710F0501BED08EC71A2EE25AA468BC1

Function 00007FFD9B8A29ED Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fdb9c414e9c5bca61f15e6eb810b28054156a69b8b352866a77fec83f8d56d
Instruction ID: 3a2f6b00f26ad15adf09b2160cd8251b4a399536fa36eb3570cac88e3d8b9004
Opcode Fuzzy Hash: 81fdb9c414e9c5bca61f15e6eb810b28054156a69b8b352866a77fec83f8d56d
Instruction Fuzzy Hash: 89411721B0AE4D4FDB68EBBC5C656B877D1FF9D351B0502BAD00EC32E6DE28A8018351

Function 00007FFD9B8A7344 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b12ceaa6ee605c0ec2747ef5979f96131ce79c90bdca0700704daaaa48500dc
Instruction ID: 431d52afd7c83cd4bf233f71bddaf3ce0d8df03d2d32a1dbaa080349fa4a2422
Opcode Fuzzy Hash: 4b12ceaa6ee605c0ec2747ef5979f96131ce79c90bdca0700704daaaa48500dc
Instruction Fuzzy Hash: 0B31A531A0EB8D4FDF55DB5CC865AAC7BF1EF55300F0500A6D44DDB1A2DA24A940CB51

Function 00007FFD9B8A31C9 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c492eb55c730e4ce12e22d49d1804cfad3791c4b1449557f3fa2fcafae9c36
Instruction ID: a4b1053ab52f5c28a9c0f1a6aa96f92741bf8f321df5da620164d9c9be75808b
Opcode Fuzzy Hash: 43c492eb55c730e4ce12e22d49d1804cfad3791c4b1449557f3fa2fcafae9c36
Instruction Fuzzy Hash: 5C414812B0EA8E0FE76997AC98753B83BD1EF99211F0901BBE04DC71E3DD0C59858352

Function 00007FFD9B8A8468 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0fce715bb2eb0e251d48a295f0cebfb22a30efa21577800bbd8ba175b26aad
Instruction ID: ccba8eec9af989dddb17cade69d5fdc131ba308b8211f7061e78f3ce874b63d8
Opcode Fuzzy Hash: ec0fce715bb2eb0e251d48a295f0cebfb22a30efa21577800bbd8ba175b26aad
Instruction Fuzzy Hash: F741E370A09A4D8FDF98EF68C465BAD7BE0EF5D301F0501AED40AD72E1CB25A841CB81

Function 00007FFD9B9710C9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789636226.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caf3a05b8450df1940de0bf9d173448f748000ec6cb2cdbc5b06c7980d3dbdc
Instruction ID: c2ac36d3ad38de41ea8b55d7dac083088c0db2f4cec26015425a5fd650416fb2
Opcode Fuzzy Hash: 6caf3a05b8450df1940de0bf9d173448f748000ec6cb2cdbc5b06c7980d3dbdc
Instruction Fuzzy Hash: 4F418B31A1E7DD5FDB56DF24C8A45A87FE0FF65308B0601FAD089CB1A3CA25A945C340

Function 00007FFD9B8B36F0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbd601b5b216257ec9e4b377ceb192771f5e8092ffb5ccb65048b986ce8c0a6
Instruction ID: a8fd71dcc26f6335ab9c01233146215ee3b55cbde34dfad664d09daf76e09e00
Opcode Fuzzy Hash: 0bbd601b5b216257ec9e4b377ceb192771f5e8092ffb5ccb65048b986ce8c0a6
Instruction Fuzzy Hash: B341C252A1DBC64FE75AA77408719A1ABA1EF65210B0942FBD09EC34E7FC1C68068752

Function 00007FFD9B8AF219 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c17af87d1b506f6c7408839c221f20f31799f87371f87970249ff05cbcafb5
Instruction ID: 1744deb2b945b0c2d776b95c616f7fab328a9e17685c10f0d80f8889e3cb75ed
Opcode Fuzzy Hash: 72c17af87d1b506f6c7408839c221f20f31799f87371f87970249ff05cbcafb5
Instruction Fuzzy Hash: 7641F652B1EB8A0BE759567C1C7A7B57BD1EFA9200F0501BEA449C72E3ED186C064391

Function 00007FFD9B8A3E3D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704c4cbc4cd5d5b23e780472a87c7e21ead7827641cfbccb78efba43452dd271
Instruction ID: 3c8204c4a51c0c423376163196459237ddd2798162a769ae0ac006081bfa8c5d
Opcode Fuzzy Hash: 704c4cbc4cd5d5b23e780472a87c7e21ead7827641cfbccb78efba43452dd271
Instruction Fuzzy Hash: 6941367060EA994FD71A9B2888745757BE0FF9A300B0905FED08ACB2F7DA1DE645C351

Function 00007FFD9B8A7FCF Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763430ce91f24aa5e2f3f8c8ff80d5449bac4810f5896c52aedc614110b0343d
Instruction ID: 8d316f495e604b2c2ac67d5012ee72cccea39190f844559f51280704328c43af
Opcode Fuzzy Hash: 763430ce91f24aa5e2f3f8c8ff80d5449bac4810f5896c52aedc614110b0343d
Instruction Fuzzy Hash: BE413752B1DA8A4BF769967C1C7A7B177C2EFA9300F1501BEE44DC32E7ED582C0642A1

Function 00007FFD9B8A7FA0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2da75b2a8acecccda69bb85db5cb1b64196484e82621a8e6b1018957ef2a97
Instruction ID: 2866f2402476da3df6ca0f8ddbdde93257e17cd9f308522e4a57a37e4f925510
Opcode Fuzzy Hash: 9c2da75b2a8acecccda69bb85db5cb1b64196484e82621a8e6b1018957ef2a97
Instruction Fuzzy Hash: 62412762B1DA8A4BE76D967C1C7A7B177C2EF99200F0501BEA44DC32E7ED586C064291

Function 00007FFD9B8A86E8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942e2806c5e562444c971373e242a3015d99971bdff822a492933fd84395d9c2
Instruction ID: 3f98d4f979cc5d729195bbd3c0dd17d87c4ba6624fde6ebb915bc15b58956f84
Opcode Fuzzy Hash: 942e2806c5e562444c971373e242a3015d99971bdff822a492933fd84395d9c2
Instruction Fuzzy Hash: 49315A52B1EE4E0BE7A8D7AC28797B566C2EFAC250F0541BBE44DC32E6DC156C424391

Function 00007FFD9B8AB418 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a19ab0929bbee51b037ed67758ac97a06c5fe1fb5fbe875ece9c6d9fe2e5d8
Instruction ID: 73ca3f205516b59bb56be099c6a9d6ac6b88ebe7cf490ca22143e3ab5265cd34
Opcode Fuzzy Hash: 28a19ab0929bbee51b037ed67758ac97a06c5fe1fb5fbe875ece9c6d9fe2e5d8
Instruction Fuzzy Hash: 0D41263060DB894FD358CB1884A15B9BBE2FBD9301F15867EE0CAC32B1DA34E541C792

Function 00007FFD9B8B42A8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4897aea6390d5aa259b324682f2456b3421f8d439210eb073cca1f810e255bd0
Instruction ID: 985b0f0b91edb4679e1fd0ea6bddb320012b3f3010c8b8b94a3a2f7c2d414f76
Opcode Fuzzy Hash: 4897aea6390d5aa259b324682f2456b3421f8d439210eb073cca1f810e255bd0
Instruction Fuzzy Hash: AD317A31A0D78D0FD72E9B7488255A53FA4EB47310F1A82BFD08AC75E7DD5859068392

Function 00007FFD9B8A8460 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f0c38c4e69300bca2643682b120999761ea890128d86f5d32183012af583de
Instruction ID: 4fd82ac43df50329712dbf9ab554964f5fd3e1eb61a56de57940e8aad7e078cc
Opcode Fuzzy Hash: 93f0c38c4e69300bca2643682b120999761ea890128d86f5d32183012af583de
Instruction Fuzzy Hash: BA41A270A0AA5D8FDB59EB78C8197A97BE0FF19301F0505BDD80AD71B1DB7599008B80

Function 00007FFD9B8AB3C8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5986589ef0d885bea00d3cc0dc3c55b1faa1d458ba8939ba6bce7127b24c33c5
Instruction ID: cd656a7245eb67265f5ff769c2f8b6b455d09c51dc2e9e484d27ce970a983250
Opcode Fuzzy Hash: 5986589ef0d885bea00d3cc0dc3c55b1faa1d458ba8939ba6bce7127b24c33c5
Instruction Fuzzy Hash: 7831073170CB854BE318DB2C84A15B5BBE2FBD9301B158A7EE4DAC32B5DA34E541C791

Function 00007FFD9B8A0F31 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e71a2d19a7884f0915ec00fb52dc5d7dd6f0761d8deb6b7d8ffd2e4731677d6
Instruction ID: 703ec7466a4a36a7a93e691492c8026cfa9eb46fc90542ce9923ede7b9987ce1
Opcode Fuzzy Hash: 6e71a2d19a7884f0915ec00fb52dc5d7dd6f0761d8deb6b7d8ffd2e4731677d6
Instruction Fuzzy Hash: 7231D231A19A985FDB55EB78D869AE9BBB1FF49700F0400EEE04DC72D6DE249802C741

Function 00007FFD9B8A0C29 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea0476faf67e71a67143d0426b06bf97d0b4f9780a435331611b65b8f525bc7
Instruction ID: 793abb2d96f5c4af619f0fbdaee64768bfe24791098eec98862f4522ca31806b
Opcode Fuzzy Hash: bea0476faf67e71a67143d0426b06bf97d0b4f9780a435331611b65b8f525bc7
Instruction Fuzzy Hash: 7921A721F2EE8E0FE765D7AC98612B977E2EF89600F1602B7E04DC32E2DD285D414391

Function 00007FFD9B8A3055 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c07faa7366df3c7390cfc97cdd78644c4e99bf23ac946756dabd7b1119bf49
Instruction ID: 8fc3b0c3c7fea67299303e2f837826adf42858dc487fb8fd81b481a1bd5089d6
Opcode Fuzzy Hash: b1c07faa7366df3c7390cfc97cdd78644c4e99bf23ac946756dabd7b1119bf49
Instruction Fuzzy Hash: 2531B171A0EB8D4FDB5697785C663A97FA0EF4A205F0501FFD44AC72E3CA28190583A2

Function 00007FFD9B8AAEFF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cb93a6e67d659660509030d0573d1ef58aa8811f1bf3a173ead36513576cf0
Instruction ID: bfe65ac912174932f952f971e6d78148bd3c8f59729294ec040c195e9423b85a
Opcode Fuzzy Hash: 72cb93a6e67d659660509030d0573d1ef58aa8811f1bf3a173ead36513576cf0
Instruction Fuzzy Hash: A531083070CB854BE318CB188491575BBE2FBC9301F148A7EE5DAC33A6DA34E545C791

Function 00007FFD9B8B0469 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47eec522ef9fa4ec55ff29eee9abdf0d2ea2b6604c1cecdb358809064d445ab
Instruction ID: 87053442b8dd2d5dadf18d4c5cfdc996b1c348c833a5e8f490c433f6dc93109b
Opcode Fuzzy Hash: b47eec522ef9fa4ec55ff29eee9abdf0d2ea2b6604c1cecdb358809064d445ab
Instruction Fuzzy Hash: FE31E07071DA498FD749E72C98A57397BE1EF99201F0500BDE48AC72B2DA24E8418B81

Function 00007FFD9B8A6C89 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be90f575b89882a5302e3785463dc1d5dbee074eb60a5f8f5bfab68ccdd4677
Instruction ID: 1e75708eb2a98ae5aa0afd5d45b6e4573e1bd6723b24ee0afc52a2dacba2d190
Opcode Fuzzy Hash: 8be90f575b89882a5302e3785463dc1d5dbee074eb60a5f8f5bfab68ccdd4677
Instruction Fuzzy Hash: 4F21773160E69A0FE752973498251F53BD1EF89314B0A01BAE08CCB1E6CA1DDB82C3A1

Function 00007FFD9B8A04D8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570aca4f901389fa018c2f8eca84a46bd5727ffa3f98c88a019ba28668716c63
Instruction ID: 44c0b41572921eccca838ccd6a87d7c5aefd0048038358efbec4474e6be08c54
Opcode Fuzzy Hash: 570aca4f901389fa018c2f8eca84a46bd5727ffa3f98c88a019ba28668716c63
Instruction Fuzzy Hash: 7A318071F299589FDB55EB68D869AADBBA2EF58700F0400ADE04ED32D5DE34A802C741

Function 00007FFD9B8A0DD5 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c6f7025ab90b6ed6098ba05564b5287b917e255b009e9f9c8fa13c1fc82084
Instruction ID: 17c4f7f96fb708da303cf0cd24309a11b5bfaed25593e84aa9956d39c7821e67
Opcode Fuzzy Hash: 08c6f7025ab90b6ed6098ba05564b5287b917e255b009e9f9c8fa13c1fc82084
Instruction Fuzzy Hash: 86210662B2EE8C4FE7A5E37C58253286AC2EF5E655F0602FAD44DC72E3DD18AC018351

Function 00007FFD9B8AC008 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f252af0fa76b05f3607144062660abfa5b804257163e34a1513b39222ae7a5de
Instruction ID: de4a20a9daba1e676f1abf7ca13d89863689e37e0ce0c3d69a65ade3d2901c01
Opcode Fuzzy Hash: f252af0fa76b05f3607144062660abfa5b804257163e34a1513b39222ae7a5de
Instruction Fuzzy Hash: 5921C535619B494BE354DB38C4A40B1B7E1FB983097244ABEE49DC32A6EE35E982C750

Function 00007FFD9B8B2ED9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9ee37c56a6b98d0aa8d60c0d563fd05ce26d09a9baef69d9df03b513db03a5
Instruction ID: 6ff223001b14ac80f086b86f252f084bb1cbc580bfbee1af4e7fbc56ebcc0264
Opcode Fuzzy Hash: 6b9ee37c56a6b98d0aa8d60c0d563fd05ce26d09a9baef69d9df03b513db03a5
Instruction Fuzzy Hash: 46210421A0D95D4FE351EBB8D4242B97BD0FF5D300F0501BAD48CD72F2DE18AA828781

Function 00007FFD9B8A0620 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd8cacaec1cb7e8543f3806be93a95e6d65c34edf8178666627254bd8e20a90
Instruction ID: 9063730d9fa0f77fc49af505282a872976c0d400de59296074b551ef484eee5c
Opcode Fuzzy Hash: dcd8cacaec1cb7e8543f3806be93a95e6d65c34edf8178666627254bd8e20a90
Instruction Fuzzy Hash: 05110622A1FACE0BE366677448717A57AE1DF97240F4E41FED489871E3ED0C6906C351

Function 00007FFD9B8A2BA2 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00be071aad7460fa765c01e28e8b6e3607e6319d4217cf7a5cfd956c0d0405a
Instruction ID: bbc4a0889932d8a3b8f513bbe6375c5c7ae2f0348412d75195874b7349df9772
Opcode Fuzzy Hash: c00be071aad7460fa765c01e28e8b6e3607e6319d4217cf7a5cfd956c0d0405a
Instruction Fuzzy Hash: DB21276190E7CE1FD7539BB49C696A97FF0EF46250F0400EBD898CA0A3E969154A8312

Function 00007FFD9B8A0939 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665909ce3640c54bdac3bec89263f494eb880f34e36effa3983e563cb1d7c002
Instruction ID: 877a5ae478b81d778beedc604708dfc6bd918d4eda5beaf938309efc6c2fa8e1
Opcode Fuzzy Hash: 665909ce3640c54bdac3bec89263f494eb880f34e36effa3983e563cb1d7c002
Instruction Fuzzy Hash: 2811B46151F6C94FE712A7B488627E5BF90EF4B214F0A01FED58DC70E3DA1C25068362

Function 00007FFD9B8A103A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee23d11e63293ea50835c0008348a98c505d7beb5f85b8f150c816f35970fb0
Instruction ID: bfaef5d11eb17bfcd862533446e0d24597ebea9ba70ee32b45bb5ee56ed88ad2
Opcode Fuzzy Hash: 4ee23d11e63293ea50835c0008348a98c505d7beb5f85b8f150c816f35970fb0
Instruction Fuzzy Hash: 35113C31B0990D4FDF95EB9894A2AECB7A2EF5D310F41113AD00EE3296CE25A942C790

Function 00007FFD9B8A8458 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc89a066af32d463855a8d3d06601d9d771777a008252ce70b769c767f8a04d
Instruction ID: 47813046139f3d7eba7227ad6522e1f4af4b07fa8e700ccd604a6a7f5cc0eed2
Opcode Fuzzy Hash: cfc89a066af32d463855a8d3d06601d9d771777a008252ce70b769c767f8a04d
Instruction Fuzzy Hash: 3801D412F1AD2F0BEAA9A26D24B527926C7DFDC60071A41B5A84CC22AADC559D424380

Function 00007FFD9B8A8888 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78234938da4ffdf5105e487f55f4cdfbee00e903dc568970e5eaadd46b278eec
Instruction ID: b71b34cdbc367082a2f28cb4d21326d3ebc590f91854a520e24ed48cb34e2e36
Opcode Fuzzy Hash: 78234938da4ffdf5105e487f55f4cdfbee00e903dc568970e5eaadd46b278eec
Instruction Fuzzy Hash: 6F11A330A09A0A8BD768EB28D4A497A73E1EF98315B55053EE44EC32A1DE38E941C751

Function 00007FFD9B8A4665 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5919e940b600f2151796cec988c0937a3b7dfc1890697da0a50d15ff226e40cd
Instruction ID: 41a1e440e2d809be0088c7b0c237f4b878294ae6a0e89931285df6ac5b1b3a4a
Opcode Fuzzy Hash: 5919e940b600f2151796cec988c0937a3b7dfc1890697da0a50d15ff226e40cd
Instruction Fuzzy Hash: BF11593150DBC84FDB92DB2884645653FF1EFAE320B1D02ABE4C8C72A3DA24A945C752

Function 00007FFD9B8B356F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7d892fd1fec8c9bf1da905d36b1400192418210a1c7aec23126899479d5174
Instruction ID: 6221736dde2ff41d1b094a07bce0a507cabd5e400d099dcda265c1af4bf9b6b0
Opcode Fuzzy Hash: 7f7d892fd1fec8c9bf1da905d36b1400192418210a1c7aec23126899479d5174
Instruction Fuzzy Hash: F7012822B1DA1E0FE61DBAAC583A6B422C6E769710F16423FD44AC72E3EC1498420680

Function 00007FFD9B8ADF0C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff04bb0a457e78c9bbc318ecaedc139feaf2d683b9674ddea6d30f33ca7b7f7
Instruction ID: 5823e624d8f7932f3e42b6003959f63aed61692b1a60eb8edaad387001ec8f4f
Opcode Fuzzy Hash: 1ff04bb0a457e78c9bbc318ecaedc139feaf2d683b9674ddea6d30f33ca7b7f7
Instruction Fuzzy Hash: EBF04C53F0FEAA0AE7B542DC28752A61BD1DF9D650B0981FBD59CC21F6EC495C8243C1

Function 00007FFD9B8AC8A1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b511df16db12b9e43c5b2787ff03203af9a811ae5c0ef6b5effca1658a0e024
Instruction ID: cc5e12a0ccae0af11cc73c97d49de990e84ba6042e23bedb51be1434e4145b29
Opcode Fuzzy Hash: 3b511df16db12b9e43c5b2787ff03203af9a811ae5c0ef6b5effca1658a0e024
Instruction Fuzzy Hash: E3F04C3160EF8D0FC766DB3C8854461BBF0FFA921030902EBC09AC76A6DE14E8478380

Function 00007FFD9B8A86F0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09f78ec56769ec178eaad708233d6bfb96711e63d6a2554dffc691256c83fed
Instruction ID: 00d27dabc2f4aa4ea5fa016076ab735d516fd9bae997664964cc288bd091f13f
Opcode Fuzzy Hash: e09f78ec56769ec178eaad708233d6bfb96711e63d6a2554dffc691256c83fed
Instruction Fuzzy Hash: A5F0BE63F1ED2E06E7B4829C38652BA12C2DF9C650B0681B7E85CC22E9ED566C4203D4

Function 00007FFD9B8A2999 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b358e73850e7b02f292762c106c74fa0be9d432ddae61149fa5c823f2624ab86
Instruction ID: 467f084855759d63a487870b1dd30e6814e781570c40f206756740aa12074742
Opcode Fuzzy Hash: b358e73850e7b02f292762c106c74fa0be9d432ddae61149fa5c823f2624ab86
Instruction Fuzzy Hash: 83F0B421B0EB484FC799B77C58655547BE1EF5E31078A01F6E008CB2E3ED18DC428351

Function 00007FFD9B8A04C8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f178bb4dd70c2a59a97be4712afc468c4c2f1618726b60d7d531b9c9319ef6
Instruction ID: 413e4e013f23fb39dd77f34029b971dc6039056fc939d04aff079855304d8e05
Opcode Fuzzy Hash: 49f178bb4dd70c2a59a97be4712afc468c4c2f1618726b60d7d531b9c9319ef6
Instruction Fuzzy Hash: 59016791A2F6CD5FEB52B77849253646FD1AF1A305F1A04F9E44DCB1E3D51458058312

Function 00007FFD9B8A2CD8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ded2626ef24bf659a84c688e008a1c97dbb2af1ff69095014fe7fc68b67c8ce
Instruction ID: 312295227922eaa3a602bcbd85714bc8a06cb1160f937e31e91c07a2f40d1414
Opcode Fuzzy Hash: 1ded2626ef24bf659a84c688e008a1c97dbb2af1ff69095014fe7fc68b67c8ce
Instruction Fuzzy Hash: 78F08235618D0D5F87B8EA2C9854962B3E1EBA831031506BAD45AC3668DE24E8428780

Function 00007FFD9B8A3543 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f359c75c4c85c22149bd8f18d1ff5c85cf5a4ed6caf030ee6660c93128f2795
Instruction ID: b7595e0e504e040a30d3de66b01f2fce7fd4628b49f5edde73e20dc9695e169c
Opcode Fuzzy Hash: 2f359c75c4c85c22149bd8f18d1ff5c85cf5a4ed6caf030ee6660c93128f2795
Instruction Fuzzy Hash: 3CE09B3374D6090AE61C4958F8121B9B3C0E78A135B51253DD5CBC1591ED2A65931145

Function 00007FFD9B8B3602 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a644fb73e65d04d7fa7266585e7be0e66a06772b5260b0cf9c15dd6b414900cd
Instruction ID: 6c21df0d11046a2ea954597e14be55e367c82ad4264d38ecd58caa4f081a7641
Opcode Fuzzy Hash: a644fb73e65d04d7fa7266585e7be0e66a06772b5260b0cf9c15dd6b414900cd
Instruction Fuzzy Hash: 32F0EC3270811E8FD71DBEB848298743687E359750B25417FD846CB3F5EC64D95246C4

Function 00007FFD9B8B3E2E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b2aaae4cdb8b3707ed13d5ad199603baf3e2635b015ed9f1d7eed245316d02
Instruction ID: 0c0a5ba58a3990ed9e9647ca626b94d24079220ab70d6769ed262172e58d42d2
Opcode Fuzzy Hash: 65b2aaae4cdb8b3707ed13d5ad199603baf3e2635b015ed9f1d7eed245316d02
Instruction Fuzzy Hash: 57F08921B1D90E47D7288A789CA15AAB382DB983147144377D016C2AE4ED34A9074AC0

Function 00007FFD9B8A29B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9bfa20fa78b40194a25e5eb31fc40fc38f0f9fa2bc60593aae33ffaf5c3a4b
Instruction ID: ecbdfb42359807be6de1437eb52429252cea55365864282d36a7c7af4b9d1782
Opcode Fuzzy Hash: fd9bfa20fa78b40194a25e5eb31fc40fc38f0f9fa2bc60593aae33ffaf5c3a4b
Instruction Fuzzy Hash: EFE04F30B15D1C4FCB98B77CA81956872D5EF8E31178505F5F40DC72A6ED28DC418390

Function 00007FFD9B8AF5E7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccf1a82ac4de39877290e2b0f278bb539ee7e9f85a6f41ebcf008a34b4dee1d
Instruction ID: 03706a199d611b2a714266b014fb3319f15793fb3830171a0804c847fafc9bbf
Opcode Fuzzy Hash: bccf1a82ac4de39877290e2b0f278bb539ee7e9f85a6f41ebcf008a34b4dee1d
Instruction Fuzzy Hash: 72F0F870A1884C8FDB85EB68C855F88BBF0EF5A304F190098D049DB2A6C624D882CB00

Function 00007FFD9B8A0CFE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547c118e43a80aed61dd2a957ac42f1ecf6304075ab955852925949c6111252a
Instruction ID: c5fe0e6e1f1f65701cee7d2e14c051611bcf6f402f9926c2098ac7c50da004a3
Opcode Fuzzy Hash: 547c118e43a80aed61dd2a957ac42f1ecf6304075ab955852925949c6111252a
Instruction Fuzzy Hash: A0E07D3650D98C0BDB80EB58AC214D67BA0FBC9308F01069AF55CC7251D6115515C341

Function 00007FFD9B8A0906 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a40339a011705cc30947dc44bc915e0b766e672870ff79364a6bbc22947a670
Instruction ID: a3febaf738480ee468b1985d07daf9b2dca1d91ad9a3517312a1eeefcf0cda86
Opcode Fuzzy Hash: 8a40339a011705cc30947dc44bc915e0b766e672870ff79364a6bbc22947a670
Instruction Fuzzy Hash: 8CE02B3294EE4C4BCB44EB6D6C610C677A4FF5D348F05065AF55CC3192F7269A61C382

Function 00007FFD9B8B4155 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf86defee36e4e8357ea352db0d391a8e0d7362ea0b6ef0ff040212343f4a38
Instruction ID: 50f633727170791d12dfef550201e7617b57a1b416671c6656e3cc59abed52e5
Opcode Fuzzy Hash: cdf86defee36e4e8357ea352db0d391a8e0d7362ea0b6ef0ff040212343f4a38
Instruction Fuzzy Hash: BDE0923470D60E8BD72CEFA0C5A10797293E798361B14867EC207872B1ED68AA058A88

Function 00007FFD9B8AA48C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bcb0c669a5af3c9121f8ace5cd531d5d263705bc83e3d453a55c7f5fd4c616
Instruction ID: fce6e427fc6ebae4e9127c0e109cd7319926773f3388dd80a718732e785840e7
Opcode Fuzzy Hash: c1bcb0c669a5af3c9121f8ace5cd531d5d263705bc83e3d453a55c7f5fd4c616
Instruction Fuzzy Hash: E9E0C27040B7C90FDB175B7048653827FE09F07218FAD04DEDCC49A2A3D26E515A8302

Function 00007FFD9B8B4853 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d789476a1f191c47435e1524304304e53e8cda8def1982566dd81e1754485e6
Instruction ID: c58c0d32b08fa88d44260c3500c49bf9cc6c3eb8ddaa7ce0c4bfca7b81ed97b4
Opcode Fuzzy Hash: 7d789476a1f191c47435e1524304304e53e8cda8def1982566dd81e1754485e6
Instruction Fuzzy Hash: 3FE02B7550A60A8FE750EB74C405599B3B2FF18344F110679D059CB162DB31E641DB41

Function 00007FFD9B8A46EF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf010af8b4258a77295bbc93523ea2aa9a463dabe5ec71be5a02ad79f26db052
Instruction ID: fb0319936369df96ffc023d38fd6979d20c807529b2548b4720cc58ca5a1a8a6
Opcode Fuzzy Hash: cf010af8b4258a77295bbc93523ea2aa9a463dabe5ec71be5a02ad79f26db052
Instruction Fuzzy Hash: B8D01213B9ED1C0B455465CC7C1217CB3C1D7CE536740037BD44DC2258D91A594282C3

Function 00007FFD9B8B453F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b7dca7cb48f0320125f5956256d05039ace2ca29a239a591904d0c92ce4fe5
Instruction ID: 044ad423cc9419dbf77968e43823d289745b0de1af013fdbeadbf2e823e6ee59
Opcode Fuzzy Hash: 71b7dca7cb48f0320125f5956256d05039ace2ca29a239a591904d0c92ce4fe5
Instruction Fuzzy Hash: 74E0EC71B2DB064BC22CDE2CC466426B3E6FBDD704B155A2DE5C787256CA21B8018A86

Function 00007FFD9B8B4A9C Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5b855ac597b642e9c35f056fc668c17144015dc2b20237fb3d4d416232357a
Instruction ID: 8ea0a3d197c6f53c79f720dcbe2aba62fab4e6adcfdea16f33acd59d04797487
Opcode Fuzzy Hash: ce5b855ac597b642e9c35f056fc668c17144015dc2b20237fb3d4d416232357a
Instruction Fuzzy Hash: F9E0C23111A65A8FD358EB54C0229BAF7E8FF89305F29866EA087870A6CB34A141C751

Function 00007FFD9B8A4010 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367fb8b9de0dadef33767175bcc6543de8594cba4be55ad31257b66a85c73575
Instruction ID: 4aca5244fedc497bbca9aa846cd172e85f8dd02a70da4ef0a1ccddfdac9add65
Opcode Fuzzy Hash: 367fb8b9de0dadef33767175bcc6543de8594cba4be55ad31257b66a85c73575
Instruction Fuzzy Hash: 09D02E7080F2CC0BCB262B3048653167FD09F0A218FE800EDEC840A2A7D22E515A8302

Function 00007FFD9B8B47FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7797eb0f97b38f778213fec03cc9f67fe921a6421bf925765bf9a785b551ef
Instruction ID: d6096ce6be37d7d3561b7237383c6ce914a63bedae902d45024b5b75bbe2d6b4
Opcode Fuzzy Hash: 2b7797eb0f97b38f778213fec03cc9f67fe921a6421bf925765bf9a785b551ef
Instruction Fuzzy Hash: 97D0123474AA0987D228565C555213472D59B4D714714103CE14FC2762CC29A9424945

Function 00007FFD9B8A1575 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9abfb88946d9d92a762bbf63b930def042fa36916b34344e9d2096f8bcf167b
Instruction ID: 017fd69324eb9c9d2473267a88eb5eedc55a8bd620e081d50998a787c1844e78
Opcode Fuzzy Hash: e9abfb88946d9d92a762bbf63b930def042fa36916b34344e9d2096f8bcf167b
Instruction Fuzzy Hash: B5C0805670B7E91AC313326CAC264E9BF14DD4322530B03FBD15945453D504127AC3A1

Non-executed Functions

Function 00007FFD9B8A86D3 Relevance: 5.2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A87C2
L_^, xrefs: 00007FFD9B8A8762
L_^, xrefs: 00007FFD9B8A8722
L_^, xrefs: 00007FFD9B8A86C2

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: cc5cb8e99ebdba82af335f365e86b6ea0611b262da15aac618332d7e92b3cab9
Instruction ID: 774b54db340da0f1578ab0fafe29ca09c1e28a5f59fa52791e1627683f95f1a2
Opcode Fuzzy Hash: cc5cb8e99ebdba82af335f365e86b6ea0611b262da15aac618332d7e92b3cab9
Instruction Fuzzy Hash: 744128B3A0A69A4BE71B5B6DAC764ED37D0EF1011C70941B6C5A88B183FF24754F4191

Function 00007FFD9B8A84F2 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A84F2
L_^, xrefs: 00007FFD9B8A857A
L_^, xrefs: 00007FFD9B8A852A
L_^, xrefs: 00007FFD9B8A856A

Memory Dump Source

Source File: 00000000.00000002.1789454647.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_new order.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-3393518990
Opcode ID: ff759d006c44bff590a30fb76146f6902f80ae20ca82a5877403b10f8d4efc0d
Instruction ID: 9a3fa9219ea43ed9e0d29028c099d43f094746d28b90ecccf67e880a75f73e0f
Opcode Fuzzy Hash: ff759d006c44bff590a30fb76146f6902f80ae20ca82a5877403b10f8d4efc0d
Instruction Fuzzy Hash: D53124B3A0A5675BE61A5B2A9C264C97790FF2021C30952B6C5A88B1D3FF24B40B4595

Analysis Process: MSBuild.exePID: 4020, Parent PID: 3696COMMON

Executed Functions

Function 014EB328 Relevance: 6.6, Strings: 5, Instructions: 351COMMON

Download Yara Rule

Strings

LjAp, xrefs: 014EB6CF
LjAp, xrefs: 014EB6E5
PH^q, xrefs: 014EB747
0oAp, xrefs: 014EB562
PH^q, xrefs: 014EB758

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a5bf6824d8ff61dffff2ea669c56d2d804460b28655971db8114420eef685705
Instruction ID: 71e9ea5ec086e121aefa117bd61a2068cc0a18c92475374309a1b80fce90df9a
Opcode Fuzzy Hash: a5bf6824d8ff61dffff2ea669c56d2d804460b28655971db8114420eef685705
Instruction Fuzzy Hash: 42E1FA75E00219CFDB14CFA9D988A9EBBF1FF48311F15846AE919AB361DB30A841CF51

Function 014EBEB0 Relevance: 6.4, Strings: 5, Instructions: 193COMMON

Download Yara Rule

Strings

LjAp, xrefs: 014EC0A5
PH^q, xrefs: 014EC107
PH^q, xrefs: 014EC118
LjAp, xrefs: 014EC08F
0oAp, xrefs: 014EBF22

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: fa4dda32a74c6f07b45a66923a757d18d21e90e735f269c81cf47f61239d1e14
Instruction ID: f2db88fe7e5267e7ce29905d2c54a5e76b47be9b66cb1fa6cc2daa9bdd50d4ed
Opcode Fuzzy Hash: fa4dda32a74c6f07b45a66923a757d18d21e90e735f269c81cf47f61239d1e14
Instruction Fuzzy Hash: DC91B8B4D00258CFDB14DFAAD984A9DBBF2BF89301F14C06AE509AB365DB319981CF51

Function 014EC752 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

0oAp, xrefs: 014EC7C2
LjAp, xrefs: 014EC945
PH^q, xrefs: 014EC9A7
PH^q, xrefs: 014EC9B8
LjAp, xrefs: 014EC92F

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 149b33708feb06230522ae316d99016eedf2c2f4fbc9bc77401c06ee40564e7d
Instruction ID: dbee1fbcb5dd4d5c05d314a6a76da1cab8c36f1b02f292f9a70ce8eb4f4ebcc8
Opcode Fuzzy Hash: 149b33708feb06230522ae316d99016eedf2c2f4fbc9bc77401c06ee40564e7d
Instruction Fuzzy Hash: 0581B874E00218DFDB14DFAAD988A9DBBF2BF88311F14C56AE409AB365DB349941CF10

Function 014EC190 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oAp, xrefs: 014EC202
LjAp, xrefs: 014EC36F
LjAp, xrefs: 014EC385
PH^q, xrefs: 014EC3E7
PH^q, xrefs: 014EC3F8

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: ba735176b8d5e299d94eb151075b06845242fd74dc1f1a934d100ad2231017b5
Instruction ID: dbd0442d704b03200faf6bf3bc10b2c0c5659dbcc4359ba883d8cefb6ee012ea
Opcode Fuzzy Hash: ba735176b8d5e299d94eb151075b06845242fd74dc1f1a934d100ad2231017b5
Instruction Fuzzy Hash: B181B774E00218CFDB14DFAAD984A9DBBF2BF89301F14C06AE419AB365DB309945CF50

Function 014EC470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oAp, xrefs: 014EC4E2
LjAp, xrefs: 014EC665
PH^q, xrefs: 014EC6C7
LjAp, xrefs: 014EC64F
PH^q, xrefs: 014EC6D8

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: df03d4aa51d483b9ba0f5cbb639ec304ceddfce977deb31d2342891b985b9e0c
Instruction ID: b2b0fb76ea8003f3d340f4a3acd424dcf91b3274c2e70d36472d1eb80b8534a5
Opcode Fuzzy Hash: df03d4aa51d483b9ba0f5cbb639ec304ceddfce977deb31d2342891b985b9e0c
Instruction Fuzzy Hash: 6081B974E00218DFDB14DFAAD984A9EBBF2BF88301F14D56AE419AB365DB346941CF10

Function 014E4AD9 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oAp, xrefs: 014E4B4A
PH^q, xrefs: 014E4D41
PH^q, xrefs: 014E4D30
LjAp, xrefs: 014E4CB8
LjAp, xrefs: 014E4CCE

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: e90eb8b8285ddc0fcde2ae9da46eec6bb6fa2fdc1b68f22fe3ccd81e875de392
Instruction ID: d0939153f793d01a0ad5a463052625ccfb08dac339d9469f66ec7319a79129a8
Opcode Fuzzy Hash: e90eb8b8285ddc0fcde2ae9da46eec6bb6fa2fdc1b68f22fe3ccd81e875de392
Instruction Fuzzy Hash: 5C81B874E00218DFDB14DFAAD984A9DBBF2BF88301F15D16AE419AB365DB349981CF10

Function 014EBBD2 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oAp, xrefs: 014EBC42
PH^q, xrefs: 014EBE38
LjAp, xrefs: 014EBDAF
PH^q, xrefs: 014EBE27
LjAp, xrefs: 014EBDC5

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: aaed1aad5bfcb7c3ea1e16c25f7e7333dc0a40053f69d87891d8be7b678f107f
Instruction ID: 32d905f2d60357a797360666c9ca8756c78dfff0fee5ad4e2cc351c60f051739
Opcode Fuzzy Hash: aaed1aad5bfcb7c3ea1e16c25f7e7333dc0a40053f69d87891d8be7b678f107f
Instruction Fuzzy Hash: 2C81A474E00218CFDB14DFAAD984A9DBBF2FF88311F14806AE509AB365DB355941CF11

Function 014ECA32 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 014ECC87
LjAp, xrefs: 014ECC25
PH^q, xrefs: 014ECC98
LjAp, xrefs: 014ECC0F
0oAp, xrefs: 014ECAA2

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 39dd3bc254244087063677a2de4001e5085d310d6073657c1f3fd2532a62f3d9
Instruction ID: 4095e2e8a9d2aa706ace47b18b0e78a9209eea15803f3d20c1bff2366c71c4f9
Opcode Fuzzy Hash: 39dd3bc254244087063677a2de4001e5085d310d6073657c1f3fd2532a62f3d9
Instruction Fuzzy Hash: 8A81A874E00218DFDB18DFAAD984A9DBBF2BF88301F14C06AE519AB365DB349941CF10

Function 014E6880 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

,bq, xrefs: 014E6A00
,bq, xrefs: 014E69F2
(o^q, xrefs: 014E6988
(o^q, xrefs: 014E697A

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 58b1e66f611cf41b4671f39474ba6ced06d8f779cbd474bd38a5d0fc78283a36
Instruction ID: b82183789c4d31cb4773ca7bc2eb24dc77c010356191e0b08694224f2988b02d
Opcode Fuzzy Hash: 58b1e66f611cf41b4671f39474ba6ced06d8f779cbd474bd38a5d0fc78283a36
Instruction Fuzzy Hash: EED13970A001199FDB15CFA9C988AAEBBF6FF99301F16806AE515AB375D730E841CB50

Function 014EB4F2 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

PH^q, xrefs: 014EB747
0oAp, xrefs: 014EB562
PH^q, xrefs: 014EB758

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: c60a920fbf56a18c972afbfe75eac254ec4be298d8bf0105afb0bb981d07ef32
Instruction ID: f31dd2cb49aa5e84baa1d74fef62588c9686e9d5c1ab7cfea249faa7f2b7f55a
Opcode Fuzzy Hash: c60a920fbf56a18c972afbfe75eac254ec4be298d8bf0105afb0bb981d07ef32
Instruction Fuzzy Hash: 5F61E474E002588FDB18DFAAD984A9EBBF2FF89300F14C06AE508AB365DB745941CF11

Function 014E9858 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

(o^q, xrefs: 014E9C78
4'^q, xrefs: 014EA273

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 719c8aade5dbf2769806fe3356a338593193ddf245e9c322065236b47ea6a519
Instruction ID: 5f304e7f3a40816db50ad7de2ffd481b5814bcce47812a6e4306f323ff6dc199
Opcode Fuzzy Hash: 719c8aade5dbf2769806fe3356a338593193ddf245e9c322065236b47ea6a519
Instruction Fuzzy Hash: C472A470A00209DFCB16CF68C988AAEBBF2FF88316F158556E9159B3B5D730E945CB50

Function 014E6108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 014E6642
Hbq, xrefs: 014E650E

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 2cacce7351d0cd15db36f4ee6a73a46165363473324a1feacb054b5dd84a78ce
Instruction ID: 86f64d40ad03e1cf187fb6aeab26c6e5250f3e30178c488829249dea55347352
Opcode Fuzzy Hash: 2cacce7351d0cd15db36f4ee6a73a46165363473324a1feacb054b5dd84a78ce
Instruction Fuzzy Hash: 7512C270A002198FDB19DF69C854AAEBBF6FF88301F15856AE509DB3A5DF309C46CB50

Function 014E3572 Relevance: 3.0, Strings: 2, Instructions: 474COMMON

Download Yara Rule

Strings

$^q, xrefs: 014E3596
Xbq, xrefs: 014E35AF

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: be967aff7d985e4b55a1109e0527e89e6b5ffaed07a2d94448ccc4becc2a5909
Instruction ID: 4232fa7d5fc454578d6024c46a9dac640f962e7f30a258fe6f972d103b7121c2
Opcode Fuzzy Hash: be967aff7d985e4b55a1109e0527e89e6b5ffaed07a2d94448ccc4becc2a5909
Instruction Fuzzy Hash: BF029474E01259CFDB19DF79D4945AEBBF2FF88311B14856AE406AB368DF349802CB81

Function 068B8BF2 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068B8E9A
PH^q, xrefs: 068B8EAB

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 32fc1c1f45d654080214cd1f84c96ddc2d36910385f17f77891a8f4e83c09253
Instruction ID: 30d2a87168c01ca1becd78d30c5a6267c986887a47de63cda0191b4b983ca715
Opcode Fuzzy Hash: 32fc1c1f45d654080214cd1f84c96ddc2d36910385f17f77891a8f4e83c09253
Instruction Fuzzy Hash: CF9113B0E00218CFDB68CFA9D894AEDBBF2BF89300F24916AD459AB354DB745941CF50

Function 068B11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9828c07a34280900b3f1fc38fbcd4d62a68fc08cd78219740220cfd0bae5e481
Instruction ID: 1c237283d32533bf7592f2b55f7be334454ad5a9068ca0b37d9bf52ef50f7b3c
Opcode Fuzzy Hash: 9828c07a34280900b3f1fc38fbcd4d62a68fc08cd78219740220cfd0bae5e481
Instruction Fuzzy Hash: 21826D74E012288FDB65DF69D998BDDBBB2BB89300F1081EA950DA7364DB315E85CF40

Function 014EEE68 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0fcb7791cc720772cc982164086f887c3b32ed4e5253f168e5e0074b2aa8d7
Instruction ID: 729b7b44ea801977a4b0ce0f0eb09e89b45b00d63fca1f013a56af8daacefdf6
Opcode Fuzzy Hash: 8c0fcb7791cc720772cc982164086f887c3b32ed4e5253f168e5e0074b2aa8d7
Instruction Fuzzy Hash: 2872DF74E012298FDB65DF29C984BE9BBF2BB49301F1491EAD508A7365DB309E85CF40

Function 068B8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56cec48e269e9bfd54d8491f1a7dbb1fbeafdc355beacee61d715847cf669d7
Instruction ID: f98bc8fbd22ae04e7c2e1a59a65427aadabd3e793f11f2ec9f8dcaebdadb1891
Opcode Fuzzy Hash: e56cec48e269e9bfd54d8491f1a7dbb1fbeafdc355beacee61d715847cf669d7
Instruction Fuzzy Hash: E0E1C3B4E01218CFEB64DFA5C954BDDBBB2BF88304F2081A9D508A7394DB355985CF54

Function 068BB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38696e5f3ccca507fc9e79aa01ba43d0d1192a7962a43c582f8586f30e9b7f05
Instruction ID: 8ff7aad2adff381834f062419cecbdc752bdf605b596cee94ec5c35ba50b1d4f
Opcode Fuzzy Hash: 38696e5f3ccca507fc9e79aa01ba43d0d1192a7962a43c582f8586f30e9b7f05
Instruction Fuzzy Hash: FEA1A070E012288FEB68CF6AD944BDDFAF2AF89300F14D1AAD509A7254DB345A85CF50

Function 068BD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64976d4e678793867bc1e41d7981bfe5b963b380537d37deba94f9d1692736a
Instruction ID: 2642decd49452c4eae2645c9e1e26537d7553a5e301d4ebdb59e5e4c6def1233
Opcode Fuzzy Hash: e64976d4e678793867bc1e41d7981bfe5b963b380537d37deba94f9d1692736a
Instruction Fuzzy Hash: EDA1AF74E012289FEB68CF6AD944BDDBBF2AF89300F14D0AAD50DA7254DB345A85CF50

Function 068BC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf4000d972af362bc37fe08b6a42841fda63a60c04d6ae006dbb6fd27a687d9
Instruction ID: 0cb96b898fdae08633c4fbe968158800a39607c27094a5f161f560759a771668
Opcode Fuzzy Hash: bcf4000d972af362bc37fe08b6a42841fda63a60c04d6ae006dbb6fd27a687d9
Instruction Fuzzy Hash: 72A1A270E012288FEB68CF6AD944BDDBAF2BF89300F14D0AAD50DA7254DB305A85CF54

Function 068BA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95498833ba7f3dc3f09e32c83004e763ef733c1f1f399d1690cdb0aedf96389
Instruction ID: 94361300d877e78bac14ec533a366217b59572bcaac4c972c6eac8fda9fcbae3
Opcode Fuzzy Hash: e95498833ba7f3dc3f09e32c83004e763ef733c1f1f399d1690cdb0aedf96389
Instruction Fuzzy Hash: 52A1A374E012288FEB68CF6AD944BDDBBF2AF89300F14D1AAD50DA7254DB305A85CF51

Function 068BC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2995f66d1b091e4b2ba4784454282170bf90335cb5de00976fac648c9a7d771f
Instruction ID: 04afb1bf908f79f14810793f7d888fcd007f6832896a3aa865d631c7042e1dc7
Opcode Fuzzy Hash: 2995f66d1b091e4b2ba4784454282170bf90335cb5de00976fac648c9a7d771f
Instruction Fuzzy Hash: 5DA1A174E012288FEB68CF6AD944BDDFAF2AF89300F14D1AAD50DA7254DB705A85CF50

Function 068BBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0575dbac67a7613e193a40373ee92e438b941efa53b5265aa1dabe800af6665d
Instruction ID: 60471eee08817b613f2d8663ff5f7f47c3324efc2098fc5cbfd3a52b13316020
Opcode Fuzzy Hash: 0575dbac67a7613e193a40373ee92e438b941efa53b5265aa1dabe800af6665d
Instruction Fuzzy Hash: A8A1BF74E012288FEB68CF6AD944B9DFBF2BF89300F14D0AAD509A7255DB705A85CF50

Function 068BAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b68caa405b653843d107d09fd91ece1a432e451166d85ac45000b9f4a6551d
Instruction ID: fb8ba264bb33e61f6681c657d24a3e0a5dc3d681267e0cdc08d383d50191e4f8
Opcode Fuzzy Hash: a1b68caa405b653843d107d09fd91ece1a432e451166d85ac45000b9f4a6551d
Instruction Fuzzy Hash: BCA1AF74E012288FEB68CF6AD944BDDFBF2AF89300F14D1AAD509A7254DB345A85CF50

Function 068BB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc8b52f876f2c48d304878a0ccf48071254640173beddbdd3ba9c9007a71f0f
Instruction ID: 423047fe7a91195ffd1adbb0df6aa9f9192c2534e9755fba523b7a1bbd4f5700
Opcode Fuzzy Hash: 1cc8b52f876f2c48d304878a0ccf48071254640173beddbdd3ba9c9007a71f0f
Instruction Fuzzy Hash: 91A1AE74E012288FEB68CF6AD944B9DFAF2BF89300F14D1AAD508A7254DB305A85CF50

Function 068BD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4c7f0b322240c6ce2aa686614a2a5b736bf5ce8d3e1659af98df1246c00227
Instruction ID: 9c31425ce4fde0f3c1c3fc60e7512f2c7e8a90c54e481d6e7300fc46e04c67e1
Opcode Fuzzy Hash: ae4c7f0b322240c6ce2aa686614a2a5b736bf5ce8d3e1659af98df1246c00227
Instruction Fuzzy Hash: BCA19074E012289FEB68CF6AD944B9DFAF2AF89300F14D0AAD50CA7255DB305A85CF51

Function 068BD018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab846ada5663e1579ad0282433f352e556aef567ea9813f3d03501ccdade0b7
Instruction ID: 5ba825c4919f83bf3634ec45f97e4d850a1e8225f3f095119fe533758c4bd9ae
Opcode Fuzzy Hash: dab846ada5663e1579ad0282433f352e556aef567ea9813f3d03501ccdade0b7
Instruction Fuzzy Hash: C681A570E016189FEB68CF6AC944B9EFBF2AF89300F14D1AAD50DA7255DB304A85CF51

Function 068BAA48 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2aa772f53f623289ae3766ecc64bb416f2141866c135f1eb21970abd4b8afd
Instruction ID: ee8c2e688ba783d2cff7c4836800810cbf7024e2619a8caeac9b0f28d4ff179b
Opcode Fuzzy Hash: 4f2aa772f53f623289ae3766ecc64bb416f2141866c135f1eb21970abd4b8afd
Instruction Fuzzy Hash: B471A570E006288FEB68CF6AC944B9DFBF2AF89300F14D1AAD50DA7254DB345A85CF51

Function 068BC378 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a7deae8d2c0711c8f1f38a2f4e48e6f6b073fc2dfcfb76134b26317dc87b8b
Instruction ID: b76742e9e3788aed2abeb38ff4dbdec9cb9b5021fd03623210b304932ab9ed62
Opcode Fuzzy Hash: 40a7deae8d2c0711c8f1f38a2f4e48e6f6b073fc2dfcfb76134b26317dc87b8b
Instruction Fuzzy Hash: 9D51B7B1D016588FEB58CF6BC9557CAFBF3AFC9204F14C0AAC54CA6265DB740A868F10

Function 068B85F8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a3e10e425d3773bd4ba069e64b0da7625643ac86e009ac337d1ef0eec6d0e7
Instruction ID: e6eb900ffd15f15947c6a3aac43f4505e497242174424c574e0e964b30e03ac6
Opcode Fuzzy Hash: 51a3e10e425d3773bd4ba069e64b0da7625643ac86e009ac337d1ef0eec6d0e7
Instruction Fuzzy Hash: 7C41C2B0E016088FEB58DFAAC8547DEBBF6AF88304F14D16AC418AB294DB354946CF54

Function 068BD663 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb00ec532ab335c169b1892a9a043f758a027c950f7ab8549a2aca273905b67
Instruction ID: 6d2330be416f2a8f0e22ac7afd3378e3e3479f4aa0454ba016abdba2dc0a981f
Opcode Fuzzy Hash: 1bb00ec532ab335c169b1892a9a043f758a027c950f7ab8549a2aca273905b67
Instruction Fuzzy Hash: 784178B1D016188FEB58CF6BC9457DAFAF3AFC9300F14C1AAC54CA6264DB740A868F51

Function 068BBD28 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffb26a5ba42cfef2c2c4fe4d61710e5155d9b621822ec4b37c101e6b43d9cb7
Instruction ID: 2bb392d5e7efad7588a63ee5e909311f7c4eba19a1a8e0dce5563055dd94140a
Opcode Fuzzy Hash: 2ffb26a5ba42cfef2c2c4fe4d61710e5155d9b621822ec4b37c101e6b43d9cb7
Instruction Fuzzy Hash: FE416871D016188BEB58CF6BD9457C9FAF3AFC9300F14C1AAC54CA6254DB740A868F51

Function 068BA3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cfa37e0f9040900e09e30f802b9177fabed61608750ff647101c9ed490527d
Instruction ID: a8a75e1796324307b173dd3298440bfca43c76c2cb2ae9cece394621e4065594
Opcode Fuzzy Hash: b6cfa37e0f9040900e09e30f802b9177fabed61608750ff647101c9ed490527d
Instruction Fuzzy Hash: F34177B1E016189FEB58CF6BD9457CAFAF3AFC8310F14C1AAD50CA6264DB740A858F51

Function 068BB6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6349f6af29e874cba15d8d70f64ba6d1f8834a8c848d0482b935cbc6523439c
Instruction ID: edaed3271b5673a417333fc3d8962c8431ffbf60b43afa8ffc5f6616aac03879
Opcode Fuzzy Hash: a6349f6af29e874cba15d8d70f64ba6d1f8834a8c848d0482b935cbc6523439c
Instruction Fuzzy Hash: 394168B1D016188BEB58CF6BD9457D9FAF3AFC8304F14C1AAC54CA6264EB740A868F51

Function 068BC9C8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b295acdae5da8275eb583719fe770bc938c1bd89aa4849d0d03b5ad2b7895f4
Instruction ID: 841ebe7cacb27f158bf43e4912ee762e811e1c83b358892e0941d431369cbc63
Opcode Fuzzy Hash: 2b295acdae5da8275eb583719fe770bc938c1bd89aa4849d0d03b5ad2b7895f4
Instruction Fuzzy Hash: 224168B1E016188BEB58CF6BD9557C9FAF3AFC9304F14C1AAC50CA6264DB740A868F51

Function 014E6E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

,bq, xrefs: 014E7308
(o^q, xrefs: 014E701A
(o^q, xrefs: 014E7377
(o^q, xrefs: 014E6E96
(o^q, xrefs: 014E6F51
(o^q, xrefs: 014E7367
,bq, xrefs: 014E72F8
(o^q, xrefs: 014E6F7D

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 50dac40ea32592dbbe9a7432a787fdd128c3ef136e5993acbfd0584948be7f29
Instruction ID: 34fb0d18a4e1ebbf3be704499d5a0a86a91a0a0c1c8825d60dd92eb0d0213416
Opcode Fuzzy Hash: 50dac40ea32592dbbe9a7432a787fdd128c3ef136e5993acbfd0584948be7f29
Instruction Fuzzy Hash: F7124C30A002099FCB15CF69D988A9EBBF2FF48326F15855AE919DB361D730ED45CB90

Function 014E77F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$^q, xrefs: 014E8314
$^q, xrefs: 014E8337

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 345465d8c34ffc8e6725cb9a81e9c15a4384abfad46a8e1d19945155dedd98e0
Instruction ID: 13628799794adcd8837fd686ec123dc15512a4f3230b27a4bec79a1f2501d518
Opcode Fuzzy Hash: 345465d8c34ffc8e6725cb9a81e9c15a4384abfad46a8e1d19945155dedd98e0
Instruction Fuzzy Hash: 83525774A50229CFEB15DBA4C854BAEBBB6FF84300F1081A9C10A6B3A5CF355D85DF51

Function 014E87E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'^q, xrefs: 014E8837
4'^q, xrefs: 014E8811

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: e5608aa21b47be0159920c52281bb7acebf6646ecc68fae2b61098aa48cb8e0c
Instruction ID: 7a514d4eef7a6133d5addd5da68e57717bb3a31c9219d14d6df73905cbb21d6b
Opcode Fuzzy Hash: e5608aa21b47be0159920c52281bb7acebf6646ecc68fae2b61098aa48cb8e0c
Instruction Fuzzy Hash: C5B151707505028FEF159B2DC95CB3A3ADAEF85606F1544ABE546CF3B1EA39CC428742

Function 014E56A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hbq, xrefs: 014E57C6
Hbq, xrefs: 014E5793

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: dbbf16da90fc2bc212c7f493c823dfdc63b4772843f0e7daab550f9d47da0c74
Instruction ID: b2544ca6c8e6a0644399046d79849eec319f35b8b122f5d73f159c429759030e
Opcode Fuzzy Hash: dbbf16da90fc2bc212c7f493c823dfdc63b4772843f0e7daab550f9d47da0c74
Instruction Fuzzy Hash: A3B1BD397042558FDB269F38C898B7B7BE2BB8821AF15452AE406CF3A5DF74C805C790

Function 014E5C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 014E5CE8
,bq, xrefs: 014E5CDE

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: acfa271ff813a1609aca2f4091b9d614de2206dcf058c238f657e6a08603eb3d
Instruction ID: 79d7be5ce0eeaf077ce4e63314eb98f2706c9124f4caf41170085e8cc1e38128
Opcode Fuzzy Hash: acfa271ff813a1609aca2f4091b9d614de2206dcf058c238f657e6a08603eb3d
Instruction Fuzzy Hash: B3818D38A001058FDB14DF6DC89C9AABBF6BF8921AB14C56AD506DF375D731E842CB90

Function 068B9510 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

(&^q, xrefs: 068B962B
(bq, xrefs: 068B96EA

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: dcb9c4afc653298d484f036d72d9aa626b6af4372428cc790d1053e4146304bc
Instruction ID: 3caf7b785a1b1c700b335e3351d2aa3b991e07e997dfbc88d841d2328906ef33
Opcode Fuzzy Hash: dcb9c4afc653298d484f036d72d9aa626b6af4372428cc790d1053e4146304bc
Instruction Fuzzy Hash: 60718D31F102599BDF59DFB9C850AAEBBB2AF89700F148529E505EB380DE309D06CB95

Function 014E3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 014E3435
Xbq, xrefs: 014E345E

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: be4c042e767fc03fa606fe10963c2dba15762cb462777414cb839db8e7e6f3f4
Instruction ID: 7180e4140f7f831e400c39748a542ae6026d540058213bf7a423554f18059164
Opcode Fuzzy Hash: be4c042e767fc03fa606fe10963c2dba15762cb462777414cb839db8e7e6f3f4
Instruction Fuzzy Hash: 7731F539B003258BEF2B8E6E459C27FA5EABBC4212F14453BE906C33A4DB74CC458791

Function 014E0C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014E0E5E

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 13ddcd4fe0bab8c6df14c2c7431194383f06539f59a4505463d84e9fe424a178
Instruction ID: be0603d31f3936afd2d2585acdbe019968b1ecf537c8837f264a900dae952fa2
Opcode Fuzzy Hash: 13ddcd4fe0bab8c6df14c2c7431194383f06539f59a4505463d84e9fe424a178
Instruction Fuzzy Hash: D8221478A0121ACFCB65EF65E984B9DBBB1FF88305F1086A9D509A7318DB706D85CF40

Function 014E0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014E0E5E

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b8031ccef1a157a9811e8652ad04b064f1c77c9c2ac458c38e58d35f93fe825a
Instruction ID: cefa3e57dd46ca2d6b9a595b1237104e9580a38963f0159093e09ba22fd27fb9
Opcode Fuzzy Hash: b8031ccef1a157a9811e8652ad04b064f1c77c9c2ac458c38e58d35f93fe825a
Instruction Fuzzy Hash: F1220478A0121ACFCB65EF65E984B9DBBB1FF88305F1086A9D509A7318DB706D85CF40

Function 014EA650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(o^q, xrefs: 014EA7D9

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 2a6821ccd20ae4e1251e69538e3706f616a7c0d5801b10857aac39ba99bc4103
Instruction ID: 088659903b11939d195286e1a815f596f451256a1441141bb2de90137419f13c
Opcode Fuzzy Hash: 2a6821ccd20ae4e1251e69538e3706f616a7c0d5801b10857aac39ba99bc4103
Instruction Fuzzy Hash: 4D41E4357002549FCB199F78D818AAE7BF6BFC8311F244569D516DB3A1CE348C05CB90

Function 014EA818 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c36750ba27ebabdc1a1288158c7eb88e7adf50136eb1fbb852776feca5562e
Instruction ID: aaf586bae68ca1640c6c38c81785c519e009fa3534694ac3e38a17c0951c068e
Opcode Fuzzy Hash: 47c36750ba27ebabdc1a1288158c7eb88e7adf50136eb1fbb852776feca5562e
Instruction Fuzzy Hash: 50F12F75A002148FCB15CF6DC9889AEBBF6FF88311B2A855AE515AB371C735EC81CB50

Function 014E7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ef62a20bf44564165ef7bade72025793b3a661dd031d62a8e2c08079eef95d
Instruction ID: 15a4b81eca19532c9da83ad0eb99d2f0987208e69ebbf857f46e27eac8f3be12
Opcode Fuzzy Hash: 41ef62a20bf44564165ef7bade72025793b3a661dd031d62a8e2c08079eef95d
Instruction Fuzzy Hash: A2710A347002458FDB25DF2DC498AAE7BE5AF89626F1540AAE516CB3B1DB70DC42CB90

Function 068B1191 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b691aa85913802234ed52e8e5a096fd1b85bceb4e1633d8f8e7358bb94ce226
Instruction ID: a2517764a399b233becd11e8d1b45599d898ae64972afff0b8bcff9c5da1782d
Opcode Fuzzy Hash: 8b691aa85913802234ed52e8e5a096fd1b85bceb4e1633d8f8e7358bb94ce226
Instruction Fuzzy Hash: C081B074E012299FDB65DF29D894BDDBBB2BB89300F1081EAD949A7354DB305E81CF80

Function 014ED378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f3dc2b683d19b3a466a0c0f4572a73f9d5bb28f9934b7c39f16e7be6507588
Instruction ID: 4f0a75853d05e7c4eab62c3beabae8b30f29e144793b8aa6d9247be57b47c5a3
Opcode Fuzzy Hash: 64f3dc2b683d19b3a466a0c0f4572a73f9d5bb28f9934b7c39f16e7be6507588
Instruction Fuzzy Hash: B45199750217969FC3263FA4B1EC23ABBB1FB0F3677426D00A42E8940CCB791488EB50

Function 014EE137 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062c97d96e6aac2520f028586e9d645859e6529739ec67d2471e20b374a13cbd
Instruction ID: 5971635200e8c00207a1a43c5f9a9260292ed9a9df3953dca1bb25f597aa15b7
Opcode Fuzzy Hash: 062c97d96e6aac2520f028586e9d645859e6529739ec67d2471e20b374a13cbd
Instruction Fuzzy Hash: 04510374D01218DFDB15DFA5D854AADBBB2FF88304F208929D809BB358DB35598ACF40

Function 014ED032 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502facceded0a3f5ff05b80ec29a27edc3cdefe9a5b8050d8b631ede6bade06e
Instruction ID: 8f246ae8172129579c67196042452899a3b2dd0e232c06782402b3b6aa7f5028
Opcode Fuzzy Hash: 502facceded0a3f5ff05b80ec29a27edc3cdefe9a5b8050d8b631ede6bade06e
Instruction Fuzzy Hash: 56519274E01218DFDB58DFA9D98499DBBF2FF89300F24816AE419AB364DB30A905CF50

Function 068BDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e94fa6705e88cc1d7ba4fa75c4eb06a14898f292f536ff17762d3b92450c89
Instruction ID: 902bf48ba628bd99edeba0e811df275e9b78d409b84fa4c031c1be66b4703d58
Opcode Fuzzy Hash: 05e94fa6705e88cc1d7ba4fa75c4eb06a14898f292f536ff17762d3b92450c89
Instruction Fuzzy Hash: 48416E3590131DDFDB14AFA1E0AC7EE7BB5EB8A316F005929D20667294CB781A44CF91

Function 014E3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014103593b36175b76eb28673e181dc7ac46893f92d255c678773c22c9e4bc6c
Instruction ID: 7d6254bb4dbcb7e8e58b42eda5b6de4df6081d0c4d240e6a6b975e60450f2456
Opcode Fuzzy Hash: 014103593b36175b76eb28673e181dc7ac46893f92d255c678773c22c9e4bc6c
Instruction Fuzzy Hash: C051B674E01219CFCB08DFAAD49489DBBF2FF89311B209569E805AB324DB31AD46CF40

Function 014E9A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172b67c4305400d6d8f2867a17d86f48ff24c0c432881b6c288cc0140627dd48
Instruction ID: a074792b0b3e531404c8c5dc9387df7be24a091fbf5da17b97527ad5f8b38a7e
Opcode Fuzzy Hash: 172b67c4305400d6d8f2867a17d86f48ff24c0c432881b6c288cc0140627dd48
Instruction Fuzzy Hash: 7241AF31A00289DFCF16CFA9C848A9EBFF2BF89315F048556E9159B3A1D334D954CB90

Function 068B9A49 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3a6caf47767fc09c7c3d74d06534a80e9214abb34fdeb1e32ac3e22a4917cb
Instruction ID: 828d2500dff5457fe69e3d9d11c88c49c6db1cf602f537d1033997f2cbd60c2a
Opcode Fuzzy Hash: ba3a6caf47767fc09c7c3d74d06534a80e9214abb34fdeb1e32ac3e22a4917cb
Instruction Fuzzy Hash: 52410F78E013188FCF15DFA8D4986EDBBB2BF89300F20912AD519A7394DB74594ACF50

Function 068B9500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8ee392c7566f4df1ba03ca8375843d6ea5e2a227379bda366c0c63b9e602f6
Instruction ID: 4a16060934ca09272e8d019406ba449c5b76e76b43bd36e72482958e47dab182
Opcode Fuzzy Hash: 8c8ee392c7566f4df1ba03ca8375843d6ea5e2a227379bda366c0c63b9e602f6
Instruction Fuzzy Hash: 6D415131E002199BDF54DFA5C880AEEBBF5BF89700F149129E615F7340EB70A946CB91

Function 014E6730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f628baa1f71ba305461cd1ac6a67adc0a37d02dff2eece29c21a45b77e2d0a5
Instruction ID: 71ff42801678fc6a8a4fb2a72f6865261ba0dcc5731ee8ed2e25145fa44af02c
Opcode Fuzzy Hash: 7f628baa1f71ba305461cd1ac6a67adc0a37d02dff2eece29c21a45b77e2d0a5
Instruction Fuzzy Hash: 2841B170A00218DFDB15CF69C808BAB7BF6FB94305F05846AE8159B352DB74DC45CB91

Function 068B9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb33c1517a6429afe57b388dd974f9154f74e37b33b0560a0a5b8681ebefeadf
Instruction ID: 6a617d96d0e4206932e4edf1d965a3d69655068d37bfdbcd09d18b5979be6eab
Opcode Fuzzy Hash: eb33c1517a6429afe57b388dd974f9154f74e37b33b0560a0a5b8681ebefeadf
Instruction Fuzzy Hash: EB41EE74E01218CFCF44DFA9D5886EDBBB2BF89300F20912AD519A7394EB345A4ACF50

Function 014E4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b228b8521b72b1f36c739a205730a51f08f708956a9fbc2992f0c2577726e10c
Instruction ID: deb139891e00de0df21a8119a5ac719f2b90fd71ca104a31385e7dcf2d7f8420
Opcode Fuzzy Hash: b228b8521b72b1f36c739a205730a51f08f708956a9fbc2992f0c2577726e10c
Instruction Fuzzy Hash: D3319E3120415A9FDB179FA8D858AAF3BE2FB88211F044425F915CB365CB78CC66DBA0

Function 068BDCB1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c9bf5f4c4fce5943ed92cf237e0fea77635db26ea7efb82162645624693618
Instruction ID: 4468408c3870b66635f85b576ffa96c531effc8badfa2bb88e5650108a10d209
Opcode Fuzzy Hash: c5c9bf5f4c4fce5943ed92cf237e0fea77635db26ea7efb82162645624693618
Instruction Fuzzy Hash: AA318035901319DFDB14AFA1E4AC7EE7BB1FF8A316F005829D115A6294CB781A44CF90

Function 014E76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59004abab2cf1a3896985ed017d3578f1d698ca9ebf429c2f85f304cd01b9aca
Instruction ID: a455fbe2425a06b1d7dc5db53965ef7b59fda33678841d2e0723c9582de83dc3
Opcode Fuzzy Hash: 59004abab2cf1a3896985ed017d3578f1d698ca9ebf429c2f85f304cd01b9aca
Instruction Fuzzy Hash: 4621D63834020147EB261739D898A7B36D79FC4A2BF148076D606CB7A9EE35DC42E3C1

Function 014EA809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dced6196c0c3d32e9c4644fe1dfd1bd639cf0f3409895135e40a8c070ab9fe
Instruction ID: d784b4989fcaaf471ce04cdf4f8d8e0c31cab6a47294556cafac41115b7e59ff
Opcode Fuzzy Hash: 46dced6196c0c3d32e9c4644fe1dfd1bd639cf0f3409895135e40a8c070ab9fe
Instruction Fuzzy Hash: 31317375A005098FCB04CF6DC888AAEBBF6FF84751B268659E515973B5CB34DC42CB90

Function 014E2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd14ee8358218a2004fd0ac96a32cd39491f3dfc9ef685abe2dc1d3a6e8d3ff5
Instruction ID: 1648746f0c39dc8d98e7ac3660eb6ea21c2ea36466b7d6094e99564a9bb9a7e0
Opcode Fuzzy Hash: fd14ee8358218a2004fd0ac96a32cd39491f3dfc9ef685abe2dc1d3a6e8d3ff5
Instruction Fuzzy Hash: 0221E275A001159FCF14DF34C8449AF77AAEB89254B10C51AD94A8B390DB75EA42CBD2

Function 0125D006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108015872.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_125d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327ebaffd4328077cb0240ee5c472516942bb0e85d8c33c4ec72e49842ca1640
Instruction ID: dd2c7ce7c5573116f37185a9443ed4d7829d078c09cce8c8c00e682530dab52a
Opcode Fuzzy Hash: 327ebaffd4328077cb0240ee5c472516942bb0e85d8c33c4ec72e49842ca1640
Instruction Fuzzy Hash: 77314C7150D3C49FCB038B64C994711BF71AF47214F29C5EBD9898F2A7C27A980ACB62

Function 0124D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4107969881.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_124d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2bae811339b71e67d855300bd192f4d20c24d699b18da5db1f5c76c6f1474c
Instruction ID: 90752ccc94fa405ceff58194442600bd6c897484108a9bda73019dba34026e19
Opcode Fuzzy Hash: 2f2bae811339b71e67d855300bd192f4d20c24d699b18da5db1f5c76c6f1474c
Instruction Fuzzy Hash: 84216771610248DFDB09DF98D9C0B67BF65FBA4314F20C169EA090B256C336E446C7A1

Function 014E5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b9bfaa402ac7e85bfa7d26abfdc8bf8c48fa8ad126ccd3a61f7fc6e42c42dc
Instruction ID: 3e39146a9e543734067c618ec858a97987d93bb286f3901cc31e04e3159b9908
Opcode Fuzzy Hash: c4b9bfaa402ac7e85bfa7d26abfdc8bf8c48fa8ad126ccd3a61f7fc6e42c42dc
Instruction Fuzzy Hash: B22193397016119FD72A9B29D49893FB7D6FBC865AB15416AE906CF364CE34DC02CBC0

Function 0125D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108015872.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_125d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6633280be2a49f0f1a14b952d7fe3c462ceb3b3d1f04f3c2035e2289c777db2c
Instruction ID: a9b91565df00156ddfd030173423f09bf89ea7f719198ae85e821d530b130911
Opcode Fuzzy Hash: 6633280be2a49f0f1a14b952d7fe3c462ceb3b3d1f04f3c2035e2289c777db2c
Instruction Fuzzy Hash: 7B213471514208DFCB51DFA8C9C4B26BBA5FB84314F20C56DED494B352C77AD846CA61

Function 014E215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9833234f8cb24cf9bc021a22536e07850c583258882f92a5affe6d0dfd4905
Instruction ID: 81bed5471e0c6c96b6831c31968901bac3922b96503e408468b8105a07d3d924
Opcode Fuzzy Hash: 9e9833234f8cb24cf9bc021a22536e07850c583258882f92a5affe6d0dfd4905
Instruction Fuzzy Hash: 8511CE35E082599FCB029BB89C008DEFF34FF8A3107258797D226B70A1EA745946C392

Function 068B96F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db3e158436998a087d4c6503c676af3738b9820e095f82cb307db607281db33
Instruction ID: 52db51b6e77498b01c7728f58babe1a72395033dbff0e77bb59d49c46909693e
Opcode Fuzzy Hash: 6db3e158436998a087d4c6503c676af3738b9820e095f82cb307db607281db33
Instruction Fuzzy Hash: 2B11E6353182945FCF4A6FB8586456E3FB3AFC5340745486AE545CB3D2CE348E06C3A6

Function 014E4DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d800d544d7cfab1feb177aae6d8738a1a6a19041f3f498e8e2930ae661ea23fa
Instruction ID: 20120fde3597fc7ea58a52280125da83770462109c7fffb3361e03fe5c3f172b
Opcode Fuzzy Hash: d800d544d7cfab1feb177aae6d8738a1a6a19041f3f498e8e2930ae661ea23fa
Instruction Fuzzy Hash: A221C0716041199FEB16AF6CD848B6B3BE6FB88621F044429F905CB355CB78CC56CBE0

Function 068BE0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9a3c5ec9d8b1d615907dda19e463ecdb168bb3d84001558e9cc5b5a12f6341
Instruction ID: 2be4bd4b5250b8e7fcd7be6c328ca3fcf1c7efedaf9160b02d5732cf2aa53b84
Opcode Fuzzy Hash: ae9a3c5ec9d8b1d615907dda19e463ecdb168bb3d84001558e9cc5b5a12f6341
Instruction Fuzzy Hash: E511E5307042549FD7150B7998585FBBBEBAFC9351B29897AE546C7395CE348C0A8360

Function 014EE059 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924a925af9360592640f7def2b8447ba78e6003d330928ac26b8afa51fbd6097
Instruction ID: 3e335a0b5202f8ac5c4dd5526cca030a6183f94871fabbf0313fddd61934e937
Opcode Fuzzy Hash: 924a925af9360592640f7def2b8447ba78e6003d330928ac26b8afa51fbd6097
Instruction Fuzzy Hash: C0216D70D002199FDB45EFBDD98469EBFF2FB84304F00D66AD009AB368EB705A458B81

Function 0124D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4107969881.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_124d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6782656b53bff2e7d07c271b5435fd888db75a2021e5383ad6a69da8b2276ba8
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: DB112E72400284CFCB06CF44C9C4B56BF72FB94324F24C2A9DA090B657C33AE41ACBA2

Function 068B9280 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1f20b21706c02d115ee0da364b4dd80c51ee3376a103f1bd79b7a520376dbc
Instruction ID: b7e230a551dd670ef4886c9a844fdebf7e8bad329ca3b1b611c67604210d5f85
Opcode Fuzzy Hash: 3d1f20b21706c02d115ee0da364b4dd80c51ee3376a103f1bd79b7a520376dbc
Instruction Fuzzy Hash: A81134B6800249DFDF10CF99C945BEEBFF4EB49320F148419EA18A7261C339A954DFA5

Function 068B8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68af3d59b120b2f4b0cc44d7d874a184ae72d8002bc07f676a2f5f6ffdf27476
Instruction ID: 52aebed760a5a4006d529379ddbf13070119c02a3bf9dc7451518fc2f42367d4
Opcode Fuzzy Hash: 68af3d59b120b2f4b0cc44d7d874a184ae72d8002bc07f676a2f5f6ffdf27476
Instruction Fuzzy Hash: B211FA74E001498FEB44DFE8E850BEEBBB6AB48315F00A465E908E7349EB3099428B51

Function 068B9999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d66774656dba4231dbfa4f957b18435bb1d0a1ec153a842f2e1b0b4d0553f00
Instruction ID: c5d6d182112469f12164dc9de68e69e818747df09298a9303cfa51b727bee3c8
Opcode Fuzzy Hash: 2d66774656dba4231dbfa4f957b18435bb1d0a1ec153a842f2e1b0b4d0553f00
Instruction Fuzzy Hash: 531144B6800289DFCB10CF99C944AEEBFF4EB48320F149419E668A7261C339A550DFA4

Function 014EE068 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01431b5db0000247dce3a6df5be2579236a50eafb288e144291af131749978a7
Instruction ID: a46445ec8a8050f168a83339f01c4cf6b1911e3eaf32d238a12230791eab9694
Opcode Fuzzy Hash: 01431b5db0000247dce3a6df5be2579236a50eafb288e144291af131749978a7
Instruction Fuzzy Hash: EC114C70D002199FDB45EFBDD58469EBFF2FB84304F00D6AAD005AB328EB705A458B81

Function 014E5607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f14c87cf13cc65f9014065ec06cac57e7a336be93575d5ac48c80a8b94edb4
Instruction ID: 7935af696125fa8ffbacc402cb9c574a211e085ae21c3704d7260c274840719e
Opcode Fuzzy Hash: 46f14c87cf13cc65f9014065ec06cac57e7a336be93575d5ac48c80a8b94edb4
Instruction Fuzzy Hash: 0C0145327001552FDB078E649800AEF3BEAFBD8251B19802BF518CF284CA7488068BA0

Function 014E1F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f52a96ad547cc14572bb631c2942e1d9006af64c0a4c249ca25060fc4acd7c
Instruction ID: 673010c6022afd1515cd24dff5b328c83b0566c59f779b1a6d225abf8e46832d
Opcode Fuzzy Hash: a0f52a96ad547cc14572bb631c2942e1d9006af64c0a4c249ca25060fc4acd7c
Instruction Fuzzy Hash: 8A2103B4C0020A8FCB51EFA8D9495EEBFF1FF49301F00416AD815B7224EB345A89CBA1

Function 014E1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740f8add04f2a10ee924f1037dbb5b04d685cc038634eaa4b9ab37dc469223f2
Instruction ID: 4a83e2938f3ed9b2c90cd7d3969d7524a369e932d6eeb24ab9eece891480441b
Opcode Fuzzy Hash: 740f8add04f2a10ee924f1037dbb5b04d685cc038634eaa4b9ab37dc469223f2
Instruction Fuzzy Hash: AB2147B4D046098FCB21EFA8D4485EEBFF0BF4A314F1442AAD455BB264EB301A85CB91

Function 068B2670 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee866735835a09b7ebb2738b5f0a9d7fccfa0d8389459cff1608030990692c0
Instruction ID: 08f9b642d72965478f3f9e298630e1048017c9815b77405dc9432c347f3ab257
Opcode Fuzzy Hash: 4ee866735835a09b7ebb2738b5f0a9d7fccfa0d8389459cff1608030990692c0
Instruction Fuzzy Hash: 5A11AD71E002148FCBA0DB7CE5189AE7BF4EF88725701016AE50ADB325DB71C9068B91

Function 068B25E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b4989c390fd39e5a134bab7bdee34fcb43df884275fda73214f465cc25e536
Instruction ID: d1655b88df0cebb11c7eacd08a3de6a9f203e6a2b6326eb63bf4e39f5968d24e
Opcode Fuzzy Hash: d2b4989c390fd39e5a134bab7bdee34fcb43df884275fda73214f465cc25e536
Instruction Fuzzy Hash: E101E470E0021A8FCF54EFB9C8506EEBBF5AF89204F10856AD519E7350E7389A02CB90

Function 068B9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d4ba2fdc90f3e568b03e2c61be4c5de9edc54a54e4725613fd4da8449b7152
Instruction ID: 32e626b320cff18da5490bc44983ac28574e41b7665444a041a0c55bd957cb7a
Opcode Fuzzy Hash: a2d4ba2fdc90f3e568b03e2c61be4c5de9edc54a54e4725613fd4da8449b7152
Instruction Fuzzy Hash: F6F0B4323001186F8F05AE98A8449AF7AABEFC8310B004429FA09C7350CA31881197A5

Function 014EDD70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e269dfba7adb5609ba0770528c77e0f7939c432c8ee7bfa5b7d41073355c9b8
Instruction ID: f290e2c8fc7daefaacc3fee1a2881ba9fd4c085230fbf2e095b6404245df2aec
Opcode Fuzzy Hash: 5e269dfba7adb5609ba0770528c77e0f7939c432c8ee7bfa5b7d41073355c9b8
Instruction Fuzzy Hash: DCE0D831D40209A7CB109E99EC4D6EFB7B8EBC6311F009525A108B7691DB75921686A1

Function 014E2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b902c8ce6d31277707a8327274a3e5a8158b25c4135edb21430f7f3a23b47d3
Instruction ID: c969b5f06a5d6a3c7a2fb5d0a64bf70e62a23f3460686ec20b23cef17119659c
Opcode Fuzzy Hash: 9b902c8ce6d31277707a8327274a3e5a8158b25c4135edb21430f7f3a23b47d3
Instruction Fuzzy Hash: 68E0D831D143679FC701AB70AC044EFBB34AED2730B12466FE09476441EB74195BC7A2

Function 014E2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b84a6d2b683b31b1a8348d65d0ce23ad9932d48642eb26a5cddb51fac13bdf
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: e1b84a6d2b683b31b1a8348d65d0ce23ad9932d48642eb26a5cddb51fac13bdf
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 014E8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0ad076c8d60dc15b75efdee079127b942f19b7739f5997a593e0fee5d087caa5
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 1FC0123360C1282AAA25108E7C48AA3BB8CC6C12B6A250137F91CA3220A8539C8101A8

Function 014EA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667f9c65ad6394b9b36378e08f83c5a2052b9440e6f04b9608937a1c96329585
Instruction ID: dded8b4f50c9e24d90cc0c323574aa90f9791a1d2799fef66da254401c176c20
Opcode Fuzzy Hash: 667f9c65ad6394b9b36378e08f83c5a2052b9440e6f04b9608937a1c96329585
Instruction Fuzzy Hash: 2DD0173AB01008DFCB018F88E840CDDB7B6FB9C221B008016E921A3261C6319821DB50

Function 014E5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b177f864087e968dc7b81ec888c71ab86bf2e176ce2735d33125e387ec98fc99
Instruction ID: 1c1645689b067bb6af617e3c6c20cb7fa04c1bdf8c68617ab7964ac317b984ab
Opcode Fuzzy Hash: b177f864087e968dc7b81ec888c71ab86bf2e176ce2735d33125e387ec98fc99
Instruction Fuzzy Hash: 3ED02B704543414FD716F735E95149A7B75FBC1304F0042A9E8050A12FDAB8884E4710

Function 014E5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fbc8c79f111b5bc4e7b6fb38831d6cf20796d07195f743e52e9d05e3692b38
Instruction ID: a389e5137fa18a0df2fdc78a8fd36bc76712b15bd45c131a50cd1669425d9aa6
Opcode Fuzzy Hash: f2fbc8c79f111b5bc4e7b6fb38831d6cf20796d07195f743e52e9d05e3692b38
Instruction Fuzzy Hash: 9FC0127015431A4FD506FB76EA45556B76AF7C0204F404620B4090A22EDFB498884790

Non-executed Functions

Function 068B2807 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068B2EE6
Hbq, xrefs: 068B2869
PH^q, xrefs: 068B2DEB
PH^q, xrefs: 068B2CE2
PH^q, xrefs: 068B2DD7
PH^q, xrefs: 068B2BEA
0oAp, xrefs: 068B2A00
PH^q, xrefs: 068B2ED2
PH^q, xrefs: 068B2CF6
PH^q, xrefs: 068B2BFE
", xrefs: 068B3087

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: effe71eb5366ef27ac6710109645ad09833658736eb88413cabd5ae373585088
Instruction ID: 657dab74ba64d4047e4a397e59d306e988b6d7145b49661129d8d9fd0796367f
Opcode Fuzzy Hash: effe71eb5366ef27ac6710109645ad09833658736eb88413cabd5ae373585088
Instruction Fuzzy Hash: 3F12C074E002188FDB68DF69D994B9DBBF2BF89300F1085A9D509AB364DB359E85CF10

Function 014EE388 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 014EE4A3

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 46c58a316c1cd45bf1c7895cc443f48318d613e7621800a25be0279824e0af72
Instruction ID: eeec64b313a81957a6d71dc84d02239b6aedb9776e7a9d5b6291cb95c30631c6
Opcode Fuzzy Hash: 46c58a316c1cd45bf1c7895cc443f48318d613e7621800a25be0279824e0af72
Instruction Fuzzy Hash: 5352AC74E01229CFDB65DF69C884B9DBBB2BB88301F1085EAD509A7364DB319E85CF50

Function 068B33B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oAp, xrefs: 068B3423

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 9d589677fd9bd96b1c297c5fb61b498daeed9b4206c251b200a4fb0f27900400
Instruction ID: 3fc75d72e96badf6d8dd93a1dc97b8d8e6afbffb894844b59ec11ce00df13722
Opcode Fuzzy Hash: 9d589677fd9bd96b1c297c5fb61b498daeed9b4206c251b200a4fb0f27900400
Instruction Fuzzy Hash: A6B19174E00218CFDB54DFA9D994A9DBBF2FF89310F2081A9D919AB365DB31A941CF40

Function 068B33A8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

0oAp, xrefs: 068B3423

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 6e5e6f7b3a64101acffe29e55a8c8c2b9100fc00739e1699b9ba4092f7de7136
Instruction ID: b3742cc47cb3b694772a7c4d8d0cbdef5060de267b589cbc7c339357d840a42b
Opcode Fuzzy Hash: 6e5e6f7b3a64101acffe29e55a8c8c2b9100fc00739e1699b9ba4092f7de7136
Instruction Fuzzy Hash: 4951C274E00608CFDB48DFAAD98499DBBF2BF89310F149169D818EB365EB349942CF50

Function 068B5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d963ddb6fa163e21f4f5531172366b4615f543d916af4351f35cc223ebc497bb
Instruction ID: 573e77a227101331b300fba5107a9cfa4cae6584a1caefa05cb2cca1a6d5bc10
Opcode Fuzzy Hash: d963ddb6fa163e21f4f5531172366b4615f543d916af4351f35cc223ebc497bb
Instruction Fuzzy Hash: 63C1A074E01218CFDB54DFA5C994B9DBBB2FF88304F2081A9D909AB358DB359A85CF50

Function 068B5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d283f5754c65f3965bcd2ac184b5471f04962c4bee22d7f913ddc929f2b31e7e
Instruction ID: 7a9fce72ddc71174811463bc50778a523c5a0f249f24d2427f8beafb57507145
Opcode Fuzzy Hash: d283f5754c65f3965bcd2ac184b5471f04962c4bee22d7f913ddc929f2b31e7e
Instruction Fuzzy Hash: 2AC1B174E01218CFDB54DFA5C994B9DBBB2BF88300F2091A9D909AB358DB359E85CF50

Function 068B5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f0a245f32d701b2e7289321029f9a8e30dd98bed16616c93db2c1813245051
Instruction ID: 97139cc38f4e5b05d407cd1ddc044586b29beb1fd26e37dcabb1b43063bbcbd3
Opcode Fuzzy Hash: 54f0a245f32d701b2e7289321029f9a8e30dd98bed16616c93db2c1813245051
Instruction Fuzzy Hash: 76C1C174E01218CFDB54DFA5C994B9DBBB2BF88304F2081A9D909AB358DB359E85CF50

Function 068B6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dd864c59079275abc54bacdf0d8c78eb321ee58c715583061be7e94353e3ae
Instruction ID: 03eb90383c9f1d60c5dd6abd26d949df4afa53b5d995c6a9f12fc81af4419896
Opcode Fuzzy Hash: e6dd864c59079275abc54bacdf0d8c78eb321ee58c715583061be7e94353e3ae
Instruction Fuzzy Hash: CFC1B174E01218CFDB54DFA5C994B9DBBB2FF88304F2081A9D909AB358DB359A85CF50

Function 068B6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120061ad0a0f4192e3fdff3ce6f5e4ac8d2e7f50f1b727eac1d85ee179b33a4
Instruction ID: aeecba9ebb96c5963dd32e9b29c2ab53ae67926a51caea3e2040f06322c8d862
Opcode Fuzzy Hash: 3120061ad0a0f4192e3fdff3ce6f5e4ac8d2e7f50f1b727eac1d85ee179b33a4
Instruction Fuzzy Hash: C0C1C174E01218CFDB54DFA5C994B9DBBB2BF88300F2081A9D909AB358DB359E85CF50

Function 068B6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663be4db63ae9a7794a7c5c9b120dd3402c033c50ddeeb7f61534e4f293cc5b8
Instruction ID: 6dd6c17e09d34190573292c2dd7137e2430a79608ece204419e23e27c4e20f7f
Opcode Fuzzy Hash: 663be4db63ae9a7794a7c5c9b120dd3402c033c50ddeeb7f61534e4f293cc5b8
Instruction Fuzzy Hash: 88C1C174E01218CFDB54DFA5C994B9DBBB2BF88304F2081A9D909AB358DB359E85CF50

Function 068B0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5e4e542f47d7faea2a64bc8367669c1c8c4c5e30fcda11a6b265c06884e83e
Instruction ID: feec3e839884d8dcddc2c2b9ca74ead6e3f55be7e5b45651f31cbb919a9a2af5
Opcode Fuzzy Hash: 7d5e4e542f47d7faea2a64bc8367669c1c8c4c5e30fcda11a6b265c06884e83e
Instruction Fuzzy Hash: 7DC1C174E01218CFDB54DFA5D954B9DBBB2FF88300F2081A9D909AB368DB359A85CF50

Function 068B74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5742be22dabc50c402275f08f08185cfc8f4c0d7f0661ee3a81ff5981fef6a
Instruction ID: c73b511f3bf1587a4f69aef146c6dd1b28d801aca12a1e8706bd90dcdb50f291
Opcode Fuzzy Hash: bb5742be22dabc50c402275f08f08185cfc8f4c0d7f0661ee3a81ff5981fef6a
Instruction Fuzzy Hash: 00C1BF74E01218CFDB54DFA5C994B9DBBB2BF88300F2081A9D909AB358DB359E85CF50

Function 068B08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac8f39661b87373d1de69a97c78393018f9f0bc7a0d3ba259cb0695a2c07168
Instruction ID: dba02ec18e35c14a988b027a8e017cd207ca2f8cfa1d25bef8d3bd5295fc97a9
Opcode Fuzzy Hash: fac8f39661b87373d1de69a97c78393018f9f0bc7a0d3ba259cb0695a2c07168
Instruction Fuzzy Hash: ACC1C074E01218CFDB54DFA5C994B9DBBB2BF88304F2081A9D909AB358DB359A85CF50

Function 068B0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e9701457d661b8ecb706f9197ad79447c9a208df14244dd5d207ad0cb880f6
Instruction ID: a96663cfbe80b1f33cc55ec7aae869f08fbf7ace1e2302974a6c82646ff29bf5
Opcode Fuzzy Hash: 58e9701457d661b8ecb706f9197ad79447c9a208df14244dd5d207ad0cb880f6
Instruction Fuzzy Hash: 44C1C074E01218CFDB54DFA5D994B9DBBB2FF88304F2081A9D809AB358DB359A85CF50

Function 068B7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930a599a9a6bb0c17cdc02e753a5338fe35c0592a47ef7af3b2521b9914c9ac1
Instruction ID: dc83926e49aa243cd1af53c4ef8283d7222f37466a5d160db04e17dbc17e5cac
Opcode Fuzzy Hash: 930a599a9a6bb0c17cdc02e753a5338fe35c0592a47ef7af3b2521b9914c9ac1
Instruction Fuzzy Hash: ADC1C174E01218CFDB55DFA5C994B9DBBB2BF88300F2081A9D909AB358DB359E85CF50

Function 068B5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d89ba50c5b2302066d610a9ce79ca6b796bc265747e2b69d7f0a7646961d80
Instruction ID: 5e79c28fd3546a469b564dd068e494d83c17c794a6ef27fa594f572db294505e
Opcode Fuzzy Hash: 43d89ba50c5b2302066d610a9ce79ca6b796bc265747e2b69d7f0a7646961d80
Instruction Fuzzy Hash: 33C1C174E01218CFDB54DFA5C994B9DBBB2BF88300F2081A9D909AB358DB359E85CF50

Function 068B81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85ff366b0e3dce5d5d4fd7085c94ef5705697d75592b912c79f3c3a0c3b4ed6
Instruction ID: 4199ea0a5d60d992a0e30f429a2e7a3da202980ea3085e9cd30b86aa3b5ea6e8
Opcode Fuzzy Hash: d85ff366b0e3dce5d5d4fd7085c94ef5705697d75592b912c79f3c3a0c3b4ed6
Instruction Fuzzy Hash: 9BC1B074E01218CFDB54DFA5C994B9DBBB2BF88300F2081A9D909AB358DB359E85CF50

Function 068B7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75554c8bb0165967133b16e47518aca57bbc4ca97430df385041b28c4b211e9d
Instruction ID: 84152dbf756340b3b7b4c0b0e42cb0cde16a0dcca560c4de787be3f65bb3d655
Opcode Fuzzy Hash: 75554c8bb0165967133b16e47518aca57bbc4ca97430df385041b28c4b211e9d
Instruction Fuzzy Hash: 90C1D174E01218CFDB54DFA5C994B9DBBB2BF88300F2081A9D908AB358DB359E85CF50

Function 068B0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3579bb6cc44ddf6c1269d66ea2d32b1b6407dc426e7320d53a2aafbfb65d63b0
Instruction ID: 469abb450d7103d7af190e61e5357f7c0cc89924ecc60330e4f819468dbf623c
Opcode Fuzzy Hash: 3579bb6cc44ddf6c1269d66ea2d32b1b6407dc426e7320d53a2aafbfb65d63b0
Instruction Fuzzy Hash: 40C1C174E01218CFDB54DFA5D994B9DBBB2BF88300F2091A9D809AB358DB359E85CF50

Function 068B7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111907819.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_68b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e64dde39fb5d3abe1de6eaad5ca2d391c0d8965035db681c052e52412dad49b
Instruction ID: 766d1e15b3ca20d90d80f2cc9f6141446d842effb14f5d0b7580c4776eb04c5f
Opcode Fuzzy Hash: 8e64dde39fb5d3abe1de6eaad5ca2d391c0d8965035db681c052e52412dad49b
Instruction Fuzzy Hash: 83C1B174E01218CFDB54DFA5C954B9DBBB2BF88304F2081A9D909AB358DB359E85CF50

Function 014E21E2 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

Xbq, xrefs: 014E220E
Xbq, xrefs: 014E22C7
Xbq, xrefs: 014E2248
Xbq, xrefs: 014E2314

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: a4408a68a4a65b1ef94d7caef883f8dad580f91b1f07f033d93f8dd650f57c06
Instruction ID: afd2b4f6e729a8687f301a9c429975f99597e324ede49cf6076909cb67b1196b
Opcode Fuzzy Hash: a4408a68a4a65b1ef94d7caef883f8dad580f91b1f07f033d93f8dd650f57c06
Instruction Fuzzy Hash: E751E931E042298BDF658F6CC9587BFBBFABB84301F10456AC505A7365DB708D81CB92

Function 014E6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 014E60BA
\;^q, xrefs: 014E60C6
\;^q, xrefs: 014E609E
\;^q, xrefs: 014E6094

Memory Dump Source

Source File: 00000001.00000002.4108561175.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: ba7ac741432df7204268f9515eb8b01275b30c2a22c5df55f8cffa3d1cf16cb4
Instruction ID: eaa2c64ec4de12c3f2399cf5cc0f8ad0deb79a816b8a939ba6ee40f37f13a246
Opcode Fuzzy Hash: ba7ac741432df7204268f9515eb8b01275b30c2a22c5df55f8cffa3d1cf16cb4
Instruction Fuzzy Hash: 960175717401249F8B54CE2DC44C9267FFBAF94A62F16857BD502CB3B5DA72DC428750

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_new order.exe_a0ae4b577917af373f82f0f155e6f5f1b3b83e3_63337e3c_36ee73ac-12c9-4d51-9463-803eac033cd6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9967.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
new order.exe